MIT Information Systems

Macintosh Development



Kerberos Preferences on Mac OS 8.x & 9.x Documentation

This web page discusses the Kerberos Preferences file: what's in it, where it goes, and how to configure it for distribution at your site. This page applies to both Kerberos for Macintosh 4.0.x on Mac OS 8.x & 9.x and Kerberos for Macintosh 3.5.

The information on this page applies only to Mac OS 8.x & 9.x. For Mac OS X preferences/configuration information, click here.


About the Kerberos Preferences File

Kerberos Preferences File Locations (or, "Why are there two Kerberos Preferences files?")

What to Install Where

About Kerberos Configuration Information

About the Kerberos Login Library Preferences

Creating the Kerberos Library Configuration for Your Site


About the Kerberos Preferences File

The Kerberos Preferences file is where the Kerberos v4 and v5 configuration and Kerberos Login Library preferences are stored.

The Kerberos Preferences file stores this information in both its data and resource forks. The data fork contains the realm and server configuration information (the info that would be found in the krb5.conf file on Unix). See the Kerberos Configuration section for more information.

The resource fork may contain the following resources (but not every Kerberos Preferences file will have all of these - if the user has not changed preferences from the default, the resources will not be created):

On most systems there will be two Kerberos Preferences files. See the next section for more information about why this is so.

Kerberos Preferences File Locations (or, "Why are there two Kerberos Preferences files?")

Kerberos for Macintosh supports and looks for two copies of the Kerberos Preferences file - a "user" Kerberos Preferences file, containing the preferences for an individual user, and a "system" Kerberos Preferences file that contains the defaults to be used by all users of the computer.

On Mac OS 8 and 9, the Kerberos preferences file name is Kerberos Preferences. The user Kerberos Preferences is located in the Preferences folder and the system Kerberos Preferences is located in the Application Support folder (both inside the System Folder).

KfM has the two preferences files to better support Macs with Multiple Users turned on. When Multiple Users is enabled in Mac OS 9, each user has their own Preferences folder, but all users share the same Application Support folder. So if a machine has Multiple Users enabled, and an installer installs the default Kerberos Preferences into Preferences, only the current user will get a Kerberos Preferences file - other users won't. However, if the installer puts the Kerberos Preferences file in Application Support, all users will have access to it. (All other pieces of KfM are already installed in locations accessible by all users.)

When KfM reads preferences, it first looks for the preferences in the user Kerberos preferences file, and if it doesn't find them, then looks for them in the system Kerberos preferences. Since there are different sets of preferences, some may be read from the user preferences and others from the system preferences if they aren't in the user preferences.

If no preferences file exists when KfM attempts to read preferences, KfM creates a preferences file from the stored defaults. The Kerberos Library shared library has resources which contain copies of the realm configuration and Kerberos Login Library preferences that are used to generate a default Kerberos Preferences when none exist.

However, the user preferences must contain a complete set of Kerberos realm and server configuration information, or none at all - you cannot include partial configuration information in the user file and have other parts read from the system preferences. The typical and preferred case is to have the Kerberos configuration information in the system preferences, and each user has a preferences file that contains their Kerberos Login Library preferences (as set in the Kerberos control panel's Preferences dialog). Having just a user preferences file and no system preferences file to fall back on is permitted, but not recommended. If there is a full set of realm information in both preference locations, KfM will attempt to meld the two sets of information together - you may see realms listed twice.

When KfM writes preferences, it writes them to the user preferences file, not the system preferences file. That way each user gets their customized preferences, but there is a core default Kerberos preferences file for each new user. If there is no existing user Kerberos preferences file, one is created. As a result, the user Kerberos preferences may not have all the resources the system Kerberos preferences has, because the user has not changed all the preferences.

What To Install Where

When you are creating a distribution or installer for your site, you should distribute and install a system Kerberos Preferences file and a Kerberos Library file configured for your site. Information on how to create and modify these files is in the following sections.

On Mac OS 8 and 9, the system Kerberos Preferences file needs to be installed in the same folder as the Kerberos Library and Kerberos Support Library shared library files for it to be found. On Mac OS 8.6 and later, we recommend that you install them in a "Kerberos" subfolder in Application Support.

However, if you're supporting system versions earlier than 8.6 with your installer (KfM supports Mac OS 8.1 and higher), you need to install the Kerberos Library, Kerberos Support Library, and system Kerberos Preferences in the Extensions folder, not the Application Support folder, due to bugs in the shared library search path procedures. See the Installation Location of Shared Libraries section of the KfM Installer documentation for more information.

About Kerberos Configuration Information

The Kerberos v4 and v5 configurations are stored in the data fork of Kerberos Preferences. The defaults used to create a preferences file when one does not exist can be found in resource 'pfdf' 128 of the Kerberos Library shared library in data fork format.

This text is similar to that of krb5.conf on Unix machines or krb5.ini on Windows machines. The configuration tells Kerberos for Macintosh what realms exist, what Kerberos versions are supported by them, and where to find the servers. You should edit this file for your site by opening the Kerberos Preferences file in a text editor that preserves file type/creator codes (e.g., BBEdit or CodeWarrior, but not SimpleText or Microsoft Word).

Once you are done editing the Kerberos preferences file, you should reboot, and then you need to use the "Edit Favorite Realms" feature of the Kerberos control panel to add your realms to the pop-up menu in the Login dialog.

Here is an example Kerberos configuration:

	[libdefaults]
		default_realm = ATHENA.MIT.EDU
		ticket_lifetime = 600
		default_tkt_enctypes = des-cbc-crc
		default_tgs_enctypes = des-cbc-crc

	[realms]
	        ATHENA.MIT.EDU = {
	                kdc = kerberos.mit.edu:88
	                kdc = kerberos-1.mit.edu:88
	                kdc = kerberos-2.mit.edu:88
	                kdc = kerberos-3.mit.edu:88
	                admin_server = kerberos.mit.edu
	                default_domain = mit.edu
	        }
	        MEDIA-LAB.MIT.EDU = {
	                kdc = kerberos.media.mit.edu
	                admin_server = kerberos.media.mit.edu
	        }

	[domain_realm]
		.mit.edu = ATHENA.MIT.EDU
		mit.edu = ATHENA.MIT.EDU
		.media.mit.edu = MEDIA-LAB.MIT.EDU
		media.mit.edu = MEDIA-LAB.MIT.EDU

	[v4 realms]
	        ATHENA.MIT.EDU = {
	                kdc = kerberos.mit.edu
	                kdc = kerberos-1.mit.edu
	                kdc = kerberos-2.mit.edu
	                kdc = kerberos-3.mit.edu
	                admin_server = kerberos.mit.edu
	                default_domain = mit.edu
	                string_to_key_type = mit_string_to_key
	        }
	        UMICH.EDU = {
	                kdc = kerberos.umich.edu
	                admin_server = kerberos.umich.edu
	                default_domain = umich.edu
	                string_to_key_type = afs_string_to_key
	        }

	[v4 domain_realm]
		.mit.edu = ATHENA.MIT.EDU
		mit.edu = ATHENA.MIT.EDU
		.umich.edu = UMICH.EDU
		umich.edu = UMICH.EDU

The [libdefaults] section describes what the default behavior of the Kerberos libraries should be. You should always fill in the default realm. If you have Kerberos v5 at your site, you should also copy any other [libdefaults] from your site's krb5.conf or krb5.ini.

The [realms] and [domain_realm] sections refer to Kerberos v5 realms. If your site is v4-only you should omit these sections. Otherwise just copy these sections from your site's krb5.conf or krb5.ini.

The [v4 realms] and [v4 domain_realm] sections refer to Kerberos v4 realms. If your site is v5-only you should omit these sections. Otherwise you will need to create entries for each of the Kerberos v4 realms at your site. You must supply a Kerberos v4 string_to_key_type for each realm. Currently the type can be either mit_string_to_key or afs_string_to_key. If your site uses a different string_to_key function, please send us mail at krbdev@mit.edu.
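A pre-distribution check for the rules above, as an added example that is not part of the original page or of Kerberos for Macintosh: it parses the data-fork text and reports a missing default_realm and any v4 realm whose string_to_key_type is absent or not one of the two listed types. The function names, the EXAMPLE.ORG realms and the des_string_to_key value are constructed for illustration.

```python
V4_S2K_TYPES = {"mit_string_to_key", "afs_string_to_key"}  # the two types the text lists

def parse_prefs(text):
    """Parse the data-fork text into {section: {key: [values]}}; realm blocks nest one level."""
    config, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = config.setdefault(line[1:-1].strip(), {}), None
        elif line == "}":
            realm = None                          # end of a realm block
        elif section is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                realm = section.setdefault(key, {})   # start of a realm block
            else:                                 # keys such as kdc may repeat
                (realm if realm is not None else section).setdefault(key, []).append(value)
    return config

def validate(config):
    """Return the problems found against the rules stated in the text above."""
    problems = []
    if not config.get("libdefaults", {}).get("default_realm"):
        problems.append("[libdefaults] has no default_realm")
    for name, entry in config.get("v4 realms", {}).items():
        s2k = entry.get("string_to_key_type", ["<missing>"])[0]
        if s2k not in V4_S2K_TYPES:
            problems.append(f"v4 realm {name}: string_to_key_type is {s2k}")
    return problems

# Constructed sample with deliberate mistakes; EXAMPLE.ORG names are placeholders.
SAMPLE = """
[libdefaults]
    ticket_lifetime = 600
[v4 realms]
    EXAMPLE.ORG = {
        kdc = kdc1.example.org
        kdc = kdc2.example.org
        string_to_key_type = des_string_to_key
    }
    LEGACY.EXAMPLE.ORG = {
        kdc = kdc.legacy.example.org
    }
"""
if __name__ == "__main__":
    print("\n".join(validate(parse_prefs(SAMPLE))))
```

Run it against the text you plan to paste into the 'pfdf' 128 resource before building the installer; an empty result means none of the checked rules is violated.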

About the Kerberos Login Library Preferences

Kerberos Login Library preferences are stored in the 'KrbL' 128 resource. The defaults which are used to generate a Kerberos Preferences file when one does not exist are stored in the same resource inside the Kerberos Library shared library file.

Kerberos Login Library preferences should be changed using the Kerberos control panel's "Edit Favorite Realms" and "Preferences" dialogs (under the "Edit" menu). Make sure you add each realm you wish to use to your favorite realms, so you can select those realms from the Login dialog.

When configuring Kerberos for Macintosh for a site, you may want to include information for lots of realms in the Kerberos configuration, but only have a few "common" realms appear in the popup realms menu. Users can then add the "uncommon" realms they want to use to their favorite realms using the Kerberos control panel.

Creating the Kerberos Library Configuration for Your Site

Once you have created a Kerberos Preferences file which contains the defaults for your site and tested it, you should create a Kerberos Library which can create those defaults.

You need ResEdit or Resorcerer for these instructions. Using Resorcerer is easier, and resource templates are only provided in Resorcerer format.

If you have Resorcerer:

  1. Using your process watcher of choice, such as DragThing, quit Kerberos Ticket Keeper running in the background.
  2. Open Kerberos Library and your Kerberos Preferences in ResEdit or Resorcerer.
  3. Copy the 'KrbL' 128 resource from Kerberos Preferences into Kerberos Library (replacing the existing one). Make sure the System Heap bit of the 'KrbL' 128 resource is on.
  4. Copy the data fork from Kerberos Preferences, changing the type and ID to 'pfdf' 128.
  5. Copy the new 'pfdf' resource into Kerberos Library.
  6. Save your new site-configured Kerberos Library.
  7. Move your existing Kerberos Preferences files out of the System's Preferences folder or Application Support folder.
  8. Launch the Kerberos control panel. This will force Kerberos Ticket Keeper to be relaunched automatically and the default preferences to be reinitialized. Test the new default preferences. (The new default preferences will probably only have the Kerberos configuration information in the data fork - there will be no resources until you make a change from the defaults.)
  9. Make your installer, test and distribute to users!

If you have ResEdit:

  1. Using your process watcher of choice, such as DragThing, quit Kerberos Ticket Keeper running in the background.
  2. Open Kerberos Library and your Kerberos Preferences in ResEdit or Resorcerer.
  3. Copy the 'KrbL' 128 resource from Kerberos Preferences into Kerberos Library (replacing the existing one). Make sure the System Heap bit of the 'KrbL' 128 resource is on.
  4. Open the preferences file containing your preferred realm configuration information in a text editor, such as BBEdit.
  5. Select all the text, and copy it to the clipboard.
  6. Switch back to Kerberos Library in ResEdit.
  7. Open the 'pfdf' ID 128 resource, so that the hex data is showing on screen.
  8. Click once in the rightmost column, where the text equivalent of the hex data is.
  9. Select all. The entire rightmost column should be selected.
  10. Paste. This places the text from the clipboard into the resource.
  11. Close the resource.
  12. Save your new site-configured Kerberos Library.
  13. Move your existing Kerberos Preferences files out of the System's Preferences folder or Application Support folder.
  14. Launch the Kerberos control panel. This will force Kerberos Ticket Keeper to be relaunched automatically and the default preferences to be reinitialized. Test the new default preferences. (The new default preferences will probably only have the Kerberos configuration information in the data fork - there will be no resources until you make a change from the defaults.)
  15. Make your installer, test and distribute to users!

Questions or comments? Send mail to macdev@mit.edu
Last updated on 2003/11/18 22:03:37
Last modified by smcguire