MIT Information Systems

Macintosh Development


Enabling the Kerberos Login Authenticator on Mac OS X 10.1

This document contains information about how to enable and use the Kerberos login authenticator on Mac OS X 10.1.x and Kerberos for Macintosh 4.0.x ONLY.

It does not cover the rewritten authenticator in Mac OS X 10.2. For information about the 10.2 authenticator, see Apple's documentation: Mac OS X 10.2: How to Enable Kerberos Authentication for Login Window.

MIT does not provide documentation or support for the new Mac OS X 10.2 authenticator - please contact Apple if you have questions.


Enabling

Before you begin:

1) Set up a Mac OS X user with the same "short name" as your Kerberos username.

The password for this user should be something secure that you can still remember, because it is the password that will be used whenever your machine is disconnected from the network and cannot reach the Kerberos server. You could make it the same as your Kerberos password, but this weakens the security of Kerberos, since your Kerberos password would then be stored on the local disk.

2) Open System Preferences.

3) Select the "Login" pane.

4) Select the "Login Window" tab.

5) Uncheck "Automatically log in".

6) In Terminal.app, type the following (all as one line):

sudo defaults write com.apple.loginwindow AuthenticatorBundle /System/Library/Authenticators/Kerberos.loginAuthenticator

This will ask for your administrator password and then enable the Kerberos login authenticator.

Usage

To use the login authenticator, log out, then either type your Kerberos username and password into the two editable text fields, or click on your user icon and type your password into the single editable text field.

If you selected "Show 'Other User' in list for network users", you will need to select "Other User" to see the two editable text fields.

If for some reason the authenticator cannot contact the Kerberos server, or cannot find a network connection, it falls back to the local password.

FAQs

Q: Do I have to have a local account for each user?
A: Not necessarily, although if you only want to set up Kerberos login for you or a few users, it's the simplest approach. Some sites have succeeded in setting up the Kerberos authenticator to work with NetInfo, LDAP, and Active Directory. Further information can be found on the macosxlabs.org Login Authenticators page.

Q: Can I mount a user's remote directory using the authenticator?
A: No.

Q: Will future versions of the authenticator support these options?
A: The goal for the 10.1 Kerberos authenticator was to get the authenticator that Apple already had in 10.0 working with KfM; the features were determined by what existed beforehand (which was Kerberos authentication for local accounts only).

Apple redesigned the entire authenticator interface in Mac OS X 10.2, and it should provide site-specific hooks for external directory lookups, mounting remote directories, and so forth, within the Kerberos authentication process. Please consult Apple's Security documentation, or contact Apple, for more information.


Questions or comments? Send mail to macdev@mit.edu
Last updated on 2003/11/19 20:41:51
Last modified by smcguire