Kerberos on Mac OS X Frequently Asked Questions
The following is a list of frequently asked questions about Kerberos on Mac OS X 10.2 and 10.3. This information is intended to assist users, support staff and developers who use Kerberos on the Macintosh.
This web page contains FAQs for Kerberos on Mac OS X 10.2 and later only. KfM FAQs for other Mac OS versions are available here.
If you would like to suggest an addition to the FAQ, please send mail to firstname.lastname@example.org
Q: Who should I contact with questions about Kerberos on Mac OS X?
A: Generally, you should contact Apple Computer for support with Kerberos on Mac OS X if your question is not answered here. See the Kerberos for Macintosh Support & Contact Info page for further information.
Q: What version of Kerberos should I use with Mac OS X?
A: Use the Kerberos for Macintosh that ships with the OS. This is the latest version - equivalent to KfM 5.5 in Mac OS X 10.4, KfM 5.0 in Mac OS X 10.3, and KfM 4.5 in Mac OS X 10.2. If you need Kerberos CFM support, download the Mac OS X Kerberos Extras.
Q: What parts of Kerberos are/are not included with Mac OS X?
A: The Kerberos included with Mac OS X 10.2 and later includes the Kerberos framework, command line tools,
the GUI Kerberos management application (although it's hidden away in
/System/Library/CoreServices ), a Kerberos
login authenticator, and support for Kerberos in various applications. The CFM support libraries are not included,
but can be obtained by installing the Mac OS X Kerberos Extras,
which will also put an alias to the Kerberos application in a more convenient location.
No Kerberos configuration information is included with Mac OS X (and only a sample configuration file is included with the Kerberos Extras), you must install a configuration for your site if your site does not have Kerberos auto-configuration/DNS setup (see below for more info).
Q: How do I configure Kerberos on Mac OS X for my site?
A: If your site does not have a Kerberos auto-configuration/DNS configuration (and in some cases, even if it does),
you must copy or create a file called
edu.mit.Kerberos in your
If you are running KfM 5.5 (Mac OS X 10.4), the Kerberos application realms editor graphical interface can be used to edit the realms configuration. Your site may have a localized Kerberos installer that provides this configuration file, you should consult with your
system administrator(s) before attempting to create your own.
The Kerberos configuration information (equivalent to the
krb5.conf on other platforms) should be in the data
fork of this file. We strongly recommend you read the Kerberos Preferences documentation
if you are hand-editing this file.
Q: Eudora, Fetch, and other CFM-based applications won't work with the Mac OS X Kerberos. What's wrong?
A: Mac OS X Kerberos as shipped does not include CFM support. To use the Mac OS X Kerberos with Eudora, Fetch, and other existing CFM-based GUI applications, you should install either the Mac OS X Kerberos Extras.
If you have just upgraded from an older Mac OS X to a newer version (such as from Mac OS X 10.1 to 10.2, or 10.2 to 10.3), you may need to install the latest Mac OS X Kerberos Extras even if you had Eudora and/or Fetch working previously. Note that you do not need to do this if upgrading from 10.3 ot 10.4.
Q: I installed the Mac OS X Kerberos Extras and now Eudora 5.1 won't work at all. What's up?
A: There is an issue with one of the Eudora plug-ins in Eudora 5.1 that causes this. The best way to fix this is to upgrade to Eudora 5.2 or later.
If you cannot upgrade to Eudora 5.2 or later, do the following to fix this: in the Finder, bring up the Finder contextual menu by control-clicking on the Eudora application icon and select "Show Package Contents". When the window pops up with the Contents folders in it, navigate to the Eudora Stuff folder:
Contents -> MacOS -> Eudora Stuff
and remove the
UPPERlower Carbon plug-in (drag it to the desktop or some other storage place).
Close up the Eudora contents window and try again, Eudora should now work. Removing this plug-in removes the
ability to change the selected text to all lowercase, all uppercase, etc. from the Edit menu in Eudora. This bug
will be fixed in a future release of Eudora.
Q: Where is the Kerberos GUI management application?
A: Mac OS X 10.2 and later do actually include the Kerberos management application, it's in
You can either make an alias in a more convenient location, or use the Mac OS X Kerberos Extras
which will make an alias to it in
Q: Is a Kerberized telnet and/or SSH client available for Mac OS X?
A: The Telnet that ships with Mac OS X 10.2 and later has Kerberos support. The SSH that ships with Mac OS X 10.3 and later has Kerberos support (we know of no Kerberized SSH solutions for Mac OS X 10.2).
Q: Is there a Kerberized ftp client available for Mac OS X?
A: Yes, Fetch from FetchSoftworks supports both GSS and KClient (v4) connections on Mac OS X when the CFM support libraries are installed. This is the only Kerberized ftp client we are aware of at this time.
Q: Does Kerberos for Macintosh work with Windows Active Directory?
A: Yes, KfM will successfully authenticate against Windows Active Directory acting as a KDC.
Q: I don't see the realm I need in the Authenticate to Kerberos dialog. How do I add new realms?
A: If the desired realm is not present in the Realms popup list, you can try typing it
into the Realm field. However, this will only work if you have a Kerberos configuration file
edu.mit.Kerberos) that already includes the realm, or your site is set up for auto-configuration/DNS
resolution of Kerberos realms. If typing it in directly does not work, try the Edit Favorite Realms/Edit Realms
dialog in the Kerberos management application. If it's not there, see the next question.
Q: I don't see the realm I need in the Edit Favorite Realms/Edit Realms dialog in Kerberos management application. How do I add new realms?
A: Your site may be configured for auto-configuration (DNS resolution of Kerberos realms. If
this is the case, and you are on Mac OS 10.2 or 10.3, you can just type your realm into the
"Add realm that has auto configuration" field of the Edit Favorite Realms dialog. If this does not work,
you need to edit the
edu.mit.Kerberos preferences file manually. See the Kerberos
Preferences Documentation for information on how to do this. If you are running Mac OS X 10.4 you can use the graphical
Edit Realms dialog to add the realm configuration. Regardless of which version of Mac OS X you are using, you should consult your site
administrator or help desk before adding new realms.
Q: Can I use Kerberos for Macintosh behind a NAT (Network Address Translation)?
A: In some cases, yes. Kerberos 4 does not support addressless tickets, so no Kerberos 4 or KClient-using
application can be made to work behind a NAT. However, Kerberos 5 can be told to use addressless
tickets, which will allow Kerberos 5-using applications to work behind a NAT. However, applications that
use the GSSAPI and require channel bindings, such as FTP, may still not work.
Mac OS X 10.3 and 10.4 get addressless tickets by default, although you can change this setting by setting the "Get tickets without IP addresses" checkbox in the Authenticate to Kerberos dialog (click on the "Show Options" button or choose "Options..." from the pulldown menu to see this checkbox).
In Mac OS X 10.2, can enable addressless tickets by adding the following line to the
libdefaults section of
noaddresses = true
There is no GUI way to enable this feature in Mac OS X 10.2.
Q: Will there be a Kerberos system menu and floating window for Mac OS X?
A: Kerberos for Macintosh for Mac OS X includes equivalent functionality. The dock icon of the Kerberos management application has a key that changes to show your ticket's status, can display the time remaining of the current active user's tickets, and has a pop-up menu for commonly used Kerberos functions.
Q: Can I get a newer release of Kerberos for Mac OS X from MIT?
A: No, any updates to Kerberos for Mac OS X will come from Apple.
Q: How do I enable and use the Kerberos login authenticator in Mac OS X 10.2 and later?
A: See Apple's web page, Mac OS X 10.2: How to Enable Kerberos Authentication for Login Window. Apple wrote the authenticator, and MIT does not provide documentation or support for it. Please send any questions to Apple - see the Kerberos for Macintosh Support & Contact Info page.
Q: How can I uninstall/remove Kerberos for Macintosh?
A: On Mac OS X 10.2 and later, since Kerberos is an integral part of the OS, you should not attempt to remove it.
Q: Is source code for the Kerberos included with Mac OS X available?
A: Yes, source code is available for review from the Apple Darwin Kerberos page.
Q: Is source code for the Kerberos login authenticator available?
A: Please contact Apple with this request. Since Apple wrote the authenticator, MIT does not have control over the source code.