Kerberos Preferences on Mac OS X 10.2 Documentation
This web page discusses the edu.mit.Kerberos (Kerberos configuration) file: what's in it, where it goes, and how to configure it for distribution at your site.

The information on this page applies to Mac OS X 10.2 only; preferences documentation for other Mac OS versions is available separately.
The edu.mit.Kerberos file is where the Kerberos v4 and v5 configuration information is stored on Mac OS X. (Formerly the Kerberos Login Library and Kerberos management application preferences were stored in it, but they now have their own preference files: edu.mit.Kerberos.KerberosLogin.plist and edu.mit.Kerberos.KerberosApp.plist.)

The edu.mit.Kerberos file stores this information in its data fork, which contains the realm and server configuration information (the info that would be found in the krb5.conf file on Unix). See the Kerberos Configuration section for more information.

On some systems there may be two edu.mit.Kerberos files. See the edu.mit.Kerberos File Locations section for more information about why this is so.
We recommend that you read this entire page. However, if you are in a hurry to get Kerberos for Macintosh up and working:

You need to create an edu.mit.Kerberos file in the /Library/Preferences directory which contains the realm and server configuration information for your site, although:

- If you already have Kerberos for Macintosh set up on Mac OS 9, you can copy the Kerberos Preferences file from the Kerberos folder in Application Support on your Mac OS 9 volume to /Library/Preferences on your Mac OS X volume, and rename it to edu.mit.Kerberos.
- If you do not have an edu.mit.Kerberos file, create a plain text file named edu.mit.Kerberos in /Library/Preferences using BBEdit, emacs, or CodeWarrior (it must be a plain text file), and fill it in as described in the Kerberos Configuration section.

Note - while there may also be an edu.mit.Kerberos file in your /Users/username/Library/Preferences directory, you should place your configuration information in the /Library/Preferences location. (See edu.mit.Kerberos File Locations for more details.)
edu.mit.Kerberos File Locations

Kerberos for Macintosh supports and looks for two copies of the edu.mit.Kerberos file - a "system" edu.mit.Kerberos file that contains the configuration to be used by all users of the computer, and a "user" edu.mit.Kerberos file, containing additional configuration for an individual user.

The user edu.mit.Kerberos is located in /Users/username/Library/Preferences (where "username" is the name of the user), and the system edu.mit.Kerberos is located in /Library/Preferences.
When KfM reads the configuration file, it first looks for it in the user location, and if it doesn't find it, then looks for one in the system location.
The typical case is to have the Kerberos configuration information in the system configuration file, and no user configuration file. However there may be circumstances where a user wants to have additional realm and server information not shared with other users on the same machine. You can add any additional realm and server configuration information to the user configuration file, and KfM will meld the two sets of information together. You should be careful to avoid duplicate entries - if you have the same entry with different information it is not guaranteed that the user config file will override the system config file (we hope to fix this in a future release), or you may see the same realm listed twice if it is in both files.
Having just a user configuration file and no system configuration file to fall back on is permitted, but not recommended.
On Mac OS X, the system Kerberos configuration file edu.mit.Kerberos should be placed in /Library/Preferences.

Kerberos Configuration

The Kerberos v4 and v5 configurations are stored in the data fork of edu.mit.Kerberos. This text is similar to that of krb5.conf on Unix machines or krb5.ini on Windows machines.
The configuration tells Kerberos for Macintosh what realms exist, what Kerberos versions are supported by them, and where to find the servers. You should edit this file for your site by opening the edu.mit.Kerberos file in a text editor that will save the file as pure text again (i.e. BBEdit, emacs, or CodeWarrior; but not TextEdit or Microsoft Word).

Once you are done editing the edu.mit.Kerberos file, you should reboot or log out, and then you need to use the Edit Favorite Realms feature of the Kerberos management application to add your realms to the pop-up menu in the Login dialog.
Here is an example Kerberos configuration:

    [libdefaults]
        default_realm = ATHENA.MIT.EDU
        noaddresses = TRUE

    [realms]
        ATHENA.MIT.EDU = {
            kdc = kerberos.mit.edu.:88
            kdc = kerberos-1.mit.edu.:88
            kdc = kerberos-2.mit.edu.:88
            admin_server = kerberos.mit.edu.
            default_domain = mit.edu
        }
        MEDIA-LAB.MIT.EDU = {
            kdc = kerberos.media.mit.edu.
            admin_server = kerberos.media.mit.edu.
        }

    [domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU

    [v4 realms]
        ATHENA.MIT.EDU = {
            kdc = kerberos.mit.edu.
            kdc = kerberos-1.mit.edu.
            kdc = kerberos-2.mit.edu.
            admin_server = kerberos.mit.edu.
            default_domain = mit.edu
            string_to_key_type = mit_string_to_key
        }
        UMICH.EDU = {
            kdc = kerberos.umich.edu.
            admin_server = kerberos.umich.edu.
            default_domain = umich.edu
            string_to_key_type = afs_string_to_key
        }

    [v4 domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .umich.edu = UMICH.EDU
        umich.edu = UMICH.EDU
The [libdefaults] section describes what the default behavior of the Kerberos libraries should be. You should always fill in the default realm. If you have Kerberos v5 at your site, you should also copy any other [libdefaults] from your site's krb5.conf or krb5.ini.

Note that Kerberos for Macintosh does not honor any ticket_lifetime entry in [libdefaults]. The default lifetime that will be used by both the Kerberos Login dialog and kinit is the one you specify in the GUI Kerberos management application preferences, although you can specify a different lifetime when you log in if you want.
The [realms] and [domain_realm] sections refer to Kerberos v5 realms. If your site is v4-only you should omit these sections. Otherwise just copy these sections from your site's krb5.conf or krb5.ini.

The [v4 realms] and [v4 domain_realm] sections refer to Kerberos v4 realms. If your site is v5-only you should omit these sections. Otherwise you will need to create entries for each of the Kerberos v4 realms at your site. You must supply a Kerberos v4 string_to_key_type for each realm. Currently the type can be either mit_string_to_key or afs_string_to_key. If your site uses a different string_to_key function, please send us mail at krbdev@mit.edu.
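As an added example (not code from the MIT page or from Kerberos for Macintosh), the following Python parses the krb5.conf-style text described above and checks the rules this page states: a default realm must be filled in, ticket_lifetime in [libdefaults] is not honored, and every [v4 realms] entry needs one of the two supported string_to_key_type values. The final check, that each [domain_realm] entry maps to a realm defined in [realms], is an added sanity check of mine rather than a rule the page states; the sample configuration inside it is constructed and deliberately contains several of these mistakes.

```python
# Added example (not MIT's code): parse edu.mit.Kerberos text and check this page's rules.
S2K_TYPES = ("mit_string_to_key", "afs_string_to_key")   # the two supported v4 types
SAMPLE = """\
[libdefaults]
    default_realm = ATHENA.MIT.EDU
    ticket_lifetime = 36000
[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu.:88
    }
[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
[v4 realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu.
    }
"""

def parse(text):
    """Return {section: {key: [values]}}; a realm stanza becomes a nested dict."""
    sections, section, stanza = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if line.startswith("[") and line.endswith("]"):
            section, stanza = sections.setdefault(line[1:-1], {}), None
        elif line == "}":
            stanza = None                      # end of a realm stanza
        elif line:                             # "key = value" or "REALM = {"
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stanza = section.setdefault(key, {})
            else:
                (stanza if stanza is not None else section).setdefault(key, []).append(value)
    return sections

def check(cfg):
    # Returns the problems this page warns about; an empty list means the file looks sane.
    problems, defaults, v5 = [], cfg.get("libdefaults", {}), cfg.get("realms", {})
    if "default_realm" not in defaults:
        problems.append("[libdefaults] has no default_realm")
    if "ticket_lifetime" in defaults:
        problems.append("ticket_lifetime in [libdefaults] is ignored by KfM")
    for realm, stanza in cfg.get("v4 realms", {}).items():
        if stanza.get("string_to_key_type", [""])[0] not in S2K_TYPES:
            problems.append(f"[v4 realms] {realm}: missing or unknown string_to_key_type")
    for domain, (realm, *_) in cfg.get("domain_realm", {}).items():
        if realm not in v5:
            problems.append(f"[domain_realm] {domain} maps to undefined v5 realm {realm}")
    return problems
```

Running check(parse(SAMPLE)) reports three problems; pointing it at a file that merges your system and user edu.mit.Kerberos text is a quick way to spot a missing string_to_key_type before users see a failed login.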