OS X Lion: Enabling Kerberos authentication with a third-party Key Distribution Center

Learn how to configure OS X Lion to authenticate against a third-party Key Distribution Center (KDC).

1. Per the kbr5.conf(5) manual page, create /etc/krb5.conf with your site-specific information. Here is an example of a basic krb5.conf file:

   [libdefaults] default_realm = EXAMPLE.COM [realms] EXAMPLE.COM = { admin_server = kdc.example.com kdc = kdc.example.com kpasswd = kdc.example.com }

2. In order to obtain a Ticket Granting Ticket (TGT) when logging in via the login window, edit /etc/pam.d/authorization per the pam_krb5(8) manual page. For example, you must add the default_principal option to the pam_krb5.so line if you'll be using user accounts which don't contain a valid AuthenticationAuthority attribute:

   auth optional pam_krb5.so use_first_pass use_kcminit default_principal

3. In order to obtain a Ticket Granting Ticket (TGT) when authenticating to the Screen Saver, edit /etc/pam.d/screensaver per the pam_krb5(8) manual page. As with /etc/pam.d/authorization, you must add the default_principal option to the pam_krb5.so line if you'll be using user accounts which don't contain a valid AuthenticationAuthority attribute:

   auth optional pam_krb5.so use_first_pass use_kcminit default_principal

4. Log out and log back in via the login window as a user whose short name matches the a user principal in the Kerberos database of the KDC specified in /etc/krb5.conf. You should now see that you've obtained a TGT by using the Ticket Viewer application (located in /System/Library/CoreServices) or by executing klist in the Terminal application.

Learn more

Note: This article does not apply if an OS X Server or Active Directory server is being used as the KDC.