Getting a Mac to use the DICE Infrastructure

This page is now very old. To find out about using DICE services from more recent versions of MacOS go straight to http://computing.help.inf.ed.ac.uk/self-managed-macos.

This document attempts to pull together all the information needed to integrate a Mac running Mac OS X 10.5 (and earlier) with the DICE infrastructure, in particular authentication, home directory access and directory services. Parts of this document may also apply to newer versions of OS X.

This document is really aimed at the sysadmin audience, rather than the average user. You will need to be an Admin user to make many of these changes. Be warned that some changes, for instance modifying /etc/authorization, can have serious consequences if mistakes are made: it is possible to stop your Mac from booting properly. For this reason, it's a very good idea to make a backup copy of the /etc/authorization file before you edit it. Proceed with caution! All changes are made at your own risk.

Directory Services (LDAP)

MacOS X can be configured to query the Informatics LDAP service for directory information (e.g. user, group data). This is done using the Directory Utility (10.5) or Directory Access (10.4 and earlier) application (located in /Applications/Utilities). Launch the application and click on the lock to authenticate before making the following changes...

  • Select LDAPv3 and click on Configure
  • Click on the New button and enter dir.inf.ed.ac.uk for the Server Name or IP address. Leave the checkboxes at their default settings and click Continue.
  • Select a template of RFC 2307 (Unix) and enter a Search Base of dc=inf,dc=ed,dc=ac,dc=uk
  • Before quitting the Directory Access application, ensure that the LDAPv3 checkbox is enabled.

Authentication/Authorization (Kerberos, etc.)

Follow the steps in the MacOSXKerberos document for downloading the Kerberos Extras package.

This will install a Kerberos configuration file, /Library/Preferences/edu.mit.Kerberos. Kerberos will still work in most cases with this default version of the file, but for settings more appropriate to Informatics copy the file /etc/krb5.conf from a DICE machine to /Library/Preferences/edu.mit.Kerberos.

The Mac can also be set up to automatically obtain a Kerberos ticket when logging in.

Note that the instructions here apply only to Leopard (10.5). This page used to contain instructions for previous versions of OS X, but it was unclear which versions the instructions applied to. Rather than give potentially false information, I have removed them. If you want to configure a 10.5 Mac accordingly, get in touch with support and we'll point you towards relevant instructions.

Firstly, ensure that the Login Window is shown once the Mac has booted (as opposed to automatically logging in as a user) - this can be set in the Accounts system preferences pane (click on Login Options).

Edit the file /etc/authorization and locate the following section...

    <key>system.login.console</key>
    <dict>
        <key>class</key>
        <string>evaluate-mechanisms</string>
        <key>comment</key>
        <string>Login mechanism based rule.  Not for general use, yet.</string>
        <key>mechanisms</key>
        <array>
            <string>builtin:smartcard-sniffer,privileged</string>
            <string>loginwindow:login</string>
            <string>builtin:reset-password,privileged</string>
            <string>builtin:auto-login,privileged</string>
            <string>builtin:authenticate,privileged</string>
            <string>HomeDirMechanism:login,privileged</string>
            <string>HomeDirMechanism:status</string>
            <string>MCXMechanism:login</string>
            <string>loginwindow:success</string>
            <string>loginwindow:done</string>
        </array>
    </dict>

Replace the string

    builtin:authenticate,privileged

with

    builtin:krb5authnoverify,privileged

You can also configure the system so that unlocking your screensaver with a password will renew your kerberos tickets at the same time. First make sure the screensaver password option is enabled in the System Preferences->Security.

Next, locate the following section in /etc/authorization:

    <key>authenticate</key>
    <dict>
        <key>class</key>
        <string>evaluate-mechanisms</string>
        <key>mechanisms</key>
        <array>
            <string>builtin:smartcard-sniffer,privileged</string>
            <string>builtin:authenticate</string>
            <string>builtin:authenticate,privileged</string>
        </array>
    </dict>

Replace the string

    builtin:authenticate,privileged

with

    builtin:krb5authnoverify,privileged
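The two /etc/authorization edits above (the login rule and the screensaver/authenticate rule) can be made from a shell in a way that takes the backup the page recommends, touches only the named rule, and refuses to write anything if the string was not found. This is an added example, not code from the original page or from DICE; the sample plist it writes is constructed to mirror the two rules quoted above, and it assumes the flat rule layout shown there (no <dict> nested inside a rule). On a Mac, plutil -lint is run on the result where available; a malformed file can stop the machine booting, so check before rebooting.

```shell
#!/bin/sh
# Added example (not from the original page): swap one mechanism string inside a
# single named rule of an /etc/authorization-style plist, after taking a backup.
# Only the <dict> that follows <key>RULE</key> is changed, so the same mechanism
# string in other rules is left alone. Assumes the flat rule layout shown on the
# page (no <dict> nested inside a rule).

# swap_mechanism FILE RULE OLD NEW
#   Back FILE up to FILE.bak, then replace <string>OLD</string> with
#   <string>NEW</string> inside rule RULE only. Returns 1 if nothing changed.
swap_mechanism() {
    file=$1; rule=$2; old=$3; new=$4
    cp "$file" "$file.bak" || return 1
    awk -v rule="$rule" -v old="$old" -v new="$new" '
        $0 ~ ("<key>" rule "</key>") { inrule = 1 }
        # exact match on the whole element, so builtin:authenticate is not
        # confused with builtin:authenticate,privileged
        inrule && index($0, "<string>" old "</string>") {
            sub(/<string>.*<\/string>/, "<string>" new "</string>")
            changed = 1
        }
        inrule && /<\/dict>/ { inrule = 0 }
        { print }
        END { if (!changed) exit 1 }
    ' "$file.bak" > "$file"
}

# count_string FILE STR : how many <string>STR</string> elements FILE contains
count_string() {
    grep -c -F "<string>$2</string>" "$1" || true
}

# lint_plist FILE : syntax-check with plutil where available (macOS only)
lint_plist() {
    if command -v plutil >/dev/null 2>&1; then
        plutil -lint "$1"
    else
        echo "plutil not found; skipping plist lint" >&2
    fi
}

# write_sample FILE : constructed fragment mirroring the two rules quoted on the page
write_sample() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>rights</key>
    <dict>
        <key>system.login.console</key>
        <dict>
            <key>class</key>
            <string>evaluate-mechanisms</string>
            <key>mechanisms</key>
            <array>
                <string>builtin:smartcard-sniffer,privileged</string>
                <string>loginwindow:login</string>
                <string>builtin:authenticate,privileged</string>
                <string>loginwindow:success</string>
            </array>
        </dict>
        <key>authenticate</key>
        <dict>
            <key>class</key>
            <string>evaluate-mechanisms</string>
            <key>mechanisms</key>
            <array>
                <string>builtin:smartcard-sniffer,privileged</string>
                <string>builtin:authenticate</string>
                <string>builtin:authenticate,privileged</string>
            </array>
        </dict>
    </dict>
</dict>
</plist>
EOF
}

# Demonstration on a constructed copy; for the real edit pass /etc/authorization
# (as root) instead of the temporary file.
tmp=$(mktemp) && write_sample "$tmp"
swap_mechanism "$tmp" system.login.console builtin:authenticate,privileged builtin:krb5authnoverify,privileged
swap_mechanism "$tmp" authenticate builtin:authenticate,privileged builtin:krb5authnoverify,privileged
grep -n 'krb5authnoverify' "$tmp"
lint_plist "$tmp"
rm -f "$tmp" "$tmp.bak"
```

The awk pass matches the whole <string>...</string> element rather than a substring, which matters for the second rule: it contains both builtin:authenticate and builtin:authenticate,privileged, and only the latter is to be replaced.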

File Services (AFS, home directory access)

To install and configure the Mac AFS client for file system access follow the instructions in the AFSMacOSX document.

In addition to the basic configuration, you can set up the Mac so that it automatically obtains an AFS token at login time (10.5) or whenever the kerberos ticket is obtained (10.4). The latter method is obviously preferable, but seems not to work under 10.5.

10.5 AFS configuration

AFS Commander adds an OpenAFS System Preferences pane which allows you to configure various aspects of AFS. One of the options allows you to automatically get an AFS token at login time.

10.4 (and earlier) AFS configuration

Under 10.4 the Mac can be set up so that it automatically obtains an AFS token whenever the Kerberos ticket is obtained. To do this you will need to download the afslog.loginLogout plug-in from /afs/nada.kth.se/home/staff/ragge/out/test/. The version at the time of writing is 0.0.2b2. To install, follow the instructions in the README.txt file. Remember to make the changes detailed for the edu.mit.Kerberos file.

Printing

using CUPS

CUPS is the new recommended method for printing from a self-managed Mac, though documentation is pending review. Contact support if you'd like more information on the basic instructions below.

On a Desktop (on-site)

If you have a desktop Mac on the Informatics network you can configure it as a CUPS client by creating the file /etc/cups/client.conf as root and inserting

    ServerName infcups.inf.ed.ac.uk

It may take a few minutes for the printer information to propagate. Running 'lpstat -p' will then list all Informatics printers, and they also appear in System Preferences and in application print dialogs (e.g. Safari).

PLEASE NOTE The above option does not presently work under OS X 10.7 ("Lion"). A solution is being investigated. In the meantime the method below is recommended for all Macs:

On a Laptop or mobile Mac

If you have a laptop which uses printers elsewhere, the above instructions may hide or overwrite existing printers and prevent others from being configured. To add individual Informatics printers instead, follow the instructions below.

Note that the print server can be used only from a local Informatics (cabled) or VPN connection, and not from 'central' wireless unless some form of tunnelling is used. The Informatics OpenVPN service is recommended.

  • Open "System Preferences"
  • Choose "Print & Fax"
    • Click on + to add a printer
    • Click on the "IP" globe to select a CUPS printer
    • Set the details as follows:
      • Protocol: Internet Printing Protocol (IPP)
      • Address: infcups.inf.ed.ac.uk
      • Queue: printers/ followed by the printer name (e.g. printers/if513m1). A list of all printers, including location, can be found at: http://infcups.inf.ed.ac.uk:631/printers/
      • Name, Location: Whatever you like, e.g. "IF5 LJ4015", "IF-5.13"
      • Print Using: See Drivers below for details.
    • Click 'add' and your printer should now be available.
    • If you are adding one of the MFDs (Xerox):
      • Select Options and Supplies
      • Select Driver
      • In the Finisher Menu, select Office Finisher LX
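For setting up more than one Mac, the same printer can be added from a shell with lpadmin(8), the CUPS administration tool that ships with OS X. The following is an added example, not code from the original page or from DICE: the server name and the queue if513m1 are taken from the page, while the description, location and PPD path are assumptions (the PPD name is a placeholder; see Drivers below for where PPDs live). The queue name is validated before it reaches the command line, and DRY_RUN=1 prints the command instead of running it.

```shell
#!/bin/sh
# Added example (not from the original page): command-line equivalent of the
# "Print & Fax" steps above, using lpadmin from the CUPS that ships with OS X.
# Server and example queue are from the page; description, location and PPD
# path are assumptions. DRY_RUN=1 echoes the command instead of running it.

CUPS_SERVER=infcups.inf.ed.ac.uk

# run CMD ARGS... : execute, or just echo the command line when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# valid_name NAME : true for a plain CUPS destination name (letters, digits,
# _ . -), so a queue taken from a list or script argument cannot carry
# spaces, slashes or shell metacharacters into the command
valid_name() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# ipp_uri QUEUE : device URI for an Informatics queue on the CUPS server
ipp_uri() {
    printf 'ipp://%s/printers/%s\n' "$CUPS_SERVER" "$1"
}

# add_inf_printer QUEUE DESCRIPTION LOCATION PPD
#   QUEUE       server-side queue name, e.g. if513m1 (used as the local name too)
#   DESCRIPTION free text shown in print dialogs, e.g. "IF5 LJ4015"
#   LOCATION    free text, e.g. "IF-5.13"
#   PPD         path to the driver's PPD file
add_inf_printer() {
    queue=$1; desc=$2; loc=$3; ppd=$4
    valid_name "$queue" || { echo "rejected queue name: $queue" >&2; return 1; }
    [ "${DRY_RUN:-0}" = 1 ] || [ -r "$ppd" ] || { echo "PPD not readable: $ppd" >&2; return 1; }
    # -E after -p enables the queue and accepts jobs (before -p it would mean
    # "use encryption"); -v sets the device URI, -P the PPD, -D/-L the labels.
    run lpadmin -p "$queue" -E -v "$(ipp_uri "$queue")" -D "$desc" -L "$loc" -P "$ppd"
}

# Demonstration without touching the system: show what would be run.
# EXAMPLE.ppd is a placeholder file name, not a real driver.
(DRY_RUN=1; add_inf_printer if513m1 "IF5 LJ4015" "IF-5.13" \
    /Library/Printers/PPDs/Contents/Resources/EXAMPLE.ppd)
```

Run it as an Admin user (lpadmin needs sudo on OS X) with DRY_RUN unset once the printed command looks right; lpstat -p afterwards should list the new queue.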

using SMB

Note that Samba printing is no longer recommended since the introduction of the CUPS service. However, smb printing for existing users will continue to be available until further notice.

Drivers

  • HP LaserJet 4015: Specific PPDs do not seem to be available for these printers at present. Use another printer if specific features are needed; otherwise the Generic PostScript driver should meet most normal needs.
  • HP LaserJet (42xx, 43xx, 46xx series): These Informatics LaserJet and Color LaserJet printers are supported natively by Apple. Choose the driver from the 'Select a driver to use...' driver selection.
  • Xerox MFD Printers: Go here, click on the link for MAC 10.x Driver for WC75xx Series with the built-in controller, and click on the 'accept' button. This will download a disk image. When installing the printer, choose Xerox WC 7535 from the 'Select a driver to use...' driver selection. See the notes below. These drivers will work for Mac OS 10.6 and newer.

Alternatively, BEFORE you start selecting a driver, download its PPD and place it in /Library/Printers/PPDs/Contents/Resources/; it will now appear in the 'Select a driver to use...' dialog, removing the need to find the PPD for each new printer.

Note that, to download PPD files, you will need to right-click and choose 'save' on some browsers -- simply clicking on the file will display its source.

Xerox notes

Under Mac OS 10.7, when sending a job to a Xerox printer, all the preamble files the driver sends to the printer will appear in the print queue. The outcome of this is that it looks like you have sent 7 jobs to the queue rather than one. This is a known bug which will hopefully be fixed in due course.


-- GrahamDutton - 10 Sep 2008 -- TobyBlake - 06 Mar 2009 -- CraigStrachan - 18 Jul 2012

Topic attachments

  • CNRC288X1.PPD (106.3 K, 10 Sep 2008 - 14:42, GrahamDutton): Canon PostScript printer definition for Mac OS X 10.4-10.5
Topic revision: r38 - 06 Jan 2014 - 15:38:41 - ChrisCooke