Outdated Document

This page is out of date. See http://computing.help.inf.ed.ac.uk/kerberos-mac-os-x for more up-to-date instructions. Your web browser may take you to that page after 10 seconds. Press the Escape key to stop this from happening.

Using Kerberos on Mac OS X

Using Kerberos on Mac OS X is quite simple although the tool is quite well hidden in the standard installation ( /System/Library/CoreServices/Kerberos.app or /System/Library/CoreServices/Ticket Viewer.app on 10.6) and the Kerberos tools itself has a few quirks (won't work properly until you create a certain file). Luckily MIT have created a package that solves these two problems - Mac OS X Kerberos Extras.

You should download the appropriate version of Mac OS X Kerberos Extras. If you're running 10.5+, then find it here, if 10.4 or earlier, here.

Once installed, the Kerberos tool will be available as a symbolic link to the actual location as /Applications/Utilities/Kerberos.app (pre 10.6) or /Applications/Utilities/Ticket Viewer.app (10.6+). There will also be an example configuration file for Kerberos in /Library/Preferences/edu.mit.Kerberos. This is optionally installed by the installer but you don't need it - either deselect the checkbox that installs it, or delete after installation if it causes problems. Note also that it will make changes to your local SSH configuration to allow password-less login.

Using Kerberos on Mac OS X with DICE

Once you have installed Mac OS X Kerberos Extras start up the Kerberos tool (either Kerberos.app or Ticket Viewer.app depending on system version (see above)). A window will pop up showing the Kerberos tickets you have (probably none at this point).

Simply click the New Icon ( Add Identity when using Ticket Viewer on 10.6) to bring up the login window then enter the following details:

Name

Your DICE Username.

Realm

INF.ED.AC.UK

Password

Your DICE password.

Then click Ok. On MacOS10 .6+, you will be asked only for your identity and password, for your identity you need to enter:

your_dice_username@INF.ED.AC.UK

The ticket window will now list your active Informatics Kerberos ticket.

If you get a dialog box to the effect that "realm INF.ED.AC.UK is unknown", it may be because the MIT config file /Library/Preferences/edu.mit.Kerberos is blocking self-configuration. To fix this, try just deleting the MIT config file.

Once you have this ticket you can connect to Kerberised Informatics services such as SSH and IMAP without having to re-enter your username and password. Note that Kerberos tickets expire after a finite length of time (usually about 18 hours). Further details on the Informatics Kerberos service can be found in the Informatics Support Pages.

For Users That Have Entered Realm Details

The previous version of the Mac OS X Kerberos documentation instructed users to use the Edit -> Edit Realms... option to enter details of the Informatics Kerberos Realm this is not required and should be avoided. It is better to simply ensure that the Configure additional realms automatically using DNS option in this configuration dialog is enabled and allow the kerberos libraries to use DNS to automatically discover the required settings.

If you have already entered INF.ED.AC.UK Realm details simply delete them and follow the new instructions above.

Now you are Kerberised...

Why not add Cosign Single-signon capability to your browsers?

• dice.inf.ed.ac.uk/units/infrastructure/Documentation/cosign-overview - Firefox
• blob.inf.ed.ac.uk/gdutton/2010/11/chrome-and-spnego - Chrome

You can now also take advantage of OpenAFS : see AFSMacOSX for configuration details.

-- TobyBlake - 26 Jun 2012
-- GrahamDutton - 27 Jan 2010