Outdated Document
This page is out of date. See http://computing.help.inf.ed.ac.uk/kerberos-mac-os-x for more up-to-date instructions.
Using Kerberos on Mac OS X
Using Kerberos on Mac OS X is quite simple, although the tool is well hidden in the standard installation (/System/Library/CoreServices/Kerberos.app, or /System/Library/CoreServices/Ticket Viewer.app on 10.6) and the Kerberos tool itself has a few quirks (it won't work properly until you create a certain file). Luckily MIT have created a package that solves these two problems: Mac OS X Kerberos Extras.
You should download the appropriate version of Mac OS X Kerberos Extras. If you're running 10.5+, then find it here; if 10.4 or earlier, here.
Once installed, the Kerberos tool will be available as a symbolic link to the actual location, as /Applications/Utilities/Kerberos.app (pre 10.6) or /Applications/Utilities/Ticket Viewer.app (10.6+). There will also be an example configuration file for Kerberos in /Library/Preferences/edu.mit.Kerberos. This is optionally installed by the installer but you don't need it: either deselect the checkbox that installs it, or delete it after installation if it causes problems. Note also that the installation will make changes to your local SSH configuration to allow password-less login.
Using Kerberos on Mac OS X with DICE
Once you have installed Mac OS X Kerberos Extras, start up the Kerberos tool (either Kerberos.app or Ticket Viewer.app, depending on system version; see above). A window will pop up showing the Kerberos tickets you have (probably none at this point).
Simply click the New icon (Add Identity when using Ticket Viewer on 10.6) to bring up the login window, then enter the following details:
- Name: Your DICE username.
- Realm: INF.ED.AC.UK
- Password: Your DICE password.
Then click Ok. On Mac OS X 10.6+, you will be asked only for your identity and password. For your identity you need to enter:
your_dice_username@INF.ED.AC.UK
The ticket window will now list your active Informatics Kerberos ticket.
If you get a dialog box to the effect that "realm INF.ED.AC.UK is unknown", it may be because the MIT config file /Library/Preferences/edu.mit.Kerberos is blocking self-configuration. To fix this, try just deleting the MIT config file.
Once you have this ticket you can connect to Kerberised Informatics services such as SSH and IMAP without having to re-enter your username and password. Note that Kerberos tickets expire after a finite length of time (usually about 18 hours). Further details on the Informatics Kerberos service can be found in the Informatics Support Pages.
For Users That Have Entered Realm Details
The previous version of the Mac OS X Kerberos documentation instructed users to use the Edit -> Edit Realms... option to enter details of the Informatics Kerberos Realm. This is not required and should be avoided. It is better to simply ensure that the "Configure additional realms automatically using DNS" option in this configuration dialog is enabled, and allow the Kerberos libraries to use DNS to automatically discover the required settings.
If you have already entered INF.ED.AC.UK Realm details, simply delete them and follow the new instructions above.
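As an added example (not part of the original page or of the MIT package), the shell function below checks a Kerberos configuration file for the two conditions described above: a setting that disables DNS lookup (the "realm INF.ED.AC.UK is unknown" case) and a hand-entered realm entry. It assumes the file uses MIT krb5.conf syntax; the function name, the sample file contents and the example.org hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example: list settings in a krb5.conf-style file that stop the
# Kerberos libraries finding a realm's KDCs through DNS.

# audit_krb5_conf FILE REALM
# Prints one finding per line. Returns 0 = nothing blocks DNS discovery,
# 1 = at least one blocking setting, 2 = file absent (DNS is used anyway).
audit_krb5_conf() {
    [ -f "$1" ] || { echo "no config file, DNS discovery applies"; return 2; }
    awk -v realm="$2" '
        /^[ \t]*[#;]/ { next }                       # comment lines
        /^[ \t]*\[/ {                                # [section] header
            sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); section = $0; next
        }
        section == "libdefaults" && /^[ \t]*dns_(lookup_kdc|fallback)[ \t]*=/ {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
            # Spellings krb5 reads as boolean false.
            if (tolower(kv[2]) ~ /^(n|no|false|nil|0|off)$/) {
                print "DNS lookup disabled: " kv[1] " = " kv[2]; bad = 1
            }
        }
        # A hand-entered realm stanza is consulted before DNS.
        section == "realms" && $1 == realm && /=[ \t]*[{]/ {
            print "static [realms] entry for " realm; bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample standing in for /Library/Preferences/edu.mit.Kerberos.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.ORG
    dns_lookup_kdc = false
[realms]
    INF.ED.AC.UK = {
        kdc = kdc.example.org
    }
EOF

audit_krb5_conf "$sample" INF.ED.AC.UK || echo "audit status: $?"
```

To check a real machine, call the function with /Library/Preferences/edu.mit.Kerberos as the first argument; a status of 2 means the file is absent and nothing overrides DNS.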
Now you are Kerberised...
Why not add Cosign Single-signon capability to your browsers?
You can now also take advantage of OpenAFS: see AFSMacOSX for configuration details.
-- TobyBlake - 26 Jun 2012
-- GrahamDutton - 27 Jan 2010