Setting up Apple Kerberos Application on Tiger and Leopard

1. Mac Kerberos application

  • Look in /System/Library/CoreServices.
  • Find the “Kerberos” Application
  • Add it to your dock, you will need it a lot
  • Run it
    • Edit -> Realms
      • Click + and add a Realm Name (Settings Tab) “DFUSION.COM.AU”
      • Click Make Default
      • Select Server tab.
      • Add: kdc : blackhole.dfusion.com.au : 88 (default port)
      • Add: admin : blackhole.dfusion.com.au : 749 (default port) [optional - permits admin from client]
      • Optional (I haven't needed this yet) : kpasswd : blackhole.dfusion.com.au : 464
      • Select Domains tab.
      • Optional: Add “.dfusion.com.au” (See note)
    • “Apply” or “OK” – close this dialogue window
Note: If the realm and the domain are the same apart from captialisation then adding a domain explicitly is not needed. Many admins add both ".dfusion.com.au" and "dfusion.com.au". The version with the leading dot matches any host for the form hostname.dfusion.com.au. The version without a leading dot, just matched a host called dfusion.com.au. Since I don't have such a host on the intranet I omitted it. YMMV


2. Obtain your first Ticket!


  • In the main window of Kerberos utility, click “New”.
    • Enter your Mac/server/kerberos username (mine is 'kim').
    • The realm should default to DFUSION.COM.AU.
    • Enter your matching kerberos password (for that you created earlier on the server).
Note: I did NOT tick “remember this password in my keychain” because I want to know when the password is required initially… maybe later.

Now with a bit of luck you have just been authenticated to the Solaris server.
If so Yay!!! Pat yourself on the back. If not I’m afraid I have no troubleshooting advice yet because it did actually work for me first time.
You will see in the Kerberos utility window that you have by default 8 hours left on your login/tgt. The TGT is your ticket granting ticket.
The ticket you have is labeled "krbtgt" and is known generically as the Ticket Granting Ticket (TGT).
It’s your master ticket that get you access to other things. Read kerberos manuals to understand more.

Once the 8 hours has expired you will automatically get another TGT up to a system configured limit (after which you need to authenticate again).
You can use the Kerberos appliation to log in, renew or destroy a your Kerberos session (tickets).
You can also log in as a second user and swap between identities using the top left listbox. However I strongly recommend you don't try this until you're quite comfortable with Kerberos because it can cause problems.

The Kerberos application preferences are worth looking at.
You can close the kereberos window, it sits in the doc and indicates how much time is left on the TGT.


Command Line Utilities


OS X also has a full complement of kerberos command line tools:
  • kinit -p kim gets a ticket for principal kim (just like gui)
  • klist shows your tickets
  • kdestroy destroys your tickets
etc - See the man pages.


The original document is available at http://dfusion.com.au/wiki/tiki-index.php?page=Setting+up+Apple+Kerberos+Application+on+Tiger+and+Leopard