Setting up Apple Kerberos Application on Tiger and Leopard

1. Mac Kerberos application

  • Look in /System/Library/CoreServices.
  • Find the “Kerberos” Application
  • Add it to your Dock; you will need it a lot
  • Run it
    • Edit -> Realms
      • Click + and add a Realm Name (Settings Tab) “DFUSION.COM.AU”
      • Click Make Default
      • Select Server tab.
      • Add: kdc : : 88 (default port)
      • Add: admin : : 749 (default port) [optional - permits admin from client]
      • Optional (I haven't needed this yet) : kpasswd : : 464
      • Select Domains tab.
      • Optional: Add “” (See note)
    • “Apply” or “OK” – close this dialogue window
Note: If the realm and the domain are the same apart from capitalisation then adding a domain explicitly is not needed. Many admins add both "" and "". The version with the leading dot matches any host of the form . The version without a leading dot just matches a host called . Since I don't have such a host on the intranet I omitted it. YMMV.
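To make the difference between the two Domains entries concrete, here is an added example (not part of the original page) that walks a host name through the domain-to-realm lookup the client performs. The realm DFUSION.COM.AU is from the page; the domain dfusion.com.au, the host names and the foreign realm OLD.EXAMPLE.NET are assumptions, and the lookup order follows the MIT krb5 domain_realm search as I understand it.

```python
"""Domain-to-realm mapping: leading-dot entry vs exact-host entry.

Added example, not from the original page. The realm DFUSION.COM.AU
is from the page; the domain dfusion.com.au, all host names and the
realm OLD.EXAMPLE.NET are constructed for illustration.
"""

# Constructed [domain_realm] map showing both entry styles the note
# discusses: a leading dot covers every host under the domain, while an
# entry without a dot covers exactly one host of that name.
DOMAIN_REALM = {
    ".dfusion.com.au": "DFUSION.COM.AU",      # any host under the domain
    "dfusion.com.au": "DFUSION.COM.AU",       # only a host named exactly this
    "legacy.example.net": "OLD.EXAMPLE.NET",  # one host in a foreign domain
}


def realm_for_host(host, domain_realm=DOMAIN_REALM):
    """Return (realm, how) for `host`.

    Order mirrors the MIT krb5 domain_realm search: the exact host name
    first, then each parent domain with its leading dot.  With no entry
    at all, fall back to the uppercased parent domain, which is why no
    explicit entry is needed when the realm is just the domain in
    capitals.  A bare single-label host yields no realm.
    """
    host = host.rstrip(".").lower()
    if host in domain_realm:
        return domain_realm[host], "exact host entry"
    parts = host.split(".")
    for i in range(1, len(parts)):
        candidate = "." + ".".join(parts[i:])
        if candidate in domain_realm:
            return domain_realm[candidate], "domain entry " + candidate
    if len(parts) > 1:
        return ".".join(parts[1:]).upper(), "uppercased parent domain (no entry)"
    return None, "no realm found"


if __name__ == "__main__":
    # Only the exact-host entry present: kdc.dfusion.com.au is NOT matched
    # by "dfusion.com.au" and is rescued only by the uppercase heuristic.
    exact_only = {"dfusion.com.au": "DFUSION.COM.AU"}
    for h in ("kdc.dfusion.com.au", "dfusion.com.au", "www.example.net", "localhost"):
        print(h, "->", realm_for_host(h))
        print(h, "(exact-only map) ->", realm_for_host(h, exact_only))
```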

2. Obtain your first Ticket!

  • In the main window of Kerberos utility, click “New”.
    • Enter your Mac/server/kerberos username (mine is 'kim').
    • The realm should default to DFUSION.COM.AU.
    • Enter your matching Kerberos password (the one you created earlier on the server).
Note: I did NOT tick “remember this password in my keychain” because I want to know when the password is required initially… maybe later.

Now with a bit of luck you have just been authenticated to the Solaris server.
If so Yay!!! Pat yourself on the back. If not I’m afraid I have no troubleshooting advice yet because it did actually work for me first time.
You will see in the Kerberos utility window that you have by default 8 hours left on your login/TGT. The ticket you have is labeled "krbtgt" and is known generically as the Ticket Granting Ticket (TGT).
It’s your master ticket that gets you access to other things. Read the Kerberos manuals to understand more.

Once the 8 hours have expired you will automatically get another TGT, up to a system-configured limit (after which you need to authenticate again).
You can use the Kerberos application to log in, renew or destroy your Kerberos session (tickets).
You can also log in as a second user and swap between identities using the top left listbox. However I strongly recommend you don't try this until you're quite comfortable with Kerberos because it can cause problems.

The Kerberos application preferences are worth looking at.
You can close the Kerberos window; it sits in the Dock and indicates how much time is left on the TGT.

Command Line Utilities

OS X also has a full complement of Kerberos command line tools:
  • kinit -p kim gets a ticket for principal kim (just like gui)
  • klist shows your tickets
  • kdestroy destroys your tickets
etc - See the man pages.
