CERN Accelerating science

Main Site Links:

• About
• Misc

Kerberized Mac OSX client setup at CERN

.. or how to get Kerberos ticket (and AFS token) on login and screensaver unlock, instead of using kinit(/aklog).

---

Note:

• This procedure is not: endorsed, supported or tested by CERN MacOS support.
• If not familiar with vi, use nano as your editor.
• If not comfortable with command line tools: do not attempt this.
• If editing errors are made in pam configuration files: that could lead to login problems.
• Feedback is welcome.

---

Prerequisites

• Mac OSX 10.11 El Capitan / 10.10 Yosemite / 10.9 Mavericks / 10.8 Mountain Lion (should work on 10.7 Lion .. NOT tested)
• Working CERN account.
• Mac 'Account name' must be the same as CERN account login id.
  (See: Apple KB article and Apple Support Communities discussion on how to change this)
• Mac account password must be the same as CERN account password.

---

Configuration

• Edit

   sudo vi /etc/krb5.conf

  to contain:

        [libdefaults]
          default_realm = CERN.CH
          forwardable = true
          proxiable = true
          ticket_lifetime = 90000
          renew_lifetime = 432000
  	renewable = true
          # uncomment two lines below if on a laptop .. will shorten to ~ 15 sec 
          # long (60 sec) timeout on login if network is reachable but KDC is not ..
          #kdc_timeout = 5
          #max_retries = 3
          noaddresses = TRUE
          allow_weak_crypto = TRUE 
  
        [realms]
          CERN.CH = {
                  kdc = cerndc.cern.ch
                  #kpasswd_server = cerndc.cern.ch
                  #admin_server = cerndc.cern.ch   
                  default_domain = cern.ch
          }
  
        [domain_realm]
          .cern.ch = CERN.CH
  
        [appdefaults]
          pam = {
             # uncomment next line for AFS tokens, install pam_afs_session.so first!
             #afs_cells=cern.ch 
          }
        

  (Note: This is minimal functional config)
  Remove /Library/Preferences/edu.mit.Kerberos if exists (having both on my system lead to some strange inconsistencies...)
  (This file is used only by native MacOS tools, some 3rd party Kerberos utilities are not aware of it, and all native tools will use /etc/krb5.conf)

• Edit

  sudo vi /etc/pam.d/authorization

  to contain:

        # authorization: auth account
        #auth       optional       pam_krb5.so use_first_pass use_kcminit
        auth       optional       pam_krb5.so debug use_first_pass default_principal
        # uncomment next line for AFS tokens, install pam_afs_session.so first!
        #auth       optional       pam_afs_session.so debug
        auth       optional       pam_ntlm.so use_first_pass
        auth       required       pam_opendirectory.so use_first_pass nullok
        account    required       pam_opendirectory.so

• Edit

  sudo vi /etc/pam.d/screensaver

  to contain:

        # screensaver: auth account
        #auth       optional       pam_krb5.so use_first_pass use_kcminit
        auth       optional       pam_krb5.so debug use_first_pass default_principal
        # uncomment next line for AFS tokens, install pam_afs_session.so first!
        #auth       optional       pam_afs_session.so debug
        auth       required       pam_opendirectory.so use_first_pass nullok
        account    required       pam_opendirectory.so
        account    sufficient     pam_self.so
        account    required       pam_group.so no_warn group=admin,wheel fail_safe
        account    required       pam_group.so no_warn deny group=admin,wheel ruser fail_safe
        

• You may want to make similar changes in /etc/pam.d/login.

• AFS tokens

  Install OpenAFS first, in System Preferences -> OpenAFS uncheck checkboxes: Get Krb5 credential at login time, use aklog and get credential at login time.

  Note:
  OpenAFS for MacOSX 10.11/10.12 can be obtained from here: OpenAFS Binary Packages / Third Party

  You will also need a modified pam_afs_session module:

  • Precompiled version for MacOSX 10.11 (El Capitan), Universal Mach-O (i386/x86_64) pam_afs_session.so-10.11
  • Precompiled version for MacOSX 10.10 (Yosemite), Universal Mach-O (i386/x86_64) pam_afs_session.so-10.10
  • Precompiled version for MacOSX 10.9 (Mavericks), Universal Mach-O (i386/x86_64) pam_afs_session.so-10.9
  • Precompiled version for MacOSX 10.8 (Mountain Lion) , Universal Mach-O (i386/x86_64) pam_afs_session.so-10.8
  • Precompiled version for MacOSX 10.7 (Lion) , Universal Mach-O (i386/x86_64) pam_afs_session.so-10.7 (NOT tested).

  Note:
  On MaxOSX 10.11 El Capitan the procedure to install is little bit more complicated due to new security mechanism: System Integrity Protection (SIP). (See also in depth SIP description.) In order to install into /usr/lib you will need to temporarily disable SIP.

  Copy downloaded file to: /usr/lib/pam/pam_afs_session.so on your system, correct ownership and remove quarantine extended attribute:

  sudo cp pam_afs_session.so-10.X /usr/lib/pam/pam_afs_session.so
  sudo chmod 444 /usr/lib/pam/pam_afs_session.so
  sudo chown root:wheel /usr/lib/pam/pam_afs_session.so
  sudo xattr -d com.apple.quarantine /usr/lib/pam/pam_afs_session.so
  

  
  (If you prefer to compile it yourself - download sources for version 2.5 from: http://www.eyrie.org/~eagle/software/pam-afs-session/, and apply pam_afs_session-2.5-no-setuid.patch patch, before compiling.)

• Finish configuration

  Restart opendirectoryd:

  sudo launchctl stop com.apple.opendirectoryd
  sudo launchctl start com.apple.opendirectoryd
  

  Logout and Login again.

---

Usage

• Login again, open terminal and check:

  # klist -f
  Credentials cache: API:501
          Principal: jpolok@CERN.CH
  
    Issued                Expires             Flags    Principal
  Feb 27 21:17:49 2013  Feb 28 07:17:48 2013  FPIA   krbtgt/CERN.CH@CERN.CH
  Feb 27 21:17:49 2013  Feb 28 07:17:48 2013  A      afs/cern.ch@CERN.CH
  

  And if you installed also AFS integration:

  # tokens
  
  Tokens held by the Cache Manager:
  
  User's (AFS ID 14213) tokens for afs@cern.ch [Expires Feb 28 07:17]
     --End of list--
  

• Use kerberized ssh without specifying password

  ssh lxplus.cern.ch

  (create ~/.ssh/config first, containing:

  HOST lxplus.cern.ch lxplus
    GSSAPITrustDNS yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
  

  )

• Use kerberized svn client without specifying password

  svn co svn+ssh://svn.cern.ch/reps/REPOSITORY

  (Add to ~/.ssh/config:

  HOST svn.cern.ch svn
    GSSAPITrustDNS yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
  

  )

  Access home directory on CERN DFS without specifying password

  In Finder -> Go -> Connect to Server:
  Enter: cifs://cerndfs.cern.ch/dfs -> Click Connect
  (or command line:

  mount -t cifs cerndfs.cern.ch/dfs /Volumes/dfs

  )

• Use kerberos authentication for CERN Single Sign On in Firefox

  Edit:

  vi ~/Library/Application Support/Firefox/Profiles/XXXXXX.yyyyy/prefs.js

  to contain:

       user_pref("network.negotiate-auth.delegation-uris","cern.ch");
       user_pref("network.negotiate-auth.trusted-uris","cern.ch");
       

  (make sure to quit Firefox first!)
  You may now remove stored passwords (for CERN SSO sites) from Firefox password manager. (Preferences -> Security -> Saved Passwords)

• Use kerberos authentication for Email in Thunderbird

  Edit:

  vi ~/Library/Thunderbird/Profiles/XXXXXX.yyyyy/prefs.js

  to contain:

       user_pref("network.negotiate-auth.delegation-uris","cern.ch");
       user_pref("network.negotiate-auth.trusted-uris","cern.ch");
       

  (make sure to quit Thunderbird first!)
  Next go to Tools -> Account Settings -> Server Settings and change Authentication method to Kerberos/GSSAPI.
  Next got to Tools -> Account Settings -> Outgoing Server (SMTP) -> Edit and change Authentication method to Kerberos/GSSAPI.
  To finish , restart Thunderbird. You may now remove stored passwords from Thunderbird password manager. (Preferences -> Security -> Passwords -> Saved Passwords)

• .....

---

Known problems

• Obtained Kerberos ticket is non renewable (so no kinit -R...) .. and has a 10 hours lifetime (pam_krb5.so does not respect renewable = true - and most of other options specified in /etc/krb5.conf ...)
  Workaround: don't let your session run more than 10 hours ... (just locking and unlocking screensaver will give you fresh ticket

• This configuration fails (silently) to obtain Kerberos ticket if KDC/network is not reachable at the time of login/screen unlock.
  Workaround: locking/unlocking screen. Or make sure network connection is active - observe wifi signal bars if this is on a macbook - it usually takes few seconds to activate..

• User switching breaks things: for new user login everything is OK, but switching back to already logged in user results in ticket not being recreated (seems like another bug in pam_krb5.so ..), old ticket may be still valid but somehow credential cache 'disappears' .. and then 'magically' reappears about 1-2 minutes later ...
  This seem to happen only if one user has kerberos ticket and the other does not, when both have tickets it works fine
  Workaround: locking/unlocking screen .. again.

• CERN password and local MacOS password must be changed to same value at same time.

---

To Do

• Patch and recompile pam_krb5.so from Apple OpenSource site to add 'renewable' option ?

Linuxer rant:
Looking at the sources of pam_krb5.so - this module on Apple systems is *really* primitive comparing to the one on Linux systems.. and it is buggy: using ccache=FILE:/tmp/krb5cc_... as option .. causes a crash in authorization [ no wonder: source shows that it reads the option ans then resets - by hardcoding - cache type to API ... it also does not implement parsing all options from Kerberos config file ...