
Kerberized Mac OSX setup - Kerberos keytab creation - the Unix way


Note: This is very much a work in progress and needs further testing. Let me know if it did or didn't work for you. Feedback welcome.

Prerequisites

  • Mac OSX 10.8 Mountain Lion (should work on 10.7 Lion .. NOT tested)
  • Mac registered and connected to CERN network - on a NON-PORTABLE socket.

Configuration

  • Edit
     sudo vi /etc/krb5.conf
    and remove /Library/Preferences/edu.mit.Kerberos as explained in Kerberos client setup.

  • Download CERN Root CA and CERN Trusted Certification Authority certificates from CERN CA site (right click in the browser and save in /tmp/).

  • Install certificates in system keychain on your MacOS:
    sudo security add-trusted-cert -d -k /Library/Keychains/System.keychain /tmp/CERN\ Root\ CA.crt
    sudo security add-trusted-cert -d -k /Library/Keychains/System.keychain /tmp/CERN\ Trusted\ Certification\ Authority.crt 
    

    You will need the msktutil tool:

    • Precompiled version for MacOSX 10.8 (Mountain Lion) , Universal Mach-O (i386/x86_64) binary: msktutil-10.8
    • Precompiled version for MacOSX 10.7 (Lion) , Universal Mach-O (i386/x86_64) binary: msktutil-10.7 (NOT tested).

    Copy the downloaded file to /usr/bin/msktutil on your system, make it executable with the correct ownership, and remove the quarantine extended attribute:

    sudo cp msktutil-10.X /usr/bin/msktutil
    sudo chmod 755 /usr/bin/msktutil
    sudo chown root:wheel /usr/bin/msktutil
    sudo xattr -d com.apple.quarantine /usr/bin/msktutil
    

    (If you prefer to compile it yourself - download sources for version 2.4 from: http://code.google.com/p/msktutil/.)

  • Go to http://network.cern.ch and change your system's Operating System to Linux.
    Wait at least 15 minutes for the change to be propagated to Active Directory.
    (This is just a temporary hack.)

  • Execute:
    sudo curl -k --local-port 600-700 https://lxkerbwin.cern.ch/LxKerb.asmx/ResetComputerPassword?service=host
    
    The above command resets the Kerberos host identity in Active Directory and returns a result like:
     <success>true</success>
     <principalname>host/HOSTNAME.cern.ch</principalname>
     <hostname>HOSTNAME</hostname>
     <samaccountname>SAMACCOUNTNAME$</samaccountname>
     <computerpassword>COMPUTERPASSWORD</computerpassword>
    
    Wait at least 20 seconds for AD data propagation.

  • Execute:
    sudo msktutil --update --dont-expire-password --server cerndc13.cern.ch --computer-name HOSTNAME --service host --old-account-password COMPUTERPASSWORD --verbose
    
    NOTE: Your system MUST be connected to a NON-PORTABLE ethernet socket at this time; otherwise the acquired keytab will be created for the portable socket hostname and, as soon as your IP changes, will become not very useful.

    This should create or update /etc/krb5.keytab.

  • Verify the keytab:
    sudo ktutil -k /etc/krb5.keytab list
    /etc/krb5.keytab:
    
    Vno  Type                     Principal                                 Aliases
      6  arcfour-hmac-md5         SAMACCOUNTNAME$@CERN.CH                           
      6  aes128-cts-hmac-sha1-96  SAMACCOUNTNAME$@CERN.CH                           
      6  aes256-cts-hmac-sha1-96  SAMACCOUNTNAME$@CERN.CH                           
      6  arcfour-hmac-md5         host/HOSTNAME.cern.ch@CERN.CH  
      6  aes128-cts-hmac-sha1-96  host/HOSTNAME.cern.ch@CERN.CH  
      6  aes256-cts-hmac-sha1-96  host/HOSTNAME.cern.ch@CERN.CH  
    
    and check its validity:
    sudo kinit -k "SAMACCOUNTNAME$"
    sudo klist
    Credentials cache: API:0:13
            Principal: SAMACCOUNTNAME$@CERN.CH
    
      Issued                Expires               Principal
    Feb 28 09:39:04 2013  Mar  1 10:39:04 2013  krbtgt/CERN.CH@CERN.CH
    
  • Go to http://network.cern.ch and change your system Operating System back to MacOSX

    As long as your keytab stays valid, you can update it by just using:

    sudo msktutil --update --dont-expire-password --server cerndc13.cern.ch --computer-name HOSTNAME --verbose
    
    And add a new service principal using:
    sudo msktutil --update --dont-expire-password --server cerndc13.cern.ch --computer-name HOSTNAME --service HTTP --verbose
    
    See msktutil --help for more information.
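    The reset, msktutil update and keytab verification steps above, driven from one POSIX shell script. This is an added example, not code from the original page or from msktutil; it assumes the XML response and the ktutil listing look exactly as shown on this page, and the sample values used to check it are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page: drives the reset / msktutil /
# verify steps above from one script.  The XML tags and the ktutil listing
# format are taken from the page; nothing here unescapes XML entities, so a
# computer password containing &, < or > would need extra handling.

# Return the text of tag $1 from the ResetComputerPassword XML response $2.
xml_field() {
    printf '%s\n' "$2" | sed -n "s/.*<$1>\(.*\)<\/$1>.*/\1/p" | head -n 1
}

# Return 0 if a `ktutil -k FILE list` listing ($2) contains the host
# principal for short hostname $1 with an AES-256 key (RC4 alone is not
# enough).  Principals are case-sensitive, so pass the hostname as AD has it.
keytab_has_host_aes() {
    printf '%s\n' "$2" | grep -q "aes256-cts-hmac-sha1-96 *host/$1\.cern\.ch@CERN\.CH"
}

# End-to-end run using the page's own commands; needs sudo, the CERN network
# and a NON-PORTABLE socket.  The old password is passed on the command line
# exactly as the page does, so it is briefly visible in `ps`.
create_keytab() {
    resp=$(sudo curl -sk --local-port 600-700 \
        'https://lxkerbwin.cern.ch/LxKerb.asmx/ResetComputerPassword?service=host') || return 1
    [ "$(xml_field success "$resp")" = "true" ] || { echo "reset failed: $resp" >&2; return 1; }
    host=$(xml_field hostname "$resp")
    sam=$(xml_field samaccountname "$resp")
    pw=$(xml_field computerpassword "$resp")
    sleep 20   # AD propagation delay recommended by the page
    sudo msktutil --update --dont-expire-password --server cerndc13.cern.ch \
        --computer-name "$host" --service host --old-account-password "$pw" --verbose || return 1
    listing=$(sudo ktutil -k /etc/krb5.keytab list)
    keytab_has_host_aes "$host" "$listing" || { echo "host/$host.cern.ch AES key missing from keytab" >&2; return 1; }
    sudo kinit -k "$sam" && sudo klist
}

# Only run the real thing when invoked as: sh this_script.sh run
if [ "${1:-}" = run ]; then create_keytab; fi
```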

Usage

  • Kerberized sshd

    Enable sshd:
    sudo systemsetup -setremotelogin on
    sudo launchctl start com.openssh.sshd
    
    (The above enables ssh access for all users; if you want to restrict this, use dseditgroup.)

    Edit:

    sudo vi /etc/sshd_config
    and uncomment the GSSAPI options:
    # GSSAPI options
    GSSAPIAuthentication yes
    #GSSAPICleanupCredentials yes
    #GSSAPIStrictAcceptorCheck yes
    GSSAPIKeyExchange yes
    
    Edit:
    sudo vi /etc/pam.d/sshd
    to contain:
    # sshd: auth account password session
    #auth       optional       pam_krb5.so use_kcminit
    auth       optional       pam_krb5.so use_first_pass default_principal
    # uncomment next line for AFS tokens, install pam_afs_session.so first!
    #auth       optional       pam_afs_session.so debug
    auth       optional       pam_ntlm.so try_first_pass
    auth       optional       pam_mount.so try_first_pass
    auth       required       pam_opendirectory.so try_first_pass
    account    required       pam_nologin.so
    account    required       pam_sacl.so sacl_service=ssh
    account    required       pam_opendirectory.so
    password   required       pam_opendirectory.so
    session    required       pam_launchd.so
    session    optional       pam_mount.so
    
    (If you wish to enable AFS tokens, please check Kerberos client setup.)
    Restart sshd:
    sudo launchctl stop com.openssh.sshd
    sudo launchctl start com.openssh.sshd
    

Known problems

  • Sometimes msktutil fails with:
    --   add_principal_keytab: Using salt of CERNCHhosthostname.cern.ch
    Error: krb5_c_string_to_key failed (Invalid UTF-8 combination in string)
       
    Workaround: run it again and it will work. (The salt calculation routine seems to be flaky in 0.4.2? To be investigated.)


To Do

  • LDAPv3 for accounts?