Mehdi LAMRANI

Reputation: 11597

MacOS Sierra & Kerberos

I am running macOS High Sierra 10.13

I need to remotely access a kerberised web UI (Hadoop Cluster / Ambari / Oozie Service UI to be specific)
For that I first need to edit/configure the Kerberos conf file to add the realm before calling kinit properly. I looked thoroughly; the Kerberos configuration file is not present on the system: not a trace anywhere of a file called "edu.mit.Kerberos" nor "krb5.conf".

But still, calling kinit outputs this :

user@MBP:~$ kinit
kinit: krb5_get_default_principal: Configuration file does not specify default realm

I am really curious where the configuration file is hidden if it ever exists.

Anyway, I tried creating both /etc/krb.conf and /Library/Preferences/edu.mit.Kerberos with my realm configuration but I keep getting the same output.

I am not even sure Kerberos is installed by default properly on this version of macOS, but I do have the klist and kinit commands natively in /usr/bin.

I also tried to unload / reload the Kerberos service, but the corresponding plist files are also non-existent:

sudo launchctl unload /System/Library/LaunchDaemons/edu.mit.Kerberos.kadmind.plist
sudo launchctl unload /System/Library/LaunchDaemons/edu.mit.Kerberos.krb5kdc.plist
sudo launchctl load /System/Library/LaunchDaemons/edu.mit.Kerberos.kadmind.plist
sudo launchctl load /System/Library/LaunchDaemons/edu.mit.Kerberos.krb5kdc.plist

all give

No such file or directory

I consulted the official MIT documentation here and here but it didn't really help. They also advise using the "Mac OS X Kerberos Extras" utility, but I am a terminal guy; I really prefer to understand what I am doing, where the conf files are and what is really happening.

Any help or decent documentation is welcome. Thanks

Upvotes: 1

Views: 5234

Answers (2)

wiml

Reputation: 748

At some point, Apple renamed the Kerberos launchdaemons to live under com.apple, for example, com.apple.Kerberos.kcm.plist for the credential-cache daemon.

Upvotes: 2

9bO3av5fw5

Reputation: 998

We've had some experience of this and the 'lean' docs where I'm based...

You can write /etc/krb5.conf with eg:

[libdefaults]
  dns_lookup_kdc = false
  dns_lookup_realm = false
  ticket_lifetime = 86400
  renew_lifetime = 604800
  forwardable = true
  default_tgs_enctypes = aes256-cts
  default_tkt_enctypes = aes256-cts
  permitted_enctypes = aes256-cts
  udp_preference_limit = 1
  kdc_timeout = 3000
[realms]
  NODE.EXAMPLE.COM = {
    kdc = tcp/example.com:port
  }

In our case we're connecting over ssh, so I have: kdc = tcp/localhost:11006, where that tunnels to the box/port running the KDC. Then kinit USERNAME@REALM

https://developer.mozilla.org/en-US/docs/Mozilla/Integrated_authentication may be helpful after that.

Upvotes: 2
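The procedure in the answer above (write /etc/krb5.conf, tunnel to the KDC, run kinit), as an added shell example that is not part of either answer. It generates a config from a realm and a host:port, checks the one setting a bare kinit needs (default_realm in [libdefaults], which is exactly what the "Configuration file does not specify default realm" message complains about), and points the tools at the generated file through the KRB5_CONFIG environment variable instead of writing to /etc. The realm NODE.EXAMPLE.COM, the tunnel port 11006, the bastion host and the KDC host name are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original answers). Generates a minimal krb5.conf
# for a KDC reached through an SSH tunnel and checks the one setting that a
# bare "kinit" (no principal argument) needs: default_realm in [libdefaults].
# Realm, ports, hosts and paths below are assumptions for illustration.

# write_krb5_conf REALM KDC_HOSTPORT OUTFILE
#   Writes a config that pins the realm and KDC explicitly (no DNS lookups),
#   forces TCP (udp_preference_limit = 1) so the SSH tunnel carries the
#   traffic, and sets default_realm so a bare "kinit" knows which realm to use.
write_krb5_conf() {
    realm=$1; kdc=$2; out=$3
    cat > "$out" <<EOF
[libdefaults]
  default_realm = $realm
  dns_lookup_kdc = false
  dns_lookup_realm = false
  forwardable = true
  udp_preference_limit = 1
  kdc_timeout = 3000
[realms]
  $realm = {
    kdc = tcp/$kdc
  }
EOF
}

# krb5_conf_default_realm FILE
#   Prints the default_realm value, or nothing if the file has none.
#   An empty result means a bare "kinit" will report
#   "Configuration file does not specify default realm".
krb5_conf_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# krb5_conf_has_realm FILE REALM
#   Returns 0 if a [realms] stanza for REALM is present.
krb5_conf_has_realm() {
    grep -q "^[[:space:]]*$2[[:space:]]*=[[:space:]]*{" "$1"
}

# Usage (assumed hosts; not executed here): open the tunnel, write a
# per-user config, and point the Kerberos tools at it with KRB5_CONFIG.
demo() {
    cfg=${TMPDIR:-/tmp}/krb5-tunnel.conf
    write_krb5_conf NODE.EXAMPLE.COM localhost:11006 "$cfg"
    echo "default_realm: $(krb5_conf_default_realm "$cfg")"
    # ssh -N -L 11006:kdc.node.example.com:88 bastion.example.com &
    # KRB5_CONFIG=$cfg kinit USERNAME@NODE.EXAMPLE.COM
    # KRB5_CONFIG=$cfg klist
}
```

Keeping the file per-user and selecting it with KRB5_CONFIG avoids editing /etc and makes it obvious which config kinit is reading; once it works, the same contents can be copied to /etc/krb5.conf.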
