My name is Kraig Schmidt, and I am a member of the Computer Technology staff at the University of Virginia School of Architecture. In our attempt to implement improved security measures for our network, we are trying to Kerberize the login process for all of our public Mac OS X clients. Mr. Ling, I saw your note from March on the kerberos mailing list archive and I thought perhaps you might have some advice for the problem we have encountered...
We are using Mac OS 10.2.6, and a Windows 2000 Server for Active Directory and KDC services. We have successfully implemented LDAPv3 against Active Directory to store our users and their associated information, which we use for logging in users (without Kerberos).
We set up a KDC on our Windows2000 Server, created client edu.mit.Kerberos files, and have successfully acquired tickets for several users [in Active Directory] via the OS X GUI Kerberos Manager. Modifying the /etc/authorization file on the client has been successful both for acquiring a ticket for the user as a consequence of logon, and verifying users against Active Directory [Options 1 and 2 as discussed in Apple Knowledge Base article 107154.]
We then created a 'user' account in active directory for the client computer [the host] and used Win2000's Ktpass utility to create a host principal and keytab file, which was ftp'd into /etc on the client machine.
c:\>ktpass -princ host/[EMAIL PROTECTED] -mapuser testg4 -pass password -out krb5.keytab
The problem: When we modify the /etc/authorization file to require a valid Kerberos account *prior* to logging on the user [Option 3 in article 107154] we get a loginwindow 'shake' and no login (even though all users and the host 'user' can acquire tickets via the GUI Kerberos Manager).
There is nothing in the Win2000 KDC login/logout audit logs that indicates what might be happening; in fact, each time I attempt to log in from a particular host as [let's say] user 'john', I see a failure event (pre-authentication type 0) immediately followed by a success event (pre-authentication type 2) for user 'john', but nothing [failure or success] pertaining to the host from which john is attempting to log on.
I cannot seem to determine how to activate client-side kerberos logging. Adding the [logging] section to the edu.mit.Kerberos file as shown below has not yielded any logging whatsoever.
[logging]
default = FILE:/var/krb5/kdc.log
KDC = FILE:/var/krb5/kdc.log

I admit to being utterly perplexed. The materials I've found in the process of doing research are relatively straightforward. Each of the steps was successful in precisely the ways the information indicated until the last step of implementing a valid Kerberos connection (for the host) prior to a user's login.
Any information and/or insight into this process would be enormously appreciated. Thanks for your time and assistance...
cheers, kraig schmidt.
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
