<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Find Me&#8230;</title>
	<atom:link href="http://www.nickdawson.net/nickdawson/find-me/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.nickdawson.net/nickdawson/find-me/</link>
	<description>From Virginia and many fine airports. Healthcare administration, foodie, music buff and fan of all things porcine, skis backwards</description>
	<lastBuildDate>Wed, 01 Sep 2010 07:52:00 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
	<item>
		<title>By: Pablo</title>
		<link>http://www.nickdawson.net/nickdawson/find-me/comment-page-1/#comment-57</link>
		<dc:creator>Pablo</dc:creator>
		<pubDate>Fri, 27 Feb 2009 06:22:26 +0000</pubDate>
		<guid isPermaLink="false">#comment-57</guid>
		<description>Hey, thank you for the quick response. I want my linux box to be the KDC and allow authentication to my netatalk shares via GSSAPI. Here&#039;s the problem: I believe you are aware that now every leopard machine has an on-demand kdc (local KDC or LKDC) which is in use when the machine is not bound to an OpenDirectory server. Apparently it is meant to enable single sign on in a peer to peer way, and secure their MobileMe services. When bound to a mac os x server, the client mac pulls all its Kerberos realm info from its opendirectory db and behaves in a standard MIT way. It is also possible to bind a mac to a standard unix ldap directory service (RFC 2307, like a debian box like mine does), and authenticate with it, no problem there. Edit your edu.mit.Kerberos file, and there you go. SSH and LDAP mac clients do GSSAPI auth against my debian box with no problems. Now the finder completely crashes when authenticating to netatalk+uams_gss.so. The finder hands over auth to an agent called NetAuthAgent, and if not bound to a mac server, it ignores the edu.mit.Kerberos file and uses the LKDC config, stored somewhere in the local directory service. Short of spending hours reproducing an opendirectory on my linux ldap server (storing krb5.conf as plists in ldap records), I&#039;d rather play it nice with the mac, and just advertise kerberos with avahi, like a mac does (&lt;a href=&quot;http://developer.apple.com/DOCUMENTATION/Darwin/Reference/ManPages/man8/kdcmond.8.html#//apple_ref/doc/man/8/kdcmond&quot; rel=&quot;nofollow&quot;&gt;http://developer.apple.com/DOCUMENTATION/Darwin...&lt;/a&gt;). Using the standard dns fallback way is cumbersome without full BIND9 stack. How did you patch avahi? What does your avahi.service file look like? Did you leave your mac&#039;s LKDC intact? I know, lots of questions... I don&#039;t expect all the answers of course, just some pointers.
I haven&#039;t seen any other post claiming success so far in doing this besides yours!</description>
		<content:encoded><![CDATA[<p>Hey, thank you for the quick response. I want my linux box to be the KDC and allow authentication to my netatalk shares via GSSAPI. Here&#39;s the problem: I believe you are aware that now every leopard machine has an on-demand kdc (local KDC or LKDC) which is in use when the machine is not bound to an OpenDirectory server. Apparently it is meant to enable single sign on in a peer to peer way, and secure their MobileMe services. When bound to a mac os x server, the client mac pulls all its Kerberos realm info from its opendirectory db and behaves in a standard MIT way. It is also possible to bind a mac to a standard unix ldap directory service (RFC 2307, like a debian box like mine does), and authenticate with it, no problem there. Edit your edu.mit.Kerberos file, and there you go. SSH and LDAP mac clients do GSSAPI auth against my debian box with no problems. Now the finder completely crashes when authenticating to netatalk+uams_gss.so. The finder hands over auth to an agent called NetAuthAgent, and if not bound to a mac server, it ignores the edu.mit.Kerberos file and uses the LKDC config, stored somewhere in the local directory service. Short of spending hours reproducing an opendirectory on my linux ldap server (storing krb5.conf as plists in ldap records), I&#39;d rather play it nice with the mac, and just advertise kerberos with avahi, like a mac does (<a href="http://developer.apple.com/DOCUMENTATION/Darwin/Reference/ManPages/man8/kdcmond.8.html#//apple_ref/doc/man/8/kdcmond" rel="nofollow">http://developer.apple.com/DOCUMENTATION/Darwin...</a>). Using the standard dns fallback way is cumbersome without full BIND9 stack. How did you patch avahi? What does your avahi.service file look like? Did you leave your mac&#39;s LKDC intact? I know, lots of questions&#8230; I don&#39;t expect all the answers of course, just some pointers.
I haven&#39;t seen any other post claiming success so far in doing this besides yours!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Nick</title>
		<link>http://www.nickdawson.net/nickdawson/find-me/comment-page-1/#comment-56</link>
		<dc:creator>Nick</dc:creator>
		<pubDate>Thu, 26 Feb 2009 12:51:05 +0000</pubDate>
		<guid isPermaLink="false">#comment-56</guid>
		<description>Pablo - I migrated my site to WordPress a few months ago, and it broke several links... bear with me and I&#039;ll find you some documentation in the next day or two. One thing I can suggest is checking out the MIT documentation on Kerberos. It&#039;s not as bad as it sounds, they have some pretty easy to follow examples. Which box is your KDC (server), linux or OSX?</description>
		<content:encoded><![CDATA[<p>Pablo &#8211; I migrated my site to WordPress a few months ago, and it broke several links&#8230; bear with me and I&#39;ll find you some documentation in the next day or two. One thing I can suggest is checking out the MIT documentation on Kerberos. It&#39;s not as bad as it sounds, they have some pretty easy to follow examples. Which box is your KDC (server), linux or OSX?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Pablo</title>
		<link>http://www.nickdawson.net/nickdawson/find-me/comment-page-1/#comment-55</link>
		<dc:creator>Pablo</dc:creator>
		<pubDate>Thu, 26 Feb 2009 12:35:37 +0000</pubDate>
		<guid isPermaLink="false">#comment-55</guid>
		<description>Hi, I&#039;ve been trying to get Kerberos working with AFP between my Linux and OSX boxes, and you seem to have managed it. I&#039;ve been trying to access the link you posted (&lt;a href=&quot;http://forums.macosxhints.com/archive/index.php/t-80265.html&quot; rel=&quot;nofollow&quot;&gt;http://forums.macosxhints.com/archive/index.php...&lt;/a&gt;), but it&#039;s gone, and it&#039;s nowhere to be found. Perhaps you could post it again?&lt;br&gt;-tx</description>
		<content:encoded><![CDATA[<p>Hi, I&#39;ve been trying to get Kerberos working with AFP between my Linux and OSX boxes, and you seem to have managed it. I&#39;ve been trying to access the link you posted (<a href="http://forums.macosxhints.com/archive/index.php/t-80265.html" rel="nofollow">http://forums.macosxhints.com/archive/index.php...</a>), but it&#39;s gone, and it&#39;s nowhere to be found. Perhaps you could post it again?<br />-tx</p>
]]></content:encoded>
	</item>
</channel>
</rss>
