Active Directory Services/OSX
See here: http://weblog.bignerdranch.com/?p=6&page=1
OS X and ADS
Files
- /etc/authorization
- /Library/Preferences/edu.mit.kerberos
- /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist
- /Library/Preferences/DirectoryService/DirectoryService.plist
- /etc/pam.d/ssh (optional)
Packages
Kerberos MIT
Background
This document is intended to provide instructions for authenticating OS X computers with the campus (Case Western Reserve University) Active Directory. Apple does provide an Active Directory plugin which allows OS X computers to join AD like any other Windows computer. However, because the campus AD accepts NTLM2 authentication only, Macs at Case cannot 'join'. The workaround is to use LDAP for usernames and Kerberos for passwords, which simulates the effect of joining an OS X computer to Active Directory.
Quick Instructions
- Install Kerberos
- Edit edu.mit.kerberos and put in /Library/Preferences/
- Edit /etc/authorization
- Configure LDAP
- Edit /etc/pam.d/ssh (optional)
I. Create edu.mit.kerberos
From a terminal shell, run:
kerberosautoconfig -r INS.CWRU.EDU -m kerberos.cwru.edu
The /Library/Preferences/edu.mit.kerberos file will be created for you automatically.
II. Edit the authorization file
After the edu.mit.Kerberos file is in place you will need to enable the Kerberos Login Authenticator so that it will check the username and password against the IU Kerberos system, grant access to the workstation and provide a Kerberos ticket. To do this you will need to edit the /etc/authorization file. First make a backup of the file with the command cp /etc/authorization /etc/authorization.bak . If the authorization file is not properly formatted you may not be able to log in to your system. If that happens, start up in single-user mode and copy your good authorization file over the bad one.
In the authorization file find the section for the system.login.console key and change the authinternal string to builtin:krb5authnoverify . Below is the section you want to change.
  <key>system.login.console</key>
  <dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>comment</key>
    <string>Login mechanism based rule. Not for general use, yet. builtin:krb5authenticate can be used to hinge local authentication on a successful kerberos authentication and kdc verification. builtin:krb5authnoverify skips the kdc verification. Both fall back on local authentication.</string>
    <key>mechanisms</key>
    <array>
      <string>loginwindow_builtin:login</string>
      <string>authinternal</string>
      <string>loginwindow_builtin:success</string>
      <string>builtin:getuserinfo</string>
      <string>builtin:sso</string>
    </array>
  </dict>
Change the mechanisms array to the following.
      <string>loginwindow_builtin:login</string>
      <string>builtin:krb5authnoverify</string>
      <string>loginwindow_builtin:success</string>
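The following is an added example, not code from the original page or from Apple: a Python script that performs the step above on a constructed copy of the system.login.console right, refuses to write anything if the mechanisms list is not what the text shows, and keeps the .bak copy the text recommends so a bad file can be restored from single-user mode. It assumes the right sits under the top-level "rights" dict of /etc/authorization.

```python
import os
import plistlib

# Constructed sample mirroring the system.login.console right shown above
# (assumption: the right sits under the top-level "rights" dict).
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>mechanisms</key>
      <array>
        <string>loginwindow_builtin:login</string>
        <string>authinternal</string>
        <string>loginwindow_builtin:success</string>
        <string>builtin:getuserinfo</string>
        <string>builtin:sso</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""
OLD, NEW = "authinternal", "builtin:krb5authnoverify"

def swap_login_mechanism(plist_bytes, old=OLD, new=NEW):
    """Return (new plist bytes, mechanism list) with `old` swapped for `new`.
    Refuses a file where `old` is missing/duplicated or `new` already exists."""
    data = plistlib.loads(plist_bytes)
    mechs = data["rights"]["system.login.console"]["mechanisms"]
    if mechs.count(old) != 1 or new in mechs:
        raise ValueError("unexpected mechanisms list: %r" % mechs)
    mechs[mechs.index(old)] = new
    out = plistlib.dumps(data)
    if plistlib.loads(out) != data:  # round-trip check before anything is written
        raise ValueError("serialised plist does not parse back")
    return out, list(mechs)

def edit_authorization_file(path="/etc/authorization"):
    """Keep a .bak copy, write a .new file, then swap it in atomically (root)."""
    with open(path, "rb") as fh:
        original = fh.read()
    with open(path + ".bak", "wb") as fh:
        fh.write(original)
    new_bytes, mechs = swap_login_mechanism(original)
    with open(path + ".new", "wb") as fh:
        fh.write(new_bytes)
    os.replace(path + ".new", path)
    return mechs
```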
III. LDAP
Open Directory Services (Directory Access in 10.4 and later) in the Utilities folder.
Configure LDAPv3 and click New. Use any configuration name (e.g. ADS). Use ads.case.edu for Server Name or IP Address. LDAP Mapping should be set to From Server, with the search base suffix OU=People,dc=ads,dc=case,dc=edu.
Click Edit and check "Use authentication when connecting". Type in your OU admin account information.
IV. Edit pam.d files
If you want to use Kerberos with any of the PAM modules, specifically ssh, then you must edit those files as well. You must also install the pam_krb5.so module in /usr/lib/pam. The module is available at http://www.math.gatech.edu/~villegas/pam_krb5. Below is the configuration for /etc/pam.d/ssh:
  auth       required    pam_nologin.so
  auth       sufficient  pam_securityserver.so
  auth       sufficient  pam_unix.so
  auth       sufficient  pam_krb5.so use_first_pass
  auth       required    pam_deny.so
  account    required    pam_permit.so
  password   sufficient  pam_krb5.so use_authtok
  password   required    pam_deny.so
  session    required    pam_permit.so
