We have encountered a problem where Lion and Mountain Lion clients are not generating Kerberos tickets at login. This causes problems with single-sign-on (SSO) to network shares as well as with Kerberos enabled applications like SAP.
Apparently Apple's latest version of Kerberos will not automatically request a ticket when a Kerberos enabled application launches. Instead you must either go to Terminal and type "kinit" and enter your password or force a ticket to be generated at login using the following instructions.
Note: in order to correctly authenticate using Kerberos enabled applications like SAP your user name in AD and in the application itself must match. This means that both your SAMAccount name and UPN in must be identical- including the case. Many non-Microsoft instances of Kerberos are case-sensitive.
To generate a Kerberos ticket at login (10.7 and 10.8 clients):
- Open Terminal
- Type "sudo -s" and authenticate as super user
- Navigate to /etc/pam.d
- Type "cp authorization authorization.bak" to make a backup of the authorization file
- Type "pico authorization" to edit the file (you could also use vi or your favourite editor)
auth optional pam_krb5.so use_first_pass use_kcminitAdd the key "default_principal" to the end of the line. For example:
auth optional pam_krb5.so use_first_pass use_kcminit default_principal
- Save the file
- Restart and log back into the computer
- Check that a Kerberos ticket has been generated by opening Terminal and typing "klist"
No comments:
Post a Comment