Magic Triangle w/Kerberos in OS X 10.6

I was recently handed the task of integrating Mac OS X 10.6 into our so-called Magic Triangle authentication environment. To make things more interesting, Macs here are treated as UNIX workstations, and thus not bound to AD.

A quick search on Google yielded a long discussion on Kerberos support (or not) in Mac OS X 10.6 on Red Hat engineer Vincent Danen’s blog, and eventually led to his wiki discussing Kerberos on Mac OS X.

I’ll summarize the relevant tips here:

  • On Mac OS X, the equivalent of /etc/krb5.conf is /Library/Preferences/edu.mit.Kerberos
  • /System/Library/LaunchAgents/com.apple.Kerberos.renew.plist should use -R instead of -B (to auto-renew tickets)

Thanks to Apple’s support of Open Source, I was able to check out the source code for the pam_krb5.so module that they use in OS X 10.6. With this, I was able to enable debugging in a custom application and determine how to get authentication working.

Apple has some additional tips here: http://support.apple.com/kb/TA20987