Sunday, 11 March 2012

Get Chrome to work with Kerberos


A lot of stuff regarding Kerberos is broken on Lion. Some say everything. 

One thing that hit us soon after trying out Lion was that Chrome was not working with Kerberos anymore. We found the problem was with the "AuthServerWhitelist" parameter. 

We could fix it for network users with a change in the OD: 
  • Open the Open Directory node in Workgroup Manager
  • Choose your main user group
  • Switch to "Manage Preferences" in the button bar 
  • Go to the "Details" tab
  • Press +
  • Choose Google Chrome
  • Select "Always"
  • Click on "New Key"
  • Enter "AuthServerWhitelist" and give it the string value "*.<yourdomain.com>".
  • Apply, and you're done. 

It's more difficult for local users. There you need to access the local directory on the client. 
You can do this in Lion with the built-in "Open Directory Utility", but it is cumbersome. 

I streamlined this by learning a bit of dscl: 

sudo dscl . mcxset /Users/<USER> com.google.Chrome AuthServerWhitelist always '*.<yourdomain.com>'

Replace <USER> and <yourdomain.com>, enter the command in Terminal. Done.  

Thursday, 8 March 2012

Kerberos client config with OD on SL and Lion


I've dived into the murky, two-colored waters of Kerberos on Mac OS SL and Lion. Our installation works, but the tickets are issued without the Renewable and Forwardable flags, which complicates usage with Linux. I needed to find a way to configure the Kerberos client on the Macs...

After a lot of searching, I've found that Snow Leopard clients with network users read an Open Directory config entry and use it as their krb5.conf.

This entry is (seen from the OD host (SL Server)): 
/LDAPv3/127.0.0.1/Config/KerberosClient/XMLPlist

You can edit this entry with the Inspector tab in your Workgroup Manager (again SL). The entry is formatted as an XML plist, but you'll see the similarities to a normal krb5.conf right away. 

Don't forget to increment the GenerationID at the end of the XML, otherwise the clients will not pick up the change. The entries should be applied on the next login, but you can force the sync with the tool "kerberosautoconfig". Add the parameter "-v 4" to get some feedback: 

$> sudo kerberosautoconfig -v 4 

Alternatively, you can copy a regular krb5.conf file to the file /Library/Preferences/edu.mit.Kerberos.
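As an added example (not from the original post), this is the kind of krb5.conf that addresses the missing flags described above, whether it is pasted into the OD KerberosClient entry or copied to /Library/Preferences/edu.mit.Kerberos. The realm EXAMPLE.COM and the host od.example.com are placeholders; substitute your own.

```ini
# Added example krb5.conf; EXAMPLE.COM / od.example.com are placeholders.
[libdefaults]
    default_realm = EXAMPLE.COM
    # Ask the KDC for forwardable tickets (needed for credential
    # delegation, e.g. ssh with GSSAPIDelegateCredentials to Linux hosts)
    forwardable = true
    # Ask for renewable tickets; the renew window is capped by the KDC
    renew_lifetime = 7d
    ticket_lifetime = 10h

[realms]
    EXAMPLE.COM = {
        kdc = od.example.com
        admin_server = od.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

These settings only request the flags; the KDC's own policy decides whether it grants them, so after a fresh kinit check with "klist -f" that the ticket actually shows the F (forwardable) and R (renewable) flags.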

Lion clients ignore the entry in the OD. They hilariously still accept the edu.mit.Kerberos file, even though Lion uses Heimdal Kerberos instead of the MIT flavor. Lion is also missing the "kerberosautoconfig" tool, but the SL version still runs on Lion. Get the file from somewhere and copy it to "/sbin/".

You can generate a local "/Library/Preferences/edu.mit.Kerberos" file by running: 

$> sudo kerberosautoconfig -f /LDAPv3/<yourODhost>  -v 4

The configuration does not refresh by itself, so you need to run this again if something changed. 
I still have a lot to learn about Kerberos on Mac, I'll keep you posted.