Reference: https://www.fnal.gov/docs/strongauth/macadmin.html
Kerberos on Mac OS X 10.7 and later
Client Configuration
Heimdal Kerberos is shipped as part of Mac OS X (as of the OS X 10.7 'Lion' release). Heimdal Kerberos is an alternate implementation of the Kerberos protocol and (mostly) interoperates with the more common MIT Kerberos (such as installed on NCSA Linux systems).
In order to configure Kerberos on the Macintosh, obtain the NCSA Kerberos configuration file krb5.conf from Kerberos Configuration Information. The current version can be found at The system expects to find this configuration file in one, and only one, of two places. Check for the existence of either of the following two files (/etc is hidden from the Finder, and writing to it requires root privileges):
/etc/krb5.conf
/Library/Preferences/edu.mit.Kerberos
The recommended practice is to install the file as /etc/krb5.conf. If the second file (edu.mit.Kerberos) is present, it must be deleted.
Make sure the Kerberos configuration file only exists in one of these two places!
If you commonly work from behind a NAT (Network Address Translation) router, as is typical of many cable and DSL internet users, you should also add to the [libdefaults] section of the Kerberos configuration the following line:
noaddresses = TRUE
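The placement rule and the NAT setting above are easy to get wrong by hand (a stale edu.mit.Kerberos file left behind, or noaddresses put under the wrong section). The following script is an added example, not part of the NCSA page: it checks that exactly one of the two candidate files exists and that noaddresses is set to true inside [libdefaults]. The candidate paths are passed as arguments so it can be run against copies; the embedded sample krb5.conf is constructed for illustration and the realm NCSA.EDU is taken from the page.

```shell
#!/bin/sh
# Added example (not from the original NCSA page): verify the krb5.conf
# placement rule (exactly one of the two candidate files) and that
# [libdefaults] carries "noaddresses = TRUE" for hosts behind NAT.

# Constructed sample configuration used for illustration; not NCSA's real file.
SAMPLE_KRB5_CONF='[libdefaults]
	default_realm = NCSA.EDU
	noaddresses = TRUE
[realms]
'

# libdefaults_has_noaddresses FILE
# Exit 0 if FILE sets noaddresses to true inside the [libdefaults] section.
# awk tracks the current section header, so the same key under another
# section (e.g. [appdefaults]) does not count; '#' comments and the spaces
# around '=' are ignored.
libdefaults_has_noaddresses() {
    awk '
        /^[ \t]*\[/ {
            sec = tolower($0)
            sub(/^[ \t]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            next
        }
        sec == "libdefaults" {
            line = tolower($0)
            sub(/#.*/, "", line)
            gsub(/[ \t]/, "", line)
            if (line == "noaddresses=true") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# krb5_conf_check PATH...
# Exit 0 only if exactly one of the given files exists and that file passes
# libdefaults_has_noaddresses; otherwise explain on stderr and exit 1.
krb5_conf_check() {
    present=""
    count=0
    for f in "$@"; do
        if [ -f "$f" ]; then
            present="$present $f"
            count=$((count + 1))
            only="$f"
        fi
    done
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one Kerberos config file, found $count:$present" >&2
        return 1
    fi
    if ! libdefaults_has_noaddresses "$only"; then
        echo "$only: add 'noaddresses = TRUE' to [libdefaults] when working behind NAT" >&2
        return 1
    fi
    echo "$only: ok"
}

# Typical invocation on a Mac (the two locations named above):
#   krb5_conf_check /etc/krb5.conf /Library/Preferences/edu.mit.Kerberos
```

Run it as root if /etc/krb5.conf is not world-readable on your system; a non-zero exit with the reason on stderr means the layout or the [libdefaults] section needs fixing before kinit is tried.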
Once you have set up Kerberos, you have:
- Kerberized telnet and ssh clients
- A Kerberized ssh server (if you complete the steps outlined below)
You will not have Kerberized ftp, rlogin, and rsh.
Kerberos Login and Screen Saver
To use Kerberos for local login and screen saver the following configurations are necessary.
/etc/pam.d/authorization
# authorization: auth account
auth optional pam_krb5.so use_first_pass use_kcminit default_principal
auth sufficient pam_krb5.so use_first_pass default_principal
auth optional pam_ntlm.so use_first_pass
auth required pam_opendirectory.so use_first_pass nullok
account required pam_opendirectory.so
/etc/pam.d/screensaver
# screensaver: auth account
auth optional pam_krb5.so use_first_pass use_kcminit default_principal
auth required pam_opendirectory.so use_first_pass nullok
account required pam_opendirectory.so
account sufficient pam_self.so
account required pam_group.so no_warn group=admin,wheel fail_safe
account required pam_group.so no_warn deny group=admin,wheel ruser fail_safe
To permit a Kerberos password to be used for sudo:
/etc/pam.d/sudo
# sudo: auth account password session
auth sufficient pam_krb5.so try_first_pass default_principal
auth required pam_opendirectory.so use_first_pass
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
AFS Client
- For AFS access: Download the latest release of OpenAFS from OpenAFS.org site, selecting the version for your Mac OS X version.
- During the install, the OpenAFS Client Cell panel prompts for the default AFS cell. Enter 'ncsa.uiuc.edu' to connect to the NCSA AFS cell and 'ncsa' as the Cell Alias.
- Alternatively, go to /var/db/openafs/etc/ (requires root privileges) and edit the ThisCell file so that it contains only a single line containing the text 'ncsa.uiuc.edu'.
- Restart your computer.
Authenticate to Kerberos
To authenticate, use either the command line kinit as you would on a Linux system, or use the OS X GUI application Ticket Viewer.
Command Line kinit
Open a terminal window and run the command kinit. See section 12.1 kinit. If you are using AFS, run the aklog command after the kinit in order to get the necessary AFS token.
GUI
- Open Keychain Access (also in the /Applications/Utilities folder) and select Ticket Viewer from under the Keychain Access menu.
- Click Add Identity in the Ticket Viewer.
- Check that your username is right and the realm is NCSA.EDU. Enter your Kerberos password and click OK.
- You'll see your principal name appear and a Time Remaining for your tickets. You can click the triangle to reveal a list of the tickets.
- Now you are ready to connect to a Linux system with ssh. You can quit the Kerberos GUI application without losing your tickets.
SSH Server Configuration (To be able to Connect to your Macintosh with GSSAPI Authentication)
In order to set up your Macintosh for incoming SSH connections that comply with NCSA security policies, you will need to edit /etc/sshd_config and make the settings listed here (you might also need to uncomment lines by removing the leading '#').
If your Mac is a DHCP client, make sure it gets a stable hostname when connected. Go to System Preferences, click Network, and choose each network interface in turn that you intend to use (probably just 'Ethernet' and 'Airport' or 'Wi-Fi'). For each one, click Advanced, go to the TCP/IP tab, and fill in the 'DHCP Client ID' box with just your hostname (not the fully qualified name). For example, suppose you have registered your Macintosh with the hostname fondulac. Put just fondulac in the box, even though your full domain name is fondulac.ncsa.illinois.edu.
Send an email to the NCSA help desk to request a 'host principal' and provide the fully qualified domain name (i.e. fondulac.ncsa.illinois.edu).
Once you get email back with an initial host principal password, you need to create a keytab file to hold the principal key but you will not be able to do this on your Macintosh because the Heimdal-based kadmin utility present on the Macintosh will not inter-operate with the kadmin server on the Master KDC. Instead you will have to log into a Linux system and create the keytab there and then securely transport the file back to your Macintosh where it will be stored as the file /etc/krb5.keytab (you can use the SSH file copy utility scp to accomplish this).
On the Linux system, run this command:
Provide the password when prompted -- it can only be used one time. If successful the terminal will display a message to the effect of 'Entry for principal host/fondulac.ncsa.illinois.edu ... added to keytab fondulac.keytab.' Use a secure method to transfer fondulac.keytab to your Macintosh to be saved as /etc/krb5.keytab.
Open System Preferences, pick 'Sharing', click 'Remote Login' to enable incoming SSH. Make sure your correct hostname (not the fully qualified name) is in the Computer Name field.
Add a .k5login file to the home directory of any account to which you want to be able to log in remotely, and include the appropriate principals which are allowed to log into the account. (full principal name with no spaces along with the Kerberos realm name in upper case). This file must be writable only by the account itself and/or root.
Run kinit on your workstation and acquire a Kerberos ticket. This will then permit you to connect to the OSX server with ssh.
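Two files this procedure leaves on the Mac deserve a check before Remote Login is enabled: /etc/krb5.keytab holds the host's long-term key, and .k5login decides who may log in to the account. The script below is an added example and not part of the NCSA page; it assumes the paths named above, and takes an owner argument only so the checks can be tried on copies. The page does not show the Linux-side command; the kadmin/ktadd line in the header comment is an assumption inferred from the "Entry for principal ... added to keytab" message quoted above. The sample .k5login contents are constructed.

```shell
#!/bin/sh
# Added example (not from the original NCSA page): sanity checks for
# /etc/krb5.keytab and ~/.k5login on the Mac SSH server.
#
# Assumed (not from the page) Linux-side command that produces the
# "Entry for principal host/... added to keytab fondulac.keytab" message:
#   kadmin -p host/fondulac.ncsa.illinois.edu \
#          -q "ktadd -k fondulac.keytab host/fondulac.ncsa.illinois.edu"
# then scp fondulac.keytab to the Mac and, as root, move it to /etc/krb5.keytab.

# Constructed sample .k5login: one plain principal and one with an instance.
SAMPLE_K5LOGIN='alice@NCSA.EDU
alice/admin@NCSA.EDU
'

# file_mode FILE / file_owner FILE: GNU stat (Linux) first, BSD stat (macOS) as fallback.
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# group_other_bits FILE -> last two octal digits of the mode, e.g. "00" for 0600.
group_other_bits() { m=$(file_mode "$1"); printf '%s' "$m" | tail -c 2; }

# check_keytab_private FILE [OWNER]
# The keytab must be owned by OWNER (root on a real system) and readable by
# nobody else, i.e. mode 0600.
check_keytab_private() {
    f=$1; owner=${2:-root}
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    [ "$(file_owner "$f")" = "$owner" ] || { echo "$f: owner is $(file_owner "$f"), expected $owner" >&2; return 1; }
    [ "$(group_other_bits "$f")" = "00" ] || { echo "$f: mode $(file_mode "$f"), expected 0600" >&2; return 1; }
}

# check_k5login FILE ACCOUNT
# .k5login must be owned by the account itself or root and writable by nobody
# else; each non-blank line must be one principal with no spaces and an
# upper-case realm, e.g. alice@NCSA.EDU or alice/admin@NCSA.EDU.
check_k5login() {
    f=$1; account=$2
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    o=$(file_owner "$f")
    [ "$o" = "$account" ] || [ "$o" = root ] || { echo "$f: owned by $o, not $account or root" >&2; return 1; }
    case "$(group_other_bits "$f")" in
        *[2367]*) echo "$f: group/other writable (mode $(file_mode "$f"))" >&2; return 1 ;;
    esac
    awk '
        NF == 0 { next }
        NF != 1 || $1 !~ /^[^@ \t]+@[A-Z0-9.-]+$/ {
            print FILENAME ": line " NR ": not a valid principal: " $0 > "/dev/stderr"
            bad = 1
        }
        END { exit(bad ? 1 : 0) }
    ' "$f"
}

# On the Mac itself (as root):
#   check_keytab_private /etc/krb5.keytab
#   check_k5login /Users/alice/.k5login alice
```

A keytab that fails the ownership or mode check should be treated as exposed: anyone who can read it can impersonate the host principal, so request a new host principal rather than just tightening permissions.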
SSH Server Configuration (To be able to Connect to your Macintosh with Kerberos password Authentication)
To permit the use of ssh with Kerberos passwords, the following modification of the PAM configuration is required.
/etc/pam.d/sshd
# sshd: auth account password session
auth sufficient pam_krb5.so try_first_pass default_principal
auth optional pam_ntlm.so try_first_pass
auth optional pam_mount.so try_first_pass
auth required pam_opendirectory.so try_first_pass
account required pam_nologin.so
account required pam_sacl.so sacl_service=ssh
account required pam_opendirectory.so
password required pam_opendirectory.so
session required pam_launchd.so
session optional pam_mount.so
Time Synchronization
If you get the error 'KDC reply did not match expectations' or 'Clock skew too great while getting initial credentials', your computer's date and time differ too much from the date and time on the Kerberos server. Should you see this error, make sure your date and time are correct.
On a Macintosh, the Date and Time in the System Preferences or Control Panel has an option for using a network time server. To set the date and time:
- First quit all Kerberos-using applications.
- Follow the instructions to Set the date and time from Apple.
If the problem persists, restart your computer.
ktpass
Applies to: Windows Server (Semi-Annual Channel), Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Configures the server principal name for the host or service in Active Directory Domain Services (AD DS) and generates a .keytab file that contains the shared secret key of the service. The .keytab file is based on the Massachusetts Institute of Technology (MIT) implementation of the Kerberos authentication protocol. The ktpass command-line tool allows non-Windows services that support Kerberos authentication to use the interoperability features provided by the Kerberos Key Distribution Center (KDC) service.
Syntax
Parameters
| Parameter | Description |
|---|---|
| /out <filename> | Specifies the name of the Kerberos version 5 .keytab file to generate. Note: This is the .keytab file you transfer to a computer that isn't running the Windows operating system, and then replace or merge with your existing .keytab file, /etc/krb5.keytab. |
| /princ <principalname> | Specifies the principal name in the form host/computer.contoso.com@CONTOSO.COM. Warning: This parameter is case-sensitive. |
| /mapuser <useraccount> | Maps the name of the Kerberos principal, which is specified by the princ parameter, to the specified domain account. |
| /mapop {add\|set} | Specifies how the mapping attribute is set: add adds the value of the specified local user name (the default); set sets the value for DES-only encryption for the specified local user name. |
| {-\|+}desonly | DES-only encryption is set by default. DES is obsolete and is disabled in current Windows and Kerberos implementations; do not rely on it (see /crypto). |
| /in <filename> | Specifies the .keytab file to read from a host computer that is not running the Windows operating system. |
| /pass {password\|*\|{-\|+}rndpass} | Specifies a password for the principal user name that is specified by the princ parameter. Use * to prompt for a password; +rndpass generates a random one. Setting a password here resets the mapped account's password in AD DS, so any keytab previously issued for that account stops working. |
| /minpass | Sets the minimum length of the random password to 15 characters. |
| /maxpass | Sets the maximum length of the random password to 256 characters. |
| /crypto {DES-CBC-CRC\|DES-CBC-MD5\|RC4-HMAC-NT\|AES256-SHA1\|AES128-SHA1\|All} | Specifies the keys that are generated in the keytab file. Note: Because the default settings are based on older MIT versions, you should always use the /crypto parameter. Prefer AES256-SHA1 (or AES128-SHA1): DES-CBC-CRC and DES-CBC-MD5 are obsolete, RC4-HMAC-NT is weak, and All emits a key for every supported type, including the weak ones. |
| /itercount | Specifies the iteration count that is used for AES encryption. The default ignores itercount for non-AES encryption and sets AES encryption to 4,096. |
| /ptype {KRB5_NT_PRINCIPAL\|KRB5_NT_SRV_INST\|KRB5_NT_SRV_HST} | Specifies the principal type: KRB5_NT_PRINCIPAL is the general principal type (recommended), KRB5_NT_SRV_INST the user service instance, and KRB5_NT_SRV_HST the host service instance. |
| /kvno <keyversionnum> | Specifies the key version number. The default value is 1. |
| /answer {-\|+} | Sets the background answer mode: - answers reset-password prompts automatically with NO, + answers them automatically with YES. |
| /target | Sets which domain controller to use. The default is for the domain controller to be detected, based on the principal name. If the domain controller name doesn't resolve, a dialog box will prompt for a valid domain controller. |
| /rawsalt | Forces ktpass to use the rawsalt algorithm when generating the key. This parameter is optional. |
| {-\|+}dumpsalt | The output of this parameter shows the MIT salt algorithm that is being used to generate the key. |
| {-\|+}setupn | Sets the user principal name (UPN) in addition to the service principal name (SPN). The default is to set both in the .keytab file. |
| {-\|+}setpass <password> | Sets the user's password when supplied. If rndpass is used, a random password is generated instead. |
| /? | Displays Help for this command. |
Remarks
- Services running on systems that aren't running the Windows operating system can be configured with service instance accounts in AD DS. This allows any Kerberos client to authenticate to services that are not running the Windows operating system by using Windows KDCs.
- The /princ parameter isn't evaluated by ktpass and is used as provided. There's no check to see if the parameter matches the exact case of the userPrincipalName attribute value when generating the keytab file. Case-sensitive Kerberos distributions using this keytab file might have problems if there's no exact case match, and could even fail during pre-authentication. To check and retrieve the correct userPrincipalName attribute value, use an LDIFDE export file. For example:
Examples
To create a Kerberos .keytab file for a host computer that isn't running the Windows operating system, you must map the principal to the account and set the host principal password.
- Use the Active Directory Users and Computers snap-in to create a user account for a service on a computer that is not running the Windows operating system. For example, create an account with the name User1.
- Use the ktpass command to set up an identity mapping for the user account by typing: Note: You cannot map multiple service instances to the same user account.
- Merge the .keytab file with the /etc/krb5.keytab file on a host computer that isn't running the Windows operating system.
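Before merging a ktpass-generated keytab into /etc/krb5.keytab, it is worth checking two of the table's warnings on the receiving host: that the principal landed with the exact case given to /princ, and that no DES or RC4 keys were generated because /crypto was left permissive. The script below is an added example, not part of the Microsoft reference; it parses the output of MIT `klist -kte` (the tool on the Linux side of this page). The ktpass invocation in the header comment, the realm CORP.EXAMPLE.COM, the host web01 and the service account are all hypothetical, and the embedded listing is constructed rather than captured from a real keytab.

```shell
#!/bin/sh
# Added example (not from the ktpass reference): audit a keytab produced by
# ktpass once it reaches the non-Windows host, using `klist -kte` output.
#
# Assumed, hypothetical ktpass run on the domain controller (names made up):
#   ktpass /out web01.keytab /princ HTTP/web01.corp.example.com@CORP.EXAMPLE.COM ^
#          /mapuser CORP\svc-web01 /pass * /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL
# Then on the target host:
#   klist -kte web01.keytab | audit_keytab_listing HTTP/web01.corp.example.com@CORP.EXAMPLE.COM

# Constructed sample `klist -kte` listing (not a real keytab): one AES entry
# plus the RC4 and DES entries a permissive /crypto setting can add.
SAMPLE_LISTING='Keytab name: FILE:web01.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/15/2020 09:12:33 HTTP/web01.corp.example.com@CORP.EXAMPLE.COM (aes256-cts-hmac-sha1-96) 
   3 01/15/2020 09:12:33 HTTP/web01.corp.example.com@CORP.EXAMPLE.COM (arcfour-hmac) 
   3 01/15/2020 09:12:33 HTTP/web01.corp.example.com@CORP.EXAMPLE.COM (des-cbc-md5) '

# weak_enctype_lines  (stdin: klist -kte output)
# Print every key entry whose enctype is DES or RC4 (arcfour); exit 1 if any.
# Entry lines start with a numeric KVNO and end with "(enctype)".
weak_enctype_lines() {
    awk '
        $1 ~ /^[0-9]+$/ && match($0, /\([^)]*\)[ \t]*$/) {
            et = substr($0, RSTART + 1)
            sub(/\).*$/, "", et)
            if (et ~ /^(des-cbc-crc|des-cbc-md5|arcfour-hmac.*)$/) { print; weak = 1 }
        }
        END { exit(weak ? 1 : 0) }
    '
}

# keytab_has_principal PRINCIPAL  (stdin: klist -kte output)
# Exit 0 if some entry names PRINCIPAL exactly; the comparison is
# case-sensitive, matching how /princ is used as provided.
keytab_has_principal() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $4 == want { found = 1 } END { exit(found ? 0 : 1) }'
}

# audit_keytab_listing PRINCIPAL  (stdin: klist -kte output)
# Exit 0 only if PRINCIPAL is present and no weak enctypes are in the keytab.
audit_keytab_listing() {
    listing=$(cat)
    status=0
    if ! printf '%s\n' "$listing" | keytab_has_principal "$1"; then
        echo "principal $1 not found (check case: /princ is case-sensitive)" >&2
        status=1
    fi
    if ! printf '%s\n' "$listing" | weak_enctype_lines >/dev/null; then
        echo "weak enctypes present; regenerate with /crypto AES256-SHA1" >&2
        status=1
    fi
    return "$status"
}
```

Heimdal's `ktutil -k FILE list` on the Mac prints a different layout, so run this on the Linux host where the page has you handle keytabs, or against a copy of the klist output. A failing audit means going back to ktpass with an explicit /crypto and a /princ whose case matches the account's userPrincipalName.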