Mac OSX working K5 config


Under Mac OSX 10.10, no luck: DES is forcibly disabled, so aklog will NOT work, at least not until we finish the OpenAFS server upgrade and make sure only the AES keys are available.

Here is what I set up for Mac OSX 10.9.

(1) Create a /etc/krb5.conf file with the content below:

[libdefaults]
 default_realm = RHIC.BNL.GOV
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 432000
 renew_lifetime = 604800
 forwardable = true
 allow_weak_crypto = true
 default_tgs_enctypes = des-cbc-crc
 default_tkt_enctypes = des-cbc-crc

[realms]
 RHIC.BNL.GOV = {
  kdc = rkdc.rhic.bnl.gov
  kdc = rkdc00.rhic.bnl.gov
  kdc = rkdc01.rhic.bnl.gov
  admin_server = rkdc00.rhic.bnl.gov
  default_domain = rcf.bnl.gov
 }


[domain_realm]
 .rhic.bnl.gov = RHIC.BNL.GOV
 rhic.bnl.gov = RHIC.BNL.GOV
 .rcf.bnl.gov = RHIC.BNL.GOV
 rcf.bnl.gov = RHIC.BNL.GOV
Make sure it is EXACTLY as noted above (with one user, I had an additional blank line and all went to hell - it is that sensitive!).
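As an added example (not part of the original notes), here is a small Python script that parses a krb5.conf in the profile format used above and reports the settings that turn DES on, so you can tell at a glance which machines still carry the weak-crypto workaround. The sample text is the page's own /etc/krb5.conf; the AES-only variant is constructed to show what the audit reports once the workaround is removed, and is an assumption rather than a tested configuration.

```python
"""Audit a krb5.conf for weak-crypto settings (added example, not from the page)."""
import re

# Constructed sample: the /etc/krb5.conf from step (1), verbatim.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = RHIC.BNL.GOV
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 432000
 renew_lifetime = 604800
 forwardable = true
 allow_weak_crypto = true
 default_tgs_enctypes = des-cbc-crc
 default_tkt_enctypes = des-cbc-crc

[realms]
 RHIC.BNL.GOV = {
  kdc = rkdc.rhic.bnl.gov
  kdc = rkdc00.rhic.bnl.gov
  kdc = rkdc01.rhic.bnl.gov
  admin_server = rkdc00.rhic.bnl.gov
  default_domain = rcf.bnl.gov
 }

[domain_realm]
 .rhic.bnl.gov = RHIC.BNL.GOV
 rhic.bnl.gov = RHIC.BNL.GOV
 .rcf.bnl.gov = RHIC.BNL.GOV
 rcf.bnl.gov = RHIC.BNL.GOV
"""

# Constructed AES-only [libdefaults]: the shape the end state would take once
# only AES keys exist on the servers (an assumption, not a tested config).
AES_ONLY_LIBDEFAULTS = """\
[libdefaults]
 default_realm = RHIC.BNL.GOV
 allow_weak_crypto = false
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

# Enctypes treated as weak: single DES (the page's workaround) plus 3DES and RC4.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
                 "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def parse_krb5_conf(text):
    """Parse the krb5.conf profile format into {section: {key: [values]}}.

    '[name]' starts a section, 'key = value' is a setting, 'key = {' opens a
    subsection (a realm block) closed by '}'. Every scalar key maps to a list
    so repeated keys such as the three 'kdc' lines are all kept, in file order.
    """
    sections, target, stack = {}, None, []   # stack: enclosing dicts inside '{ }'
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            if stack:
                raise ValueError("line %d: section header inside a '{' block" % lineno)
            target = sections.setdefault(m.group(1), {})
            continue
        if target is None:
            raise ValueError("line %d: setting before any [section]" % lineno)
        if line == "}":
            if not stack:
                raise ValueError("line %d: unmatched '}'" % lineno)
            target = stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("line %d: expected 'key = value'" % lineno)
        key, value = key.strip(), value.strip()
        if value == "{":                      # open a realm-style subsection
            stack.append(target)
            target = target.setdefault(key, {})
        else:
            target.setdefault(key, []).append(value)
    if stack:
        raise ValueError("unclosed '{' block at end of file")
    return sections


def kdcs_for_realm(conf, realm):
    return conf.get("realms", {}).get(realm, {}).get("kdc", [])


def audit_weak_crypto(conf):
    """Return human-readable findings for settings that enable weak enctypes."""
    findings = []
    lib = conf.get("libdefaults", {})
    # krb5 honours the last occurrence of a scalar setting, so look at [-1].
    if lib.get("allow_weak_crypto", ["false"])[-1].lower() in ("true", "yes", "1"):
        findings.append("allow_weak_crypto is enabled: DES enctypes will be accepted")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        for value in lib.get(key, []):
            weak = [e for e in value.split() if e.lower() in WEAK_ENCTYPES]
            if weak:
                findings.append("%s lists weak enctype(s): %s" % (key, ", ".join(weak)))
    return findings


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print("KDCs:", ", ".join(kdcs_for_realm(conf, "RHIC.BNL.GOV")))
    for finding in audit_weak_crypto(conf) or ["no weak-crypto settings found"]:
        print("-", finding)
```

Run it against a real file with parse_krb5_conf(open("/etc/krb5.conf").read()); an empty findings list is the target state, three findings is the 10.9 workaround described here.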

(2) With the above config, kinit worked out of the box BUT aklog did not. Here, I had two cases:

2.a On some Mac OSX machines (I hoped most, but for two out of three this did not work), you need to move aside the file /var/db/openafs/etc/krb5-weak.conf by doing something like
% mv /var/db/openafs/etc/krb5-weak.conf /var/db/openafs/etc/krb5-weak.conf.bak
You can try that first and if it works, we are good to go.

2.b If not, then for both kinit and aklog to work you can force the configuration file to be read by making sure the environment variable KRB5_CONFIG is defined, like (sh/bash syntax first, csh/tcsh second)
KRB5_CONFIG=/etc/krb5.conf ; export KRB5_CONFIG
or
setenv KRB5_CONFIG /etc/krb5.conf


After all of this is done, klist -v should show something like the following:

% klist -v
Credentials cache: API:F3F8BC0F-70A4-4EF7-BD5A-B94EE3CF7C9E
        Principal: jeromel@RHIC.BNL.GOV
    Cache version: 0

Server: krbtgt/RHIC.BNL.GOV@RHIC.BNL.GOV
Client: jeromel@RHIC.BNL.GOV
Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
Ticket length: 347
Auth time:  Nov 12 15:39:33 2014
End time:   Nov 17 15:39:28 2014
Renew till: Nov 19 15:39:28 2014
Ticket flags: enc-pa-rep, pre-authent, initial, renewable, forwardable
Addresses: addressless

Server: afs@RHIC.BNL.GOV
Client: jeromel@RHIC.BNL.GOV
Ticket etype: des-cbc-crc, kvno 4
Session key: des-cbc-md4
Ticket length: 293
Auth time:  Nov 12 15:39:33 2014
Start time: Nov 12 15:39:47 2014
End time:   Nov 17 15:39:28 2014
Ticket flags: enc-pa-rep, transited-policy-checked, pre-authent, forwardable
Addresses: addressless

As seen, the TGT (krbtgt) ticket is AES while the afs service ticket used for the AFS token is still DES.
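To check which cached tickets still rely on DES without eyeballing the listing, here is an added Python example (not from the original notes) that parses klist -v output of the shape shown above into per-ticket records, flags legacy enctypes for the ticket itself or its session key, and reports expiry against a given time. The embedded sample is the page's own listing; the legacy-prefix list is this example's choice.

```python
"""Flag DES-based tickets in `klist -v` output (added example, not from the page)."""
import re
from datetime import datetime

# Constructed sample: the klist -v listing shown on the page, verbatim.
SAMPLE_KLIST_V = """\
Credentials cache: API:F3F8BC0F-70A4-4EF7-BD5A-B94EE3CF7C9E
        Principal: jeromel@RHIC.BNL.GOV
    Cache version: 0

Server: krbtgt/RHIC.BNL.GOV@RHIC.BNL.GOV
Client: jeromel@RHIC.BNL.GOV
Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
Ticket length: 347
Auth time:  Nov 12 15:39:33 2014
End time:   Nov 17 15:39:28 2014
Renew till: Nov 19 15:39:28 2014
Ticket flags: enc-pa-rep, pre-authent, initial, renewable, forwardable
Addresses: addressless

Server: afs@RHIC.BNL.GOV
Client: jeromel@RHIC.BNL.GOV
Ticket etype: des-cbc-crc, kvno 4
Session key: des-cbc-md4
Ticket length: 293
Auth time:  Nov 12 15:39:33 2014
Start time: Nov 12 15:39:47 2014
End time:   Nov 17 15:39:28 2014
Ticket flags: enc-pa-rep, transited-policy-checked, pre-authent, forwardable
Addresses: addressless
"""

# Enctype name prefixes treated as legacy: single DES (what this page works
# around) plus 3DES and RC4, which are also deprecated.
LEGACY_PREFIXES = ("des-", "des3-", "rc4-", "arcfour-")
TIME_FORMAT = "%b %d %H:%M:%S %Y"   # e.g. "Nov 17 15:39:28 2014", as klist prints it
ETYPE_RE = re.compile(r"^\s*(\S+?)\s*(?:,\s*kvno\s+(\d+))?\s*$")


def parse_klist_v(text):
    """Return (header, tickets): header is the cache/principal block, tickets a
    list of dicts, one per 'Server:' record, keyed by the field labels."""
    header, tickets, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition(":")   # first ':' only; values may contain ':'
        if not line or not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Server":
            current = {"Server": value}
            tickets.append(current)
        elif current is None:
            header[key] = value
        else:
            current[key] = value
    return header, tickets


def split_etype(field):
    """'des-cbc-crc, kvno 4' -> ('des-cbc-crc', 4); 'des-cbc-md4' -> ('des-cbc-md4', None)."""
    m = ETYPE_RE.match(field)
    if not m:
        raise ValueError("unexpected enctype field: %r" % field)
    return m.group(1), (int(m.group(2)) if m.group(2) else None)


def is_legacy(enctype):
    return enctype.lower().startswith(LEGACY_PREFIXES)


def legacy_tickets(tickets):
    """Return [(server, [reason, ...])] for tickets whose ticket enctype or
    session-key enctype is a legacy type."""
    findings = []
    for t in tickets:
        reasons = []
        if "Ticket etype" in t:
            etype, kvno = split_etype(t["Ticket etype"])
            if is_legacy(etype):
                reasons.append("ticket enctype %s (kvno %s)" % (etype, kvno))
        if "Session key" in t:
            skey, _ = split_etype(t["Session key"])
            if is_legacy(skey):
                reasons.append("session key enctype %s" % skey)
        if reasons:
            findings.append((t["Server"], reasons))
    return findings


def parse_klist_time(s):
    """Parse a klist timestamp (local time, no zone) into a naive datetime."""
    return datetime.strptime(s.strip(), TIME_FORMAT)


def expired_tickets(tickets, now):
    """Servers whose 'End time' is at or before `now` (a naive local datetime)."""
    return [t["Server"] for t in tickets
            if "End time" in t and parse_klist_time(t["End time"]) <= now]


if __name__ == "__main__":
    header, tickets = parse_klist_v(SAMPLE_KLIST_V)
    print("Principal:", header.get("Principal"))
    for server, reasons in legacy_tickets(tickets):
        print("LEGACY", server, "->", "; ".join(reasons))
    print("Expired now:", expired_tickets(tickets, datetime.now()))
```

On a live machine feed it the real output, for example parse_klist_v(subprocess.check_output(["klist", "-v"], text=True)); the afs entry is the one that should disappear from the legacy list once the servers carry AES keys only.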