
I am running macOS High Sierra 10.13

I need to remotely access a kerberised web UI (Hadoop Cluster / Ambari / Oozie Service UI to be specific).
For that I first need to edit/configure the Kerberos conf file to add the realm before calling kinit properly. I looked thoroughly; the Kerberos configuration file is not present in the system: not a trace anywhere of a file called "edu.mit.Kerberos" nor "krb5.conf".

But still, calling kinit outputs this:

user@MBP:~$ kinit
kinit: krb5_get_default_principal: Configuration file does not specify default realm

I am really curious where the configuration file is hidden if it ever exists.

Anyway, I tried creating both /etc/krb.conf and /Library/Preferences/edu.mit.Kerberos with my realm configuration but I keep getting the same output.

I am not even sure Kerberos is installed properly by default on this version of macOS, but I do have the klist and kinit commands natively in /usr/bin.

I also tried to unload / reload the Kerberos service, but the corresponding plist files are also non-existent:

sudo launchctl unload /System/Library/LaunchDaemons/edu.mit.Kerberos.kadmind.plist
sudo launchctl unload /System/Library/LaunchDaemons/edu.mit.Kerberos.krb5kdc.plist
sudo launchctl load /System/Library/LaunchDaemons/edu.mit.Kerberos.kadmind.plist
sudo launchctl load /System/Library/LaunchDaemons/edu.mit.Kerberos.krb5kdc.plist

All give:

No such file or directory

I consulted the official MIT documentation here and here, but it didn't really help. They also advise using the "Mac OS X Kerberos Extras" utility, but I am a terminal guy; I really prefer to understand what I am doing, where the conf files are, and what is really happening.

Any help or decent documentation is welcome. Thanks

Mehdi LAMRANI

2 Answers


We've had some experience of this and the 'lean' docs where I'm based...

You can write /etc/krb5.conf with e.g.:

[libdefaults]
  dns_lookup_kdc = false
  dns_lookup_realm = false
  ticket_lifetime = 86400
  renew_lifetime = 604800
  forwardable = true
  default_tgs_enctypes = aes256-cts
  default_tkt_enctypes = aes256-cts
  permitted_enctypes = aes256-cts
  udp_preference_limit = 1
  kdc_timeout = 3000
[realms]
  NODE.EXAMPLE.COM = {
    kdc = tcp/example.com:port
  }

In our case we're connecting over ssh, so I have: kdc = tcp/localhost:11006, where that tunnels to the box/port running the KDC. Then kinit USERNAME@REALM

https://developer.mozilla.org/en-US/docs/Mozilla/Integrated_authentication may be helpful after that.

9bO3av5fw5

Comment: udp_preference_limit = 1 has no meaning on Mac. It was still using UDP unless I set tcp in kdc – Raid Jan 16 '23 at 23:46
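As an added example (not code from the answer or the commenter), a small Python helper that renders the kind of Heimdal-style /etc/krb5.conf shown above and checks it for the two things that bit this thread: a missing default_realm in [libdefaults], which is what a bare kinit complains about in the question, and a kdc entry without the tcp/ prefix, which the comment says is needed on macOS when the KDC is reached through an ssh tunnel. The realm and port are constructed sample values.

```python
def render_krb5_conf(realm, kdc, default_realm=True, tcp=True):
    """Render a minimal krb5.conf; `kdc` is host:port (sample values,
    e.g. the ssh tunnel endpoint localhost:11006 from the answer)."""
    lib = ["[libdefaults]"]
    if default_realm:
        lib.append(f"  default_realm = {realm}")
    lib += ["  dns_lookup_kdc = false", "  dns_lookup_realm = false",
            "  forwardable = true"]
    kdc_line = f"  kdc = {'tcp/' if tcp else ''}{kdc}"
    return "\n".join(lib + ["[realms]", f"  {realm} = {{", kdc_line, "  }"]) + "\n"

def parse_krb5_conf(text):
    """Parse sections, including the brace-delimited realm blocks, into
    {section: {key: value}} with realm blocks as nested dicts."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None                          # end of a realm block
        elif "=" in line and section is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            if val == "{":
                block = section.setdefault(key, {})
            elif block is not None:
                block[key] = val
            else:
                section[key] = val
    return conf

def check_krb5_conf(text):
    """Return the problems a kinit user on macOS would hit with this file."""
    conf = parse_krb5_conf(text)
    problems = []
    default = conf.get("libdefaults", {}).get("default_realm")
    if not default:
        problems.append("no default_realm: a bare `kinit` cannot build a principal")
    realms = conf.get("realms", {})
    if default and default not in realms:
        problems.append(f"default_realm {default} has no [realms] entry")
    for realm, settings in realms.items():
        kdc = settings.get("kdc", "") if isinstance(settings, dict) else ""
        if not kdc:
            problems.append(f"realm {realm} has no kdc")
        elif not kdc.startswith("tcp/"):
            problems.append(f"realm {realm}: kdc {kdc} is not tcp/ (UDP will not cross an ssh tunnel)")
    return problems
```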

At some point, Apple renamed the Kerberos launchdaemons to live under com.apple, for example, com.apple.Kerberos.kcm.plist for the credential-cache daemon.

wiml