This article is a continuation of a really great read by shabangs.net. His article is great for binding your Macintosh to a Zentyal directory server; however, after completing the how-to I was unable to change a network user's password, store a local copy of the network user's password for "mobility", or leverage some great single sign-on services from Zentyal.

What we will do is configure /etc/krb5.conf on Mac OS X 10.8 (Mountain Lion), plus two PAM stacks, so that the Mac obtains a TGT from Zentyal whenever the user logs in or unlocks the screen after sleep.

First you need the Kerberos realm. Sign into the Zentyal web interface and go to Users and Groups; the LDAP search base shown there gives you the realm. The two are the same domain in different notation: a search base of dc=example,dc=com corresponds to the realm EXAMPLE.COM, the domain written as an upper-case DNS name.

Now search and replace EXAMPLE.COM with that realm, and replace your.server.example.com with the FQDN of your Zentyal server. Set the dns_lookup_* values to true only if the Mac uses the Zentyal server for DNS; otherwise set them to false, since the static kdc and admin_server entries under [realms] are sufficient and realm discovery through DNS TXT records trusts unauthenticated DNS answers. The enctype lists below are the ones that worked with this setup, but des-cbc-* and arcfour-hmac-md5 are weak; if your Zentyal KDC issues AES keys (the [kadmin] line below already lists aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96), put those first.



All edits are client-side ONLY; nothing on the Zentyal server changes.

If /etc/krb5.conf does not exist, create it. It must be readable by every process on the machine but writable only by root (owner root, mode 0644).

[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
    preferred_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc

[realms]
    EXAMPLE.COM = {
        admin_server = your.server.example.com
        kdc = your.server.example.com
        kpasswd = your.server.example.com
    }

[kadmin]
    default_keys = des-cbc-crc:pw-salt des-cbc-md5:pw-salt arcfour-hmac-md5:pw-salt aes256-cts-hmac-sha1-96:pw-salt aes128-cts-hmac-sha1-96:pw-salt

To obtain a Ticket Granting Ticket (TGT) when logging in at the login window, edit /etc/pam.d/authorization and append the default_principal option to the pam_krb5.so line so that it reads:



auth optional pam_krb5.so use_first_pass use_kcminit default_principal



To obtain a Ticket Granting Ticket (TGT) when authenticating to the screen saver (unlocking after sleep), edit /etc/pam.d/screensaver and append the default_principal option to the pam_krb5.so line so that it reads:



auth optional pam_krb5.so use_first_pass use_kcminit default_principal



Now sign out and back in as a network user, open Terminal and run klist. You should see something like:



lisa:~ test$ klist
Credentials cache: API:51104:6
        Principal: test@EXAMPLE.COM

  Issued           Expires          Principal
Mar  2 09:28:04  Mar  2 19:28:04  krbtgt/EXAMPLE.COM@EXAMPLE.COM



If so, great! Kerberos is working. Now try to change the user's Open Directory password; it should succeed as well. If it does not, keep Console.app open to see what is going on. 99% of the time it is a DNS issue (the Mac cannot resolve the Zentyal server's FQDN, or resolves it to a name the KDC does not use) or the workstation's clock is out of sync with Zentyal: the KDC rejects requests whose timestamp differs from its own time by more than the permitted clock skew, which is five minutes by default.

Now try to mount an SMB volume from the Zentyal server. It should mount without prompting for credentials, and a new service ticket for the file server (typically cifs/your.server.example.com@EXAMPLE.COM) will appear in the output of klist alongside the TGT.
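The whole procedure above, as an added example that is not code from the original article or from Zentyal: a POSIX sh script that derives the realm from the Zentyal LDAP search base the way the first step describes, prints a krb5.conf for it, and checks a klist dump for the TGT the verification step expects. The base DN dc=example,dc=com, the server name your.server.example.com, the script name krb5-setup.sh and the klist text inside the script are constructed samples. Two choices are mine rather than the article's: dns_lookup_* default to false, and the AES enctypes are listed ahead of the article's RC4/DES ones. The [kadmin] section is left out.

```shell
#!/bin/sh
# Added example, not code from the original article or from Zentyal.
# Derives the Kerberos realm from the Zentyal LDAP search base, emits a
# krb5.conf for it, and checks klist output for the TGT the article expects.
# The base DN, server name and klist text below are constructed samples.

# "dc=example,dc=com" -> "EXAMPLE.COM". Only dc= components are used; any
# ou=/cn= parts of a base DN are ignored, and case and spacing do not matter.
realm_from_basedn() {
    printf '%s\n' "$1" | awk -F',' '{
        out = ""
        for (i = 1; i <= NF; i++) {
            c = $i
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", c)
            if (tolower(substr(c, 1, 3)) != "dc=") continue
            if (out == "") out = toupper(substr(c, 4))
            else out = out "." toupper(substr(c, 4))
        }
        print out
    }'
}

# Print a krb5.conf for REALM whose KDC, kadmin and kpasswd server is KDC.
# The third argument sets dns_lookup_kdc/dns_lookup_realm and defaults to
# false: the static [realms] entries are enough, and realm discovery through
# DNS TXT records trusts unauthenticated DNS. AES enctypes are listed first
# (my choice); the RC4/DES entries after them are the ones the article uses.
krb5_conf() {
    realm=$1; kdc=$2; dns=${3:-false}
    enc='aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-md5 des-cbc-crc'
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = $dns
    dns_lookup_realm = $dns
    default_tgs_enctypes = $enc
    default_tkt_enctypes = $enc
    preferred_enctypes = $enc

[realms]
    $realm = {
        admin_server = $kdc
        kdc = $kdc
        kpasswd = $kdc
    }
EOF
}

# Read klist output on stdin and print "ok" when the cache principal is in
# REALM and a krbtgt/REALM@REALM ticket is listed, "wrong-realm" when the
# principal belongs to another realm, or "no-tgt" when no TGT is present.
klist_status() {
    realm=$1
    awk -v realm="$realm" '
        $1 == "Principal:" { split($2, p, "@"); prealm = p[2] }
        $NF == ("krbtgt/" realm "@" realm) { tgt = 1 }
        END {
            if (prealm != "" && prealm != realm) print "wrong-realm"
            else if (tgt) print "ok"
            else print "no-tgt"
        }'
}

# The KDC rejects requests whose timestamp is more than its clock skew away
# from its own time (300 s by default). Compare a server epoch, e.g. from
# "ssh your.server.example.com date +%s", with the local "date +%s".
clock_ok() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then diff=$(( 0 - diff )); fi
    [ "$diff" -le 300 ]
}

# Constructed inputs; use the base DN shown under Users and Groups and the
# Zentyal server's real FQDN.
BASE_DN='dc=example,dc=com'
KDC='your.server.example.com'
REALM=$(realm_from_basedn "$BASE_DN")

# The config goes to stdout, so it can be installed with:
#   sh krb5-setup.sh | sudo tee /etc/krb5.conf
krb5_conf "$REALM" "$KDC" false

# Constructed klist output in the shape the article shows; status to stderr.
SAMPLE_KLIST='Credentials cache: API:51104:6
        Principal: test@EXAMPLE.COM

  Issued           Expires          Principal
Mar  2 09:28:04  Mar  2 19:28:04  krbtgt/EXAMPLE.COM@EXAMPLE.COM'
printf '%s\n' "$SAMPLE_KLIST" | klist_status "$REALM" >&2
```

After logging in as a network user, pipe the real klist output into klist_status with your realm: "wrong-realm" means the PAM line is minting tickets for a different default realm than the one in krb5.conf, and "no-tgt" points at the DNS or clock problems described above, which clock_ok lets you rule out before digging through Console.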