- Sell Tickets; 0. Transactional Consent Sun, May 2 from 11am - 1pm (Pacific) Consent Chat Sun, Sep 19 from 11am - 1pm (Pacific) Consent for Teachers.
- Stranger Things: The Drive-Into Experience Tickets. Stranger Things: The Drive-Into Experience with many well known hits turning on the nation to a great sound. After waiting so long, the Stranger Things: The Drive-Into Experience finally announced a new tour. Make sure you see them when they hit the road!
Kerberos on Mac OS X Frequently Asked Questions |
Download macOS Catalina for an all‑new entertainment experience. Your music, TV shows, movies, podcasts, and audiobooks will transfer automatically to the Apple Music, Apple TV, Apple Podcasts, and Apple Books apps where you’ll still have access to your favorite iTunes features, including purchases, rentals, and imports.
The following is a list of frequently asked questions about Kerberos on Mac OS X 10.2 and 10.3. Thisinformation is intended to assist users, support staff and developers who use Kerberos on the Macintosh.
This web page contains FAQs for Kerberos on Mac OS X 10.2 and later only. KfM FAQsfor other Mac OS versions are available here.
If you would like to suggest an addition to the FAQ, please send mail to [email protected]
Q: Who should I contact with questions about Kerberos on Mac OS X?
A: Generally, you should contact Apple Computer for support with Kerberos on Mac OS X if your questionis not answered here. See the Kerberos for Macintosh Support & Contact Info page for further information.
Q: What version of Kerberos should I use with Mac OS X?
A: Vector prospector mac os. Use the Kerberos for Macintosh that ships with the OS. This is the latest version- equivalent to KfM 5.5 in Mac OS X 10.4, KfM 5.0 in Mac OS X 10.3, and KfM 4.5 in Mac OS X 10.2.If you need Kerberos CFM support, download the Mac OS X Kerberos Extras.
Q: What parts of Kerberos are/are not included with Mac OS X?
A: The Kerberos included with Mac OS X 10.2 and later includes the Kerberos framework, command line tools,the GUI Kerberos management application (although it's hidden away in
/System/Library/CoreServices
), a Kerberoslogin authenticator, and support for Kerberos in various applications. The CFM support libraries are not included,but can be obtained by installing the Mac OS X Kerberos Extras,which will also put an alias to the Kerberos application in a more convenient location.No Kerberos configuration information is included with Mac OS X (and only a sample configuration file is included withthe Kerberos Extras), you must install a configuration for your site if your site does not have Kerberos auto-configuration/DNS setup(see below for more info).
Q: How do I configure Kerberos on Mac OS X for my site?
A: If your site does not have a Kerberos auto-configuration/DNS configuration (and in some cases, even if it does),you must copy or create a file called
edu.mit.Kerberos
in your /Library/Preferences
directory.If you are running KfM 5.5 (Mac OS X 10.4), the Kerberos application realms editor graphical interface can be used to edit the realms configuration. Your site may have a localized Kerberos installer that provides this configuration file, you should consult with yoursystem administrator(s) before attempting to create your own.The Kerberos configuration information (equivalent to the
krb5.conf
on other platforms) should be in the datafork of this file. We strongly recommend you read the Kerberos Preferences documentationif you are hand-editing this file.Q: Eudora, Fetch, and other CFM-based applications won't work with the Mac OS X Kerberos. What's wrong?
A: Mac OS X Kerberos as shipped does not include CFM support. To use the Mac OS X Kerberos withEudora, Fetch, and other existing CFM-based GUI applications, you should install either theMac OS X Kerberos Extras.
If you have just upgraded from an older Mac OS X to a newer version (such as from Mac OS X 10.1 to 10.2, or 10.2 to 10.3),you may need to install the latest Mac OS X Kerberos Extras even if you had Eudora and/or Fetch working previously. Note that you do not need to do this if upgrading from 10.3 ot 10.4.
Q: I installed the Mac OS X Kerberos Extras and now Eudora 5.1 won't work at all. What's up?
A: There is an issue with one of the Eudora plug-ins in Eudora 5.1 that causes this. The best way to fix thisis to upgrade to Eudora 5.2 or later.
If you cannot upgrade to Eudora 5.2 or later, do the following to fix this:in the Finder, bring up the Finder contextual menu by control-clicking on the Eudora application iconand select 'Show Package Contents'.When the window pops up with the Contents folders in it, navigate to the Eudora Stuff folder:
and remove the
UPPERlower Carbon
plug-in (drag it to the desktop or some other storage place).Close up the Eudora contents window and try again, Eudora should now work. Removing this plug-in removes theability to change the selected text to all lowercase, all uppercase, etc. from the Edit menu in Eudora. This bugwill be fixed in a future release of Eudora.Q: Where is the Kerberos GUI management application?
A: Mac OS X 10.2 and later do actually include the Kerberos management application, it's in
/System/Library/CoreServices
.You can either make an alias in a more convenient location, or use the Mac OS X Kerberos Extraswhich will make an alias to it in /Applications/Utilities
.Q: Is a Kerberized telnet and/or SSH client available for Mac OS X?
A: The Telnet that ships with Mac OS X 10.2 and later has Kerberos support. The SSH that ships with Mac OS X 10.3 and later hasKerberos support (we know of no Kerberized SSH solutions for Mac OS X 10.2).
Q: Is there a Kerberized ftp client available for Mac OS X?
A: Yes, Fetch from FetchSoftworkssupports both GSS and KClient (v4) connections on Mac OS X when the CFM support libraries are installed.This is the only Kerberized ftp client we are aware of at this time.
Q: Does Kerberos for Macintosh work with Windows Active Directory?
A: Yes, KfM will successfully authenticate against Windows ActiveDirectory acting as a KDC.
Q: I don't see the realm I need in the Authenticate to Kerberos dialog. How do I add new realms?
A: If the desired realm is not present in the Realms popup list, you can try typing itinto the Realm field. However, this will only work if you have a Kerberos configuration file(
edu.mit.Kerberos
) that already includes the realm, or your site is set up for auto-configuration/DNSresolution of Kerberos realms. If typing it in directly does not work, try the Edit Favorite Realms/Edit Realmsdialog in the Kerberos management application. If it's not there, see the next question.Q: I don't see the realm I need in the Edit Favorite Realms/Edit Realms dialog in Kerberos management application. How do I add new realms?
A: Your site may be configured for auto-configuration (DNS resolution of Kerberos realms. Ifthis is the case, and you are on Mac OS 10.2 or 10.3, you can just type your realm into the 'Add realm that has auto configuration' field of the Edit Favorite Realms dialog. If this does not work, you need to edit the
edu.mit.Kerberos
preferences file manually. See the Kerberos Preferences Documentation for information on how to do this. If you are running Mac OS X 10.4 you can use the graphicalEdit Realms dialog to add the realm configuration. Regardless of which version of Mac OS X you are using, you should consult your siteadministrator or help desk before adding new realms.Q: Can I use Kerberos for Macintosh behind a NAT (Network Address Translation)?
A: In some cases, yes. Kerberos 4 does not support addressless tickets, so no Kerberos 4 or KClient-usingapplication can be made to work behind a NAT. However, Kerberos 5 can be told to use addresslesstickets, which will allow Kerberos 5-using applications to work behind a NAT. However, applications thatuse the GSSAPI and require channel bindings, such as FTP, may still not work.
Mac OS X 10.3 and 10.4 get addressless tickets by default, although you can change this setting by setting the 'Get tickets without IP addresses' checkbox in the Authenticate to Kerberos dialog (click on the 'Show Options' button or choose 'Options..' from the pulldown menu to see this checkbox).
Mac OS X 10.3 and 10.4 get addressless tickets by default, although you can change this setting by setting the 'Get tickets without IP addresses' checkbox in the Authenticate to Kerberos dialog (click on the 'Show Options' button or choose 'Options..' from the pulldown menu to see this checkbox).
Mac Os Versions
In Mac OS X 10.2, can enable addressless tickets by adding the following line to the
libdefaults
section ofthe edu.mit.Kerberos
file:There is no GUI way to enable this feature in Mac OS X 10.2.
Q: Will there be a Kerberos system menu and floating window for Mac OS X?
A: Kerberos for Macintosh for Mac OS X includes equivalent functionality. The dock icon of theKerberos management application has a key that changes to show your ticket's status, can display thetime remaining of the current active user's tickets, and has a pop-up menu for commonly used Kerberos functions.
Q: Can I get a newer release of Kerberos for Mac OS X from MIT?
A: No, any updates to Kerberos for Mac OS X will come from Apple.
Q: How do I enable and use the Kerberos login authenticator in Mac OS X 10.2 and later?
A: See Apple's web page,Mac OS X 10.2: How to Enable Kerberos Authentication for Login Window.Apple wrote the authenticator, and MIT does not provide documentation or support for it. Please send any questions to Apple -see the Kerberos for Macintosh Support & Contact Info page.
Q: How can I uninstall/remove Kerberos for Macintosh?
A: On Mac OS X 10.2 and later, since Kerberos is an integral part of the OS, you should not attempt to remove it.
Q: Is source code for the Kerberos included with Mac OS X available?
A: Yes, source code is available for review from the AppleDarwin Kerberos page.
Q: Is source code for the Kerberos login authenticator available?
A: Please contact Apple with this request. Since Apple wrote the authenticator, MIT does nothave control over the source code.
Stranger Tickets Mac Os Catalina
[Home] [About Us] [People] [Information Systems]
[Kerberos for Macintosh] [Applications] [Miscellaneous Documentation]
[Kerberos for Macintosh] [Applications] [Miscellaneous Documentation]
Mac Os Catalina
Using the Kerberos Application on Mac OS X |
This web page has instructions for the Kerberos application for Mac OS X.
These instructions reflect the Kerberos application on Mac OS X 10.3. While the Kerberos application is similar on previous OS X releases, not all features described below may be available or located in the same place.
MIT users should consult the Kerberos for Macintosh at MITdocumentation, which reflects the currently supported version.
|
If you're not familiar with Kerberos authentication and terms such as Kerberos tickets, go to What Is Kerberos? to learn the concepts and terms. | |||||
| To open the Kerberos application: If you have installed the Mac OS X Kerberos Extras, go to the Applications folder, open the Utilities folder, and open the Kerberos icon. Otherwise, you will need to navigate to the /System/Library/CoreServices directory (use the Go To Folder.. item in the Finder's Go menu), and open the Kerberos icon from there. (You may want to run the Kerberos Extras or make your own alias in a more convenient location.) Result: The Kerberos application window is displayed. | |||||
|
| |||||
| Below the Active User box and the Renew Tickets, Destroy Tickets, and Change Password buttons is the ticket list. The ticket list shows all the principals that are currently authenticated in the current Mac OS X user's session. Each principal has a set of Kerberos tickets belonging to it. When you log in with Kerberos, you get a ticket-granting ticket which then allows you to get other tickets from other applications (also called services). Then for each application you run that requires Kerberos authentication, you get a service ticket. By default, the principals and their tickets appear as a summary line in the ticket list. The summary lines are in bold text. Each summary line has three elements:
Instead of a time, you may see either 'expired' or 'not valid' in the Time Remaining column. 'Expired' means that your tickets have no time remaining and so are no longer valid; 'not valid' means they are no longer valid for some other reason, usually because your Mac's IP address has changed since you obtained the tickets. In either case, you need to renew your tickets (although Kerberos for Macintosh will also prompt you automatically to renew if you try to use a service requiring Kerberos tickets). If you want to see details of tickets associated with each principal, click on the triangle at the left of the principal's summary line. The list will expand: In the expanded list, you will see a list of the tickets (credentials) belonging to that principal. If the principal is authenticated for both versions of Kerberos, the tickets are grouped by version underneath a subheading for each version (see picture above). If you always want the ticket list to display expanded entries, you can set the 'Always expand new ticket list entries' preference. See the Changing preferences section. You can display even more detailed information about each ticket using the Ticket Info window. See the Displaying ticket information section. | |||||
| The current, active user specifies which Kerberos username will be used for authentication when you work with an application that requires Kerberos authentication. If more than one Kerberos user is logged in, you may want to change the active user before using such an application. Use one of the following techniques to change the active user:
Result: The new active user is displayed in the Active User box and also appears underlined in the ticket list. | |||||
| To destroy tickets, select the boldfaced username line in the ticket list then click on the Destroy Tickets button, or choose Destroy Tickets from the Tickets menu. Result: The ticket entry is removed from the ticket list. If other Kerberos users are logged in, their usernames remain in the ticket list and their tickets are valid for the remaining time indicated. | |||||
| If your tickets have expired, or you want to extend the lifetime of existing tickets, you may want to renew your tickets. As of Mac OS X 10.3, Kerberos for Macintosh supports the 'renewable' property for tickets. If your site allows tickets to have this property, you can renew tickets up for a set amount of time without re-entering your password, as long as your current tickets are still valid (that is, haven't expired). By default, Kerberos for Macintosh tries to get tickets with the 'renewable' property; you can change this in the Kerberos Login dialog options or in the Kerberos application preferences. In fact, by default, the Kerberos application will automatically attempt to renew your tickets if you leave it running (you can close the main window for convenience). Once half your ticket's lifetime has expired, if it has the 'renewable' property, the Kerberos application will automatically issue a renew request for it. It will keep doing this up until the renewable time limit. You can control this behavior by checking or unchecking the 'Auto-renew renewable tickets' checkbox in the Kerberos application preferences. You can see if a ticket is renewable, and for how long, by using the ticket information window. See Displaying ticket information below. If your tickets are expired, or you choose not to use the auto-renew feature and want to renew your tickets before they expire, or your tickets do not support the 'renewable' property, use the Renew Tickets command.
| |||||
| If you are interested in more information about your Kerberos tickets, the Kerberos application can display detailed information about each ticket by using the Get Ticket Info command. To display detailed ticket information:
Result: The Ticket Info window appears: At the top of the ticket info window is the principal who owns the ticket, the service that the ticket was obtained for, and the Kerberos version of the ticket. The rest of the information is divided into several panes for easier reading: You can have more than one ticket info window open at once. | |||||
| You can change your Kerberos password by using the Change Password.. command. To change your password,
| |||||
| The Kerberos application's dock icon has several features to help you quickly determine the status of the active user's tickets and to manage your Kerberos tickets. Graphical ticket status & time remaining indicator
Kerberos Dock Menu
| |||||
| A default Kerberos realm is specified by the edu.mit.Kerberos configuration file (as distributed from MIT, this realm is ATHENA.MIT.EDU). When using the Kerberos application to log in, by default the Kerberos username and password entered are checked for authorization in this area of the network. You can add other realms, as described in this section, and change which one Kerberos Login uses by default. (For instructions on how to change the default realm, see Changing Preferences.) Other realms listed in the edu.mit.Kerberos configuration file can also be used for logging in, but must first be added to the list of 'favorite' realms which are displayed in the Kerberos Login dialog. You can do this one of two ways. First, you can type the realm you want directly into the Realm field/popup in the Kerberos Login dialog. This will only work if the realm is already in your Kerberos configuration file, or if your site is set up for auto/DNS resolution of Kerberos realms. If you are unsure if either of these are the case, or you try to add a realm this way and it doesn't work, consult your site administrator. Second, you can use the Edit Favorite Realms of the Kerberos application that provides the following options for making the other realms in the preferences available for use:
For information on adding new realm information to the Kerberos preferences file, see the Kerberos Preferences on Mac OS X Documentation. Kerberos for Macintosh does not provide a GUI way to add this information. Generally you should not have to do this, consult with your site administrator first! To add and remove realms,
| |||||
| You can make certain customizations to the Kerberos application by using the Preferences.. command. These customizations also affect the Kerberos Login dialog anytime another application brings it up.
|
Questions or comments? Send mail to [email protected]
Last updated on $Date: 2003/12/19 20:37:25 $
Last modified by $Author: smcguire $
Last updated on $Date: 2003/12/19 20:37:25 $
Last modified by $Author: smcguire $