Enabling Kerberos authentication at the Login Window for Mac OS X 10.5 Leopard

The following steps enable Kerberos tickets to be obtained upon login. If you set your local short name to match your Duke NetID, you can authenticate using either your local password or your Duke NetID password.

Configure Kerberos

  1. Put edu.mit.Kerberos in /Library/Preferences/.
  2. Launch the Kerberos utility located in /System/Library/CoreServices.
  3. Click the icon labeled "New".
  4. Enter your Duke NetID and password. The realm should default to ACPUB.DUKE.EDU. If it doesn't, click the pop-up menu to select it.
  5. If successful, you should now see tickets listed in the window.

Configure the login window authentication

  1. Launch the Terminal application located in /Applications/Utilities.
  2. Enter cd /etc.
  3. Enter sudo cp authorization authorization.orig (this makes a backup of your authorization file so you can restore the file if necessary).
  4. Enter sudo nano /etc/authorization.
  5. Find (Control-w) the <key>system.login.console</key> section. Look for the mechanisms section as shown below:
            <key>mechanisms</key>
                <array>
                      <string>builtin:smartcard-sniffer,privileged</string>
                      <string>loginwindow:login</string>
                      <string>builtin:reset-password,privileged</string>
                      <string>builtin:auto-login,privileged</string>
                      <string>builtin:authenticate,privileged</string>      <-- THIS WILL BE REPLACED
                      <string>HomeDirMechanism:login,privileged</string>
                      <string>HomeDirMechanism:status</string>
                      <string>MCXMechanism:login</string>
                      <string>loginwindow:success</string>
                      <string>loginwindow:done</string>
                </array>
  6. Replace the line <string>builtin:authenticate,privileged</string> (marked above) with <string>builtin:krb5authnoverify,privileged</string>. The mechanisms section should now look like this:
            <key>mechanisms</key>
                <array>
                      <string>builtin:smartcard-sniffer,privileged</string>
                      <string>loginwindow:login</string>
                      <string>builtin:reset-password,privileged</string>
                      <string>builtin:auto-login,privileged</string>
                      <string>builtin:krb5authnoverify,privileged</string>      <-- REPLACED
                      <string>HomeDirMechanism:login,privileged</string>
                      <string>HomeDirMechanism:status</string>
                      <string>MCXMechanism:login</string>
                      <string>loginwindow:success</string>
                      <string>loginwindow:done</string>
                </array>
  7. Press Control-o to save changes, Enter to confirm the save, and Control-x to exit nano.

These changes take effect immediately. You can test them by logging out, then back into the computer using your Duke NetID password. Launch the Kerberos program located in /System/Library/CoreServices and verify you received tickets upon login.
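
The edit in steps 3 to 7 can also be scripted. The following is an added example, not part of the original instructions: it makes the same backup, replaces the mechanism only inside system.login.console, and writes nothing unless exactly one line changed. The function names, the example.other.right entry and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): steps 3-7 done non-interactively.
OLD='builtin:authenticate,privileged'
NEW='builtin:krb5authnoverify,privileged'

# Print file $1 with OLD replaced by NEW, but only inside the mechanisms
# array of system.login.console. Exit status is 0 only if one line changed.
swap_login_mechanism() {
    awk -v old="<string>$OLD</string>" -v new="<string>$NEW</string>" '
        /<key>system\.login\.console<\/key>/ { in_right = 1 }
        in_right && /<key>mechanisms<\/key>/ { in_mechs = 1 }
        in_mechs && (i = index($0, old)) {
            $0 = substr($0, 1, i - 1) new substr($0, i + length(old)); n++
        }
        in_mechs && /<\/array>/ { in_right = in_mechs = 0 }
        { print }
        END { exit (n == 1 ? 0 : 1) }
    ' "$1"
}

# Back up once to FILE.orig (as in step 3), then apply the change.
# On any failure FILE is left untouched and the status is non-zero.
patch_authorization() {
    file=$1
    [ -f "$file.orig" ] || cp -p "$file" "$file.orig" || return 1
    # Overwrite in place with cat so the file keeps its owner and mode.
    swap_login_mechanism "$file" > "$file.new" && cat "$file.new" > "$file"
    status=$?
    rm -f "$file.new"
    return $status
}

# Constructed sample: a cut-down fragment, not a real /etc/authorization.
# "example.other.right" is a hypothetical right that must stay unchanged.
write_sample() {
    cat > "$1" <<'EOF'
<key>example.other.right</key>
<key>mechanisms</key>
<array>
    <string>builtin:authenticate,privileged</string>
</array>
<key>system.login.console</key>
<key>mechanisms</key>
<array>
    <string>builtin:auto-login,privileged</string>
    <string>builtin:authenticate,privileged</string>
    <string>HomeDirMechanism:login,privileged</string>
</array>
EOF
}
```

Try it on a copy of the file first. A second run returns non-zero and changes nothing, because the line has already been replaced.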