Configuring the Macintosh to use Kerberos for authentication with Red Hat Enterprise IPA is a two-step process: first, Kerberos must be correctly installed and configured, and second, Kerberos authentication must be enabled.
Ensure that /System/Library/CFMSupport/Kerberos is version 4.2 or higher. If that directory does not exist or is the wrong version, install the Kerberos Extras support.
Launch /System/Library/Coreservices/Kerberos.
From the Edit menu, choose Edit Realms.
On the Settings tab, enter the IPA server's Kerberos realm (for example, EXAMPLE.COM).
On the Servers tab, two entries are listed (a kdc entry and an admin entry). Leave both entries in place and replace the hostname in each with the IPA server's hostname (for example, ipaserver.example.com):
kdc ipaserver.example.com 88
admin ipaserver.example.com 749
On the Domains tab, replace the existing domains with the IPA server's actual domain (such as example.com):
.example.com
example.com
Click Make default, and then close the Kerberos tool. This creates the files you need, but as they may not be 100% correct, it is recommended that you verify them manually.
The /Library/Preferences/edu.mit.kerberos file should look similar to the following. Remember to replace the example.com settings with your own IPA server name, Kerberos realm and domain details.
[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes
[realms]
    EXAMPLE.COM = {
        admin_server = ipaserver.example.com:749
        default_domain = example.com
        kdc = ipaserver.example.com:88
    }
The Kerberos configuration specifies the realm and domain details and the default ticket attributes. Forwardable tickets are enabled by default, which allows connection to the administration interface from any operating system and also provides for auditing of administration operations.
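Because the Kerberos tool's generated file should be verified by hand, the following added example (not part of the original documentation or of IPA) parses a file in this format and reports the mistakes most likely to break authentication: a default_realm or a [domain_realm] mapping that points at a realm not defined in [realms] (for example, a realm name written with a leading dot), and a kdc or admin_server entry that is missing or not on the expected port. The realm and hostname are the page's placeholders, and the function names parse_krb5 and check_krb5 are chosen here.

```python
# Constructed sample: the edu.mit.kerberos file described above, using the
# page's placeholder realm and hostname (not a real server).
SAMPLE_CONFIG = """[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
[libdefaults]
    default_realm = EXAMPLE.COM
    forwardable = yes
[realms]
    EXAMPLE.COM = {
        admin_server = ipaserver.example.com:749
        kdc = ipaserver.example.com:88
    }
"""

def parse_krb5(text):
    """Parse krb5.conf-style text into {section: {key: value or dict}},
    including the one-level `name = { ... }` nesting used in [realms]."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None                       # end of a realm block
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf

def check_krb5(text):
    """Return the problems to fix before enabling Kerberos authentication."""
    conf = parse_krb5(text)
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm")
    problems = [] if default in realms else [f"default_realm {default!r} not in [realms]"]
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:  # catches a stray leading dot, e.g. '.EXAMPLE.COM'
            problems.append(f"{domain} maps to unknown realm {realm!r}")
    for name, settings in realms.items():
        for key, port in (("kdc", "88"), ("admin_server", "749")):
            host = settings.get(key, "")   # a bare hostname uses the default port
            if not host or ":" in host and host.rsplit(":", 1)[1] != port:
                problems.append(f"realm {name}: {key} should be host:{port}, got {host!r}")
    return problems
```

Run check_krb5 on the contents of /Library/Preferences/edu.mit.kerberos; an empty list means the file passes these checks.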