PennKey Authentication and PennGroups Authorization for Mac OS

From Provider Wiki


Configuring Kerberos Authentication and PennID Translation for Mac OS 10.6.x

NOTE: THIS IS A WORK IN PROGRESS!!! This method is currently in a test phase and under review.

Introduction

This document lists the configuration steps necessary to configure a standalone Mac computer to allow for:
1. PennKey Authenticated logons for all active PennKey holders
2. A unique user account mapping (UID) based on the PennID number of the user
3. A dedicated local home directory based on the PennName of the user

Why would I need to do this?

This method can be used to grant network-based login with PennKey authentication to Macintosh workstations that are not bound to an Active Directory or Open Directory system. It is ideal in situations where Macs reside in a public lab, classroom or kiosk area and must allow all Penn students, faculty and staff secure, authenticated access to the local computer and to Penn's network and resources.

Overview

Once configured in this manner, the system authenticates PennKey holders against Penn's MIT KDC (Key Distribution Center) using native Kerberos V5. Once authenticated, the system connects to the PennGroups directory via secure LDAP using a pre-configured service account and performs a PennName (PennKey username) to PennID (PennID number) translation. Macs require a unique UID (user identifier) to generate a properly configured home directory and user permissions. The PennID is mapped to the UID and the user is authorized to log in. Because PennID numbers are unique, the generated account is unique and inherits the proper POSIX permissions.

Caveats

1. Configuring a Macintosh system to use this method of authentication will allow ANYONE with a valid PennKey to logon to the computer. If this is not your desired behavior, then do not use this method.
2. This has been tested for 10.6.4 and implemented on SAS public computers for the 2010C term. Use at your own discretion or risk on other versions of Mac OS.
3. Your system must always be connected to the network with a valid IP address. If you do not have a connection, even local accounts will have a hard time logging in, as the system keeps trying to contact the PennGroups directory.

Prerequisites

1. You must contact your school or center Kerberos Administrator and have a principal created that will be used as a "service account" that will be configured to access PennGroups via secure LDAP. This account can be used on all of the machines that need to use this logon method.

2. The principal created must then be authorized by the PennGroups team. See here [1] for more information.

3. You must install Kerberos for Macintosh, available from the PennConnect DVD or Penn Computing site.

4. I strongly encourage you to back up your system before attempting the configuration changes below. Mucking up the changes to the /etc/authorization file can prevent you from logging into your computer!

5. Patience! This is somewhat involved, and you will need to pay good attention to the details. I have taken many screenshots to illustrate the steps, but just be sure to follow the directions carefully.



Part ONE

Install Kerberos for Mac (even if you have done so before!)


    Launch Terminal and enter the command sudo nano /Library/Preferences/edu.mit.Kerberos to view the contents of the file and make sure that the contents appear as below

    Image:klam01.png


Part TWO

Setup the Mac Login Window for Kerberos Authentication


    Configure /etc/authorization
    Launch Terminal and type sudo nano /etc/authorization
    Navigate to the system.login.console section and change "<string>builtin:authinternal</string>" to "<string>builtin:krb5authnoverify,privileged</string>" (note the spelling of privileged; the mechanism name must match exactly) as shown below
    Image:klam02.png

    Save the changes and then exit.
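Because a bad edit to /etc/authorization locks you out, it is worth making the change with a backup and a check that only the intended line moved. The script below is an added example, not from this page: patch_login_console restricts the replacement to the system.login.console right and reverts unless exactly one line changed; sample_authorization writes a constructed plist fragment for trying it out, and the function name and the "no nested dict inside the rule" assumption are mine.

```shell
# Added example (not from the wiki page): apply the Part TWO change with a
# timestamped backup, restricted to the system.login.console right so that
# any other right listing builtin:authinternal is left alone. Reverts unless
# exactly one line changed. Assumes, as in 10.6, no nested <dict> in the rule.
# Usage on the Mac, as root: patch_login_console /etc/authorization
patch_login_console() {
    file="$1"
    backup="$file.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$file" "$backup" || return 1
    # Rewrite only between <key>system.login.console</key> and the next </dict>.
    awk '
        /<key>system\.login\.console<\/key>/ { inrule = 1 }
        inrule && /<string>builtin:authinternal<\/string>/ {
            sub(/builtin:authinternal/, "builtin:krb5authnoverify,privileged")
        }
        inrule && /<\/dict>/ { inrule = 0 }
        { print }
    ' "$backup" > "$file" || { cp -p "$backup" "$file"; return 1; }
    changed=$(diff "$backup" "$file" | grep -c '^>' || true)
    if [ "$changed" -ne 1 ]; then
        echo "expected one changed line, got $changed; restoring backup" >&2
        cp -p "$backup" "$file"
        return 1
    fi
    echo "patched $file (backup: $backup)"
}

# Constructed plist fragment (not a real 10.6 /etc/authorization): two rights
# that both list builtin:authinternal; only the console one must change.
sample_authorization() {
    cat > "$1" <<'EOF'
<dict>
    <key>system.login.console</key>
    <dict>
        <key>mechanisms</key>
        <array>
            <string>builtin:auth-login,privileged</string>
            <string>builtin:authinternal</string>
            <string>loginwindow:success</string>
        </array>
    </dict>
    <key>system.login.tty</key>
    <dict>
        <key>mechanisms</key>
        <array><string>builtin:authinternal</string></array>
    </dict>
</dict>
EOF
}
```

Running it a second time on an already patched file finds nothing to change and leaves the file as it was.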


Part TWO point 5

This step is necessary for 10.6.4; some other versions of the OS apparently work without this modification, but 10.6.4 does not. Please review the following documentation to understand the impact of the change you will make here. Please note that following the instructions in these documents did NOT work for me, hence the workaround listed below:
http://support.apple.com/kb/HT4183
http://www.afp548.com/article.php?story=20071203011158936

In order to make this work do the following:
Launch Terminal again and enter the command sudo nano /etc/openldap/ldap.conf
You will need to edit the line that reads TLS_REQCERT DEMAND and change DEMAND to NEVER and then save and exit.

It is puzzling why Apple's own instructions for the workaround do not suffice, so you will need to do as above. Please note that this poses a minimal security risk: if a server tried to spoof PennGroups with an invalid certificate, your system would not validate the certificate. With TLS_REQCERT set to NEVER the LDAP session is still encrypted, but the client no longer checks which server it is talking to, so the service account's bind password is sent to whichever host answers for penngroups.upenn.edu. How likely is this to occur? I would say that it isn't, and the benefit of having a secure logon for these Macs greatly outweighs the risks associated with this configuration. But again, please read the docs!
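To keep track of which machines still carry the workaround, the functions below (an added example, not part of this page) read the TLS_REQCERT value from an ldap.conf-style file and flag the values under which the server certificate is not verified; the two write_* functions produce constructed sample files, one with the page's NEVER setting and one with the verifying DEMAND setting plus a placeholder TLS_CACERT path for the CA that issued the PennGroups certificate (the path is an assumption, not from the page).

```shell
# Added example (not from the wiki page): report the effective TLS_REQCERT
# setting of an OpenLDAP client config such as /etc/openldap/ldap.conf and
# flag values that stop the client from verifying the server certificate.
# Usage: check_tls_reqcert /etc/openldap/ldap.conf

# Value of the last uncommented TLS_REQCERT line, lower-cased (assumption:
# the last occurrence wins); "demand" is OpenLDAP's default when unset.
tls_reqcert_value() {
    awk 'toupper($1) == "TLS_REQCERT" { v = tolower($2) }
         END { print (v == "" ? "demand" : v) }' "$1"
}

# 0 if the client still verifies the server certificate, 1 otherwise.
# "never" (the Part TWO point 5 workaround) and "allow" accept any
# certificate; "try" accepts a missing one.
check_tls_reqcert() {
    v=$(tls_reqcert_value "$1")
    case "$v" in
        demand|hard)     echo "$1: TLS_REQCERT $v - server certificate verified"; return 0 ;;
        never|allow|try) echo "$1: TLS_REQCERT $v - server certificate NOT verified"; return 1 ;;
        *)               echo "$1: TLS_REQCERT $v - unknown value"; return 1 ;;
    esac
}

# Constructed sample files (not copied from any real system).
write_workaround_conf() {   # what this page's workaround leaves behind
    printf '%s\n' '# /etc/openldap/ldap.conf after the workaround' \
        'BASE dc=upenn,dc=edu' 'TLS_REQCERT never' > "$1"
}
write_verified_conf() {     # the setting to return to once the issuing CA is trusted
    printf '%s\n' 'BASE dc=upenn,dc=edu' \
        '# placeholder path: the CA bundle that signed the PennGroups certificate' \
        'TLS_CACERT /path/to/penngroups-ca.pem' 'TLS_REQCERT demand' > "$1"
}
```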

Part THREE

Configure Directory Access


    Access to the Directory Utility has changed in 10.6.
  1. You must open System Preferences, click on Accounts, and then select Login Options. Notice the Network Account Server setting to the right, and click the Join button.
    Image:klam03.png

  2. A box will appear asking you to specify a server, but just click Open Directory Utility and the following will appear

    Image:klam04.png

  3. Check the box for LDAPv3 and then click the edit box below and a new window will appear. Click on New then click Manual then click Edit. Under the Connections tab, enter the information as shown in the box below

    Image:klam18.png
    1. name the configuration PennGroups
    2. enter the server name penngroups.upenn.edu
    3. check the box Encrypt using SSL


    Leave the rest as defaults and then click on Search and Mappings at the top

    1. In the dropdown box next to Access this LDAPv3 server... select Custom


      Image:klam05.png


    2. Select the Default Attribute Types, then click Add
      Select Attribute Types then select the RecordName attribute and click OK


      Image:klam06.png


    3. Highlight the RecordName attribute and click the Add button below 'Map to items in list' and enter the value pennname as shown below

      Image:klam07.png


      Now you will add Record Types.
    1. Click on the Add button below Record Types and Attributes, select Record Types, then select Users


      Image:klam08.png

    2. Select the Users record type you just added and click the Add button that is located under the right pane (Map to 'any' items in list)
    3. Add the value pennidTranslation and
    4. Set the Search base for the Users record type: ou=pennnames,dc=upenn,dc=edu and select Search in all subtrees as shown below

      Image:klam09.png


      Now you will add several attributes for the User Record type. Click Add and select Attribute types and add the following (use command click to select multiple, and be sure to select them in the proper order):

      1. AuthenticationAuthority
      2. HomeDirectory
      3. NFSHomeDirectory
      4. PrimaryGroupID
      5. RealName
      6. RecordName
      7. UniqueID
      8. UserShell


      Image:klam10.png


    1. Now set the values for the attributes just added (some are illustrated below); they should be as follows:

      1. AuthenticationAuthority = pennname
        Image:klam11.png
      2. HomeDirectory = #/Users/$pennname$ and NFSHomeDirectory = #/Users/$pennname$
        Image:klam12.png
      3. PrimaryGroupID = #20 (Group ID can be any group you choose, I chose "staff")
      4. RealName = cn
      5. RecordName = pennname
      6. UniqueID = pennid (this is the key to this whole solution!)
        Image:klam16.png
      7. UserShell = #/bin/bash
        Image:klam17.png


        Once finished, click on Security at the top (almost finished!)
      1. check the box to Use authentication when connecting
      2. enter the Distinguished Name of the principal (service account) that has been setup (see the prereqs) in the format uid=<principal>,ou=entities,dc=upenn,dc=edu
        for example:
        uid=mac-login/sas.upenn.edu,ou=entities,dc=upenn,dc=edu
      3. and enter the password for that account, as shown below
        Image:klam20.png

        VERY IMPORTANT: Make sure to check Disable clear text passwords and Encrypt all packets. These options might be grayed out until you actually click OK and save the whole configuration, so be sure to go back in afterwards and check that they are selected.
      4. Finally, click OK; you will be prompted for admin credentials to save the settings. When you are returned to the Directory Utility window, click on Search Policy at the top. Make sure the Authentication button is selected and, for the Search option, select Custom Path, then click the plus (+) to add the LDAP directory, which should be available for you to select as shown below. Click Apply, and you are finished!
        Image:klam19.png

Restart the system, and you can now log in with a PennKey.

You can also test functionality by launching Terminal and using the id command. For instance, id albertm will return the PennID number for albertm, which has been mapped to the internal UID of the Mac OS system. Since PennIDs are unique, so is the UID. Please provide me with feedback or comments if you have trouble. This document will be updated for better formatting (looks).
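Before restarting, the bind and the lookup can be checked from Terminal with ldapsearch against the same server, base and service account DN configured above; the functions below are an added example, not from this page, that apply the Part THREE attribute map to one returned LDIF record and reject a pennid that is missing, non-numeric, or inside the local account UID range (assumed to start at 501). The ldapsearch invocation in the comment, the function names and the sample record in sample_ldif are mine.

```shell
# Added example (not from the wiki page): apply the Part THREE attribute map
# to one LDIF record, as returned on the Mac by, for instance:
#   ldapsearch -H ldaps://penngroups.upenn.edu \
#     -D 'uid=mac-login/sas.upenn.edu,ou=entities,dc=upenn,dc=edu' -W \
#     -b ou=pennnames,dc=upenn,dc=edu '(pennname=albertm)' pennname pennid cn
# and print the user record the Mac will build (UniqueID = pennid, home
# under /Users/<pennname>). Rejects a record whose pennid is missing or not
# numeric, or sits in the local account UID range (assumed to start at 501).
map_record() {   # reads the LDIF on stdin
    awk '
        # plain "attr: value" lines; base64 "attr:: value" lines are not handled
        /^pennname: / { pennname = substr($0, 11) }
        /^pennid: /   { pennid = substr($0, 9) }
        /^cn: /       { cn = substr($0, 5) }
        END {
            if (pennname == "" || pennid !~ /^[0-9]+$/ || pennid + 0 < 501) {
                print "rejected: pennname=" pennname " pennid=" pennid > "/dev/stderr"
                exit 1
            }
            print "RecordName: " pennname
            print "RealName: " cn
            print "UniqueID: " pennid
            print "PrimaryGroupID: 20"
            print "HomeDirectory: /Users/" pennname
            print "NFSHomeDirectory: /Users/" pennname
            print "UserShell: /bin/bash"
            print "AuthenticationAuthority: " pennname
        }'
}

# UID the Mac will assign for the record on stdin; prints nothing if rejected.
record_uid() { map_record 2>/dev/null | awk '/^UniqueID: / { print $2 }'; }

# Constructed sample record (not a real PennGroups entry).
sample_ldif() {
    printf '%s\n' 'dn: pennname=jdoe,ou=pennnames,dc=upenn,dc=edu' \
        'pennname: jdoe' 'pennid: 12345678' 'cn: Jane Doe' ''
}
```

The UID printed by record_uid is what id <pennname> should report after the restart.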

Referenced Links

Open Directory Programming Guide
Configuring Mac OS X LDAP Authorization for Leopard (Mac OS X 10.5.x)
Logging in to Mac OS X using Kerberos and LDAP


written by albertm at sas.upenn.edu 07/23/2010, last updated 08/31/2010