On Jul 15, 2010, at 10:24 AM, John Daly wrote:
I’ve asked this question in many other forums, and so far have never got an answer. Maybe since this is dedicated to smartcard services, someone here will know.
Has anyone ever managed to get Open Directory Network accounts to work with CAC login? If so, how? My system is fully kerberized with single sign-on for most things, so if I can just get the CAC to work for login then all the kerberized services should allow the CAC to work for single sign-on for all my Mac services. I have Mac OS X Server 10.5.8 (can’t go to 10.6 until I can justify and fund new hardware).
Thank you,
John
-- John Daly
Apple Certified Technical Coordinator
Sysadmin 474300D
John,
As I just noted to Bram, you need to just do the following for SSO with CAC at Login (PKINIT).
Mac OS X 10.6.3 has PKINIT support built in, but you need to make some very minor config changes to fully enable it for Login. I will attempt to get draft instructions up very soon.
Add PKINIT information to /etc/authorization file
Please make sure to make a backup of the /etc/authorization file before you make any changes as a misconfigured version of this file may prevent the system from booting. A backup of the authorization file could be done with the following command:
cp /etc/authorization /etc/authorization_original_`date +%M-%H-%m-%d-%y`
Edit the /etc/authorization file to add <string>PKINITMechanism:auth,privileged</string> below <string>MCXMechanism:login</string> as in the example below. This could be done with a defaults command or PlistBuddy.
<key>system.login.console</key>
<dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>comment</key>
    <string>Login mechanism based rule. Not for general use, yet.</string>
    <key>mechanisms</key>
    <array>
        <string>builtin:smartcard-sniffer,privileged</string>
        <string>loginwindow:login</string>
        <string>builtin:reset-password,privileged</string>
        <string>builtin:auto-login,privileged</string>
        <string>builtin:authenticate,privileged</string>
        <string>loginwindow:success</string>
        <string>HomeDirMechanism:login,privileged</string>
        <string>HomeDirMechanism:status</string>
        <string>MCXMechanism:login</string>
        <string>PKINITMechanism:auth,privileged</string>
        <string>loginwindow:done</string>
    </array>
</dict>
Test to verify PKINIT is working
First, insert your smart card into the reader. Run the following command to verify that PKINIT is working:
/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise
If the command works, you should be prompted for a PIN. You can verify that you have a Kerberos ticket by opening Keychain Access and going to Ticket Viewer or by going to Terminal and typing klist.
-Shawn
__________________________________________________
MacOSForge Project Lead: Smart Card Services
__________________________________________________
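The /etc/authorization edit described in Shawn's reply, as an added example that is not part of the thread: it uses Python's plistlib instead of the defaults/PlistBuddy route he mentions, inserts PKINITMechanism:auth,privileged directly after MCXMechanism:login, backs the file up first, and refuses to duplicate the entry on a second run. It assumes /etc/authorization has the usual top-level "rights" and "rules" dicts; the sample plist is constructed from the mechanisms array quoted above, and only patch_file touches the real file.

```python
import plistlib
import shutil
import time

RULE = "system.login.console"
ANCHOR = "MCXMechanism:login"
NEW_MECH = "PKINITMechanism:auth,privileged"

# Constructed sample (not a real /etc/authorization): the mechanisms array
# quoted in the thread, before PKINITMechanism is added.
SAMPLE_RIGHTS = {RULE: {"class": "evaluate-mechanisms", "mechanisms": [
    "builtin:smartcard-sniffer,privileged", "loginwindow:login",
    "builtin:reset-password,privileged", "builtin:auto-login,privileged",
    "builtin:authenticate,privileged", "loginwindow:success",
    "HomeDirMechanism:login,privileged", "HomeDirMechanism:status",
    "MCXMechanism:login", "loginwindow:done"]}}

def sample_authorization_bytes():
    """Serialise the constructed sample in the assumed top-level shape of
    /etc/authorization: a 'rights' dict and a 'rules' dict."""
    return plistlib.dumps({"rights": SAMPLE_RIGHTS, "rules": {}})

def add_pkinit_mechanism(rights):
    """Insert NEW_MECH right after ANCHOR; idempotent, raises if either is missing."""
    mechs = list(rights[RULE]["mechanisms"])
    if NEW_MECH not in mechs:
        mechs.insert(mechs.index(ANCHOR) + 1, NEW_MECH)
    rights[RULE]["mechanisms"] = mechs
    return mechs

def patch_plist(raw):
    """Parse plist bytes, patch the login rule, and return the re-serialised plist."""
    data = plistlib.loads(raw)
    add_pkinit_mechanism(data["rights"])
    return plistlib.dumps(data)

def mechanisms_of(raw):
    """Return the mechanisms list of RULE from plist bytes (for verification)."""
    return plistlib.loads(raw)["rights"][RULE]["mechanisms"]

def patch_file(path="/etc/authorization"):
    """Back the file up first (as the thread advises), then patch it in place."""
    backup = f"{path}_original_{time.strftime('%Y-%m-%d-%H%M')}"
    shutil.copy2(path, backup)
    with open(path, "rb") as fh:
        patched = patch_plist(fh.read())
    with open(path, "wb") as fh:
        fh.write(patched)
    return backup
```

Run patch_file() as root only after checking the result of patch_plist() on a copy, since a malformed /etc/authorization can stop the system from booting.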