Thank you Shawn,

Now I have just two more questions: Do we have to do anything on the server side besides just adding the CAC card ID hash to the user's authorization attributes on the network account on the server? Is there a way to make this work on 10.5? A fair percentage of our systems are still PowerPC, and while we're upgrading as fast as the budget will allow, we haven't even gotten rid of all the G4s yet, let alone G5s. Also, does the server have to be at 10.6? Both my servers are PowerPC. This makes a 10.6 solution impossible.

Thank you,
John

On 7/21/10 12:44 PM, "Shawn Geddis" <geddis@mac.com> wrote:
On Jul 15, 2010, at 10:24 AM, John Daly wrote:
I've asked this question in many other forums, and so far have never got an answer. Maybe since this is dedicated to smartcard services, someone here will know.
Has anyone ever managed to get Open Directory Network accounts to work with CAC login? If so, how? My system is fully kerberized with single sign-on for most things, so if I can just get the CAC to work for login then all the kerberized services should allow the CAC to work for single sign-on for all my Mac services. I have Mac OS X Server 10.5.8 (can't go to 10.6 until I can justify and fund new hardware).
Thank you, John -- John Daly Apple Certified Technical Coordinator Sysadmin 474300D
John,
As I just noted to Bram, you need to just do the following for SSO with CAC at Login (PKINIT).
Mac OS X 10.6.3 has PKINIT support built in, but you need to make some very minor config changes to fully enable for Login. I will attempt to get draft instructions up very soon.
Add PKINIT information to /etc/authorization file
Please make sure to make a backup of the /etc/authorization file before you make any changes as a misconfigured version of this file may prevent the system from booting. A backup of the authorization file could be done with the following command:
cp /etc/authorization /etc/authorization_original_`date +%M-%H-%m-%d-%y`
Edit the /etc/authorization file to add <string>PKINITMechanism:auth,privileged</string> below <string>MCXMechanism:login</string> as in the example below. This could be done with a defaults command or PlistBuddy.
<key>system.login.console</key>
<dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>comment</key>
    <string>Login mechanism based rule. Not for general use, yet.</string>
    <key>mechanisms</key>
    <array>
        <string>builtin:smartcard-sniffer,privileged</string>
        <string>loginwindow:login</string>
        <string>builtin:reset-password,privileged</string>
        <string>builtin:auto-login,privileged</string>
        <string>builtin:authenticate,privileged</string>
        <string>loginwindow:success</string>
        <string>HomeDirMechanism:login,privileged</string>
        <string>HomeDirMechanism:status</string>
        <string>MCXMechanism:login</string>
        <string>PKINITMechanism:auth,privileged</string>
        <string>loginwindow:done</string>
    </array>
</dict>
Test to verify PKINIT is working
First, insert your smart card into the reader. Run the following command to verify that PKINIT is working:
/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise
If the command works, you should be prompted for a PIN. You can verify that you have a Kerberos ticket by opening Keychain Access and going to Ticket Viewer or by going to Terminal and typing klist.
-Shawn
__________________________________________________ Shawn Geddis geddis@mac.com Security Consulting Engineer geddis@apple.com
MacOSForge Project Lead: Smart Card Services Web: http://smartcardservices.macosforge.org/ Lists: http://lists.macosforge.org/mailman/listinfo __________________________________________________
-- John Daly Apple Certified Technical Coordinator Sysadmin 474300D
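The /etc/authorization edit Shawn describes (backup first, then insert PKINITMechanism:auth,privileged directly after MCXMechanism:login in the mechanisms array of system.login.console) is easy to get subtly wrong by hand, and a malformed file can keep the machine from booting. Below is an added example, not code from the thread or from Apple, that performs the edit with Python's plistlib instead of PlistBuddy: it refuses to overwrite an existing backup, refuses to write anything if the right or the anchor mechanism is missing, is idempotent on re-run, and offers a check you can run afterwards. It assumes /etc/authorization has the usual top-level "rights" dictionary wrapping the snippet quoted in the mail; the function names, the backup naming and the sample plist are constructed for this example.

```python
# Added example (not from the original thread): insert the PKINIT mechanism into
# an /etc/authorization-style plist with plistlib, keeping a backup, refusing to
# touch a file that does not have the expected shape, and staying idempotent.
import copy
import os
import plistlib
import shutil
import time

PKINIT_MECH = "PKINITMechanism:auth,privileged"
ANCHOR_MECH = "MCXMechanism:login"
LOGIN_RIGHT = "system.login.console"


def add_pkinit_mechanism(auth):
    """Return (new_dict, changed).

    Inserts PKINIT_MECH directly after ANCHOR_MECH in the mechanisms array of the
    login right, exactly as in the mail. The input dict is left untouched.
    Raises KeyError/ValueError if the right or the anchor is absent, so a file
    with an unexpected layout is never rewritten.
    """
    new = copy.deepcopy(auth)
    mechs = new["rights"][LOGIN_RIGHT]["mechanisms"]   # assumed top-level "rights" key
    if PKINIT_MECH in mechs:
        return new, False
    mechs.insert(mechs.index(ANCHOR_MECH) + 1, PKINIT_MECH)
    return new, True


def pkinit_enabled(auth):
    """True iff PKINIT_MECH sits immediately after ANCHOR_MECH (post-edit check)."""
    mechs = auth.get("rights", {}).get(LOGIN_RIGHT, {}).get("mechanisms", [])
    if ANCHOR_MECH not in mechs:
        return False
    i = mechs.index(ANCHOR_MECH) + 1
    return i < len(mechs) and mechs[i] == PKINIT_MECH


def patch_authorization_file(path):
    """Back up `path`, patch it, and return (backup_path, changed).

    The backup name follows the mail's convention (path_original_<timestamp>)
    but never overwrites an existing backup, so re-running within the same
    second cannot replace the pristine copy with an already-patched one.
    """
    backup = "%s_original_%s" % (path, time.strftime("%Y-%m-%d-%H%M%S"))
    if os.path.exists(backup):
        raise RuntimeError("backup %s already exists; refusing to overwrite" % backup)
    shutil.copy2(path, backup)
    with open(path, "rb") as f:
        auth = plistlib.load(f)
    new, changed = add_pkinit_mechanism(auth)   # raises before any write if malformed
    if changed:
        with open(path, "wb") as f:
            plistlib.dump(new, f)
    return backup, changed


# Constructed sample mirroring the mechanisms list quoted in the mail, before the
# edit. A real /etc/authorization also carries "comment" and "rules" keys; only
# "rights" matters for this change.
SAMPLE_AUTH = {
    "rights": {
        LOGIN_RIGHT: {
            "class": "evaluate-mechanisms",
            "comment": "Login mechanism based rule. Not for general use, yet.",
            "mechanisms": [
                "builtin:smartcard-sniffer,privileged",
                "loginwindow:login",
                "builtin:reset-password,privileged",
                "builtin:auto-login,privileged",
                "builtin:authenticate,privileged",
                "loginwindow:success",
                "HomeDirMechanism:login,privileged",
                "HomeDirMechanism:status",
                "MCXMechanism:login",
                "loginwindow:done",
            ],
        }
    }
}

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/authorization"
    backup_path, did_change = patch_authorization_file(target)
    with open(target, "rb") as fh:
        ok = pkinit_enabled(plistlib.load(fh))
    print("backup: %s  changed: %s  pkinit mechanism in place: %s" % (backup_path, did_change, ok))
```

Run it as root against the real file (sudo python3 thisfile.py), or against a copy first to inspect the result with plutil or a diff against the backup; if it raises KeyError or ValueError the file did not contain the expected right or anchor and nothing was written.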