[SmartcardServices-Users] CAC and Mac OS X Server
Shawn A. Geddis
geddis at mac.com
Wed Jul 21 12:44:50 PDT 2010
On Jul 15, 2010, at 10:24 AM, John Daly wrote:
> I’ve asked this question in many other forums, and so far have never got an answer. Maybe since this is dedicated to smartcard services, someone here will know.
>
> Has anyone ever managed to get Open Directory Network accounts to work with CAC login? If so, how? My system is fully kerberized with single sign-on for most things, so if I can just get the CAC to work for login then all the kerberized services should allow the CAC to work for single sign-on for all my mac services. I have Mac OS X Server 10.5.8 (can’t go to 10.6 until I can justify and fund new hardware)
>
> Thank you,
> John
> -- John Daly
> Apple Certified Technical Coordinator
> Sysadmin 474300D
John,
As I just noted to Bram, you need to just do the following for SSO with CAC at Login (PKINIT).
Mac OS X 10.6.3 has PKINIT support built in, but you need to make some very minor config changes to fully enable for Login. I will attempt to get draft instructions up very soon.
Add PKINIT information to /etc/authorization file
Please make sure to make a backup of the /etc/authorization file before you make any changes as a misconfigured version of this file may prevent the system from booting. A backup of the authorization file could be done with the following command:
cp /etc/authorization /etc/authorization_original_`date +%M-%H-%m-%d-%y`
Edit the /etc/authorization file to add <string>PKINITMechanism:auth,privileged</string> below <string>MCXMechanism:login</string> as in the example below. This could be done with a defaults command or PlistBuddy.
<key>system.login.console</key>
<dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>comment</key>
    <string>Login mechanism based rule. Not for general use, yet.</string>
    <key>mechanisms</key>
    <array>
        <string>builtin:smartcard-sniffer,privileged</string>
        <string>loginwindow:login</string>
        <string>builtin:reset-password,privileged</string>
        <string>builtin:auto-login,privileged</string>
        <string>builtin:authenticate,privileged</string>
        <string>loginwindow:success</string>
        <string>HomeDirMechanism:login,privileged</string>
        <string>HomeDirMechanism:status</string>
        <string>MCXMechanism:login</string>
        <string>PKINITMechanism:auth,privileged</string>
        <string>loginwindow:done</string>
    </array>
</dict>
Test to verify PKINIT is working
First, insert your smart card into the reader. Run the following command to verify that PKINIT is working:
/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise
If the command works, you should be prompted for a PIN. You can verify that you have a Kerberos ticket by opening Keychain Access and going to Ticket Viewer or by going to Terminal and typing klist.
-Shawn
__________________________________________________
Shawn Geddis geddis at mac.com
Security Consulting Engineer geddis at apple.com
MacOSForge Project Lead: Smart Card Services
Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
__________________________________________________
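The /etc/authorization edit Shawn describes, as an added example that is not part of the original post or of the Smart Card Services project: a Python script that parses the file with plistlib, inserts PKINITMechanism:auth,privileged directly after MCXMechanism:login in the system.login.console mechanisms array, stays idempotent, and refuses to touch a file whose structure it does not recognise. It assumes (as on 10.5/10.6) that /etc/authorization is an XML plist with a top-level "rights" dictionary; the sample plist embedded below is constructed, not a real system file.

```python
import plistlib
import shutil
from datetime import datetime

PKINIT_MECH = "PKINITMechanism:auth,privileged"
ANCHOR_MECH = "MCXMechanism:login"
RIGHT = "system.login.console"


def login_mechanisms(plist_bytes):
    """Mechanism list of the system.login.console right (assumes top-level 'rights' dict)."""
    return plistlib.loads(plist_bytes)["rights"][RIGHT]["mechanisms"]


def add_pkinit_mechanism(plist_bytes):
    """Return (new_plist_bytes, changed).

    Inserts PKINIT_MECH right after ANCHOR_MECH.  Idempotent: a file that already
    lists PKINIT is returned unchanged.  Raises ValueError instead of rewriting a
    file whose mechanism list does not contain the expected anchor.
    """
    data = plistlib.loads(plist_bytes)
    mechanisms = data["rights"][RIGHT]["mechanisms"]
    if PKINIT_MECH in mechanisms:
        return plist_bytes, False
    if ANCHOR_MECH not in mechanisms:
        raise ValueError("%s not found in %s mechanisms" % (ANCHOR_MECH, RIGHT))
    mechanisms.insert(mechanisms.index(ANCHOR_MECH) + 1, PKINIT_MECH)
    return plistlib.dumps(data), True


def patch_file(path="/etc/authorization"):
    """Back up the file first (same naming idea as the cp command above), then rewrite it."""
    with open(path, "rb") as f:
        original = f.read()
    new, changed = add_pkinit_mechanism(original)
    if changed:
        shutil.copy2(path, path + "_original_" + datetime.now().strftime("%M-%H-%m-%d-%y"))
        with open(path, "wb") as f:
            f.write(new)
    return changed


# Constructed stand-in for /etc/authorization: only the right that matters, without PKINIT.
SAMPLE = plistlib.dumps({"rights": {RIGHT: {
    "class": "evaluate-mechanisms",
    "mechanisms": ["builtin:smartcard-sniffer,privileged", "loginwindow:login",
                   "builtin:authenticate,privileged", "loginwindow:success",
                   ANCHOR_MECH, "loginwindow:done"]}}})

if __name__ == "__main__":
    patched, changed = add_pkinit_mechanism(SAMPLE)
    print(changed, login_mechanisms(patched))
```

Run patch_file() as root only after checking the result on a copy; a bad /etc/authorization can keep the machine from booting, which is why the function refuses unknown layouts.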