[SmartcardServices-Users] CAC and Mac Os X Server

Daly, John L CIV john.l.daly at navy.mil
Wed Jul 28 06:53:35 PDT 2010


Thank you Shawn,

Now, I have just two more questions:  Do we have to do anything on the server
side besides just adding the CAC card ID hash to the users authorization
attributes on the network account on the server?

Is there a way to make this work on 10.5?  A fair percentage of our systems
are still PowerPC, and while we're upgrading as fast as the budget will
allow, we haven't even gotten rid of all the G4s yet, let alone G5s.  Also,
does the server have to be at 10.6?  Both my servers are PowerPC.  This
makes a 10.6 solution impossible.

Thank you,
John


On 7/21/10 12:44 PM, "Shawn Geddis" <geddis at mac.com> wrote:

> On Jul 15, 2010, at 10:24 AM, John Daly wrote:
>> I've asked this question in many other forums, and so far have never got an
>> answer.  Maybe since this is dedicated to smartcard services, someone here
>> will know.
>> 
>> Has anyone ever managed to get Open Directory Network accounts to work with
>> CAC login?  If so, how?  My system is fully kerberized with single sign-on
>> for most things, so if I can just get the CAC to work for login then all the
>> kerberized services should allow the CAC to work for single sign-on for all
>> my mac services.  I have Mac Os X Server 10.5.8 (can't go to 10.6 until I can
>> justify and fund new hardware)
>> 
>> Thank you,
>> John
>> -- John Daly
>> Apple Certified Technical Coordinator
>> Sysadmin 474300D
> 
> John,
> 
> As I just noted to Bram, you need to just do the following for SSO with CAC at
> Login (PKINIT).
> 
> Mac OS X 10.6.3 has PKINIT support built in, but you need to make some very
> minor config changes to fully enable for Login.  I will attempt to get draft
> instructions up very soon.
> 
> Add PKINIT information to /etc/authorization file
> 
> Please make sure to make a backup of the /etc/authorization file before you
> make any changes as a misconfigured version of this file may prevent the
> system from booting. A backup of the authorization file could be done with the
> following command:
> 
> cp /etc/authorization /etc/authorization_original_`date +%M-%H-%m-%d-%y`
> 
> Edit the /etc/authorization file to add
> <string>PKINITMechanism:auth,privileged</string> below
> <string>MCXMechanism:login</string> as in the example below. This could be
> done with a defaults command or plistbuddy.
> 
> <key>system.login.console</key>
> <dict>
> <key>class</key>
> <string>evaluate-mechanisms</string>
> <key>comment</key>
> <string>Login mechanism based rule.  Not for general use, yet.</string>
> <key>mechanisms</key>
> <array>
> <string>builtin:smartcard-sniffer,privileged</string>
> <string>loginwindow:login</string>
> <string>builtin:reset-password,privileged</string>
> <string>builtin:auto-login,privileged</string>
> <string>builtin:authenticate,privileged</string>
> <string>loginwindow:success</string>
> <string>HomeDirMechanism:login,privileged</string>
> <string>HomeDirMechanism:status</string>
> <string>MCXMechanism:login</string>
> <string>PKINITMechanism:auth,privileged</string>
> <string>loginwindow:done</string>
> </array>
> </dict>
> 
> 
> 
> Test to verify PKINIT is working
> 
> First, insert your smart card into the reader. Run the following command to
> verify that PKINIT is working:
> 
> /System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kinit -C KEYCHAIN:
> -D KEYCHAIN: --windows --pk-enterprise
> 
> If the command works, you should be prompted for a PIN. You can verify that
> you have a kerberos ticket by opening Keychain Access and going to Ticket
> Viewer or by going to Terminal and typing klist.
>  
> 
> -Shawn
> 
> __________________________________________________
> Shawn Geddis      geddis at mac.com
> Security Consulting Engineer    geddis at apple.com
> 
> MacOSForge Project Lead:                           Smart Card Services
> Web: http://smartcardservices.macosforge.org/
> Lists: http://lists.macosforge.org/mailman/listinfo
> __________________________________________________
> 
> 

-- John Daly
Apple Certified Technical Coordinator
Sysadmin 474300D
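Shawn's procedure above (back up /etc/authorization, insert PKINITMechanism:auth,privileged directly after MCXMechanism:login in the system.login.console right, then verify) done as a script, as an added example that is not code from this thread, from the Smart Card Services project or from Apple. It assumes the plist layout quoted in the message, with the right living either at the top level or under a "rights" dictionary as in the real file; the function names and the embedded sample plist are constructed for this example. The script refuses to guess a position when the MCXMechanism:login anchor is absent and is idempotent, so running it twice never duplicates the mechanism.

```python
"""Insert the PKINIT login mechanism into an /etc/authorization-style plist.

Added example, not code from the mailing-list thread or from Apple.
Assumes the structure quoted in the thread; names below are this
example's own.
"""
import os
import plistlib
import shutil
import sys
import time
from typing import List

PKINIT = "PKINITMechanism:auth,privileged"
ANCHOR = "MCXMechanism:login"
RIGHT = "system.login.console"

# Constructed sample: the right exactly as quoted in the message, wrapped in
# a plist root with a "rights" dict the way the real file nests it.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>comment</key>
      <string>Login mechanism based rule.  Not for general use, yet.</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:smartcard-sniffer,privileged</string>
        <string>loginwindow:login</string>
        <string>builtin:reset-password,privileged</string>
        <string>builtin:auto-login,privileged</string>
        <string>builtin:authenticate,privileged</string>
        <string>loginwindow:success</string>
        <string>HomeDirMechanism:login,privileged</string>
        <string>HomeDirMechanism:status</string>
        <string>MCXMechanism:login</string>
        <string>loginwindow:done</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""


def _mechanisms(root: dict) -> List[str]:
    """Return the (mutable) mechanisms list of the login right, or raise."""
    rights = root.get("rights", root)  # real file nests rights; a fragment may not
    right = rights.get(RIGHT)
    if not isinstance(right, dict) or right.get("class") != "evaluate-mechanisms":
        raise ValueError(f"{RIGHT} missing or not an evaluate-mechanisms rule")
    mechs = right.get("mechanisms")
    if not isinstance(mechs, list):
        raise ValueError(f"{RIGHT} has no mechanisms array")
    return mechs


def add_pkinit_mechanism(plist_bytes: bytes) -> bytes:
    """Return the plist with PKINIT placed right after MCXMechanism:login.

    Idempotent: input that already lists PKINIT is returned unchanged.
    """
    root = plistlib.loads(plist_bytes)
    mechs = _mechanisms(root)
    if PKINIT in mechs:
        return plist_bytes
    if ANCHOR not in mechs:
        raise ValueError(f"anchor {ANCHOR!r} not found; refusing to guess a position")
    mechs.insert(mechs.index(ANCHOR) + 1, PKINIT)
    return plistlib.dumps(root)


def login_mechanisms(plist_bytes: bytes) -> List[str]:
    """Parse and return the login right's mechanism order, for verification."""
    return list(_mechanisms(plistlib.loads(plist_bytes)))


def update_file(path: str) -> None:
    """Back up the file with the thread's timestamp scheme, then rewrite it."""
    shutil.copy2(path, f"{path}_original_{time.strftime('%M-%H-%m-%d-%y')}")
    with open(path, "rb") as fh:
        updated = add_pkinit_mechanism(fh.read())
    tmp = path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(updated)
    os.replace(tmp, path)  # atomic swap so a half-written file never boots


if __name__ == "__main__":
    if len(sys.argv) > 1:
        update_file(sys.argv[1])  # e.g. sudo python3 add_pkinit.py /etc/authorization
    else:
        print("\n".join(login_mechanisms(add_pkinit_mechanism(SAMPLE_PLIST))))
```

Run without arguments to see the resulting mechanism order for the embedded sample; pass the path of the real file (as root) to apply the change. After applying it, the kinit test from the message is the check that PKINIT actually works end to end, since a correctly edited file proves nothing about the card, reader or KDC.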


