SCL setup for a computer running OS X

This document will guide you through how to set up OS X so that you may use the SCL's OpenAFS space, log in using Kerberos, and have a working aklog so that you may switch users. If you have any questions regarding this document, please contact the help desk at help@scl.ameslab.gov.

We ask that, if possible, you start with a fresh install of OS X with all security updates installed. This gives us a standard base to set up your machine from, and these instructions should then work correctly. If you have a system with already modified login settings, this setup may not work correctly; in that case contact help and we will try to assist you with the problem.

Once this is done, we ask that you first enable your root account. Normally this is considered a security hazard on a Mac box, but for administrative purposes we ask that you enable it so that we can log into your system if necessary:

    sudo passwd root
Since proper ticket forwarding setup will allow us to access your computer, you may set this password to whatever you wish, but please make sure it is not something easy to figure out.

Next, we need to get the package that contains the AFS drivers, and the aklog package for forwarding account info. Please click the link below and place the item on your desktop:

    OpenAFS-1.3.78cvs-aklog.pkg.tar

Once you have this file, simply unpack and install the OpenAFS package. This will install the drivers on your system, but we still have some more setup to do in order for it to work properly. When your computer asks to restart, please restart it.

At this point it would be a good idea to create a Kerberos keytab file for your computer. Please ask an admin for assistance in performing this part, as normal users do not have the permissions necessary to do this.

To set up the authorization files, we currently only copy and paste working files into the proper places. For upgradability in the future, we will create diffs that you can run to simply update your existing files, but in the meantime this should work correctly. Please download the following files and place them on your desktop:

    authorization
    edu.mit.kerberos

Now that you have these files, it would be a good idea to open up a terminal and run the following commands:

    cd Desktop
This will copy a working authorization file, and the Kerberos information for our realm, onto your computer.

Now we need to tell your computer what our AFS cell is, and we can do that by opening any editor and modifying the CellServDB and ThisCell files (we do it with pico in this example):

    pico /var/db/openafs/etc/CellServDB

Add these lines to the top of this file:

    >scl.ameslab.gov        #scl
    147.155.137.10          #wopr.scl.ameslab.gov
    147.155.137.11          #hal.scl.ameslab.gov

Then at the prompt, type:

    echo scl.ameslab.gov > /var/db/openafs/etc/ThisCell
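As an added check (example code, not from the SCL page), the script below verifies, before you reboot, that ThisCell names a cell that CellServDB actually lists with at least one database server. It parses the CellServDB format shown above and runs against constructed copies of the two files in a temporary directory, not the live ones under /var/db/openafs/etc.

```shell
#!/bin/sh
# Added example, not part of the SCL page: sanity-check the OpenAFS client
# files edited above before rebooting. CellServDB format: a header line
# ">cellname  #comment" followed by one "ip-address  #hostname" line per
# database server in that cell; ThisCell holds just the local cell name.

# Print the database-server addresses listed under one cell.
# usage: cell_servers <cell> <CellServDB path>
cell_servers() {
    awk -v cell="$1" '
        /^>/ { sub(/^>/, ""); incell = ($1 == cell); next }
        incell && $1 ~ /^[0-9.]+$/ { print $1 }
    ' "$2"
}

# Check that ThisCell names a cell CellServDB knows and that the cell has at
# least one server; prints the servers. Returns 0 on success, 1 on failure.
# usage: check_afs_client <ThisCell path> <CellServDB path>
check_afs_client() {
    thiscell=$(head -n 1 "$1" | tr -d '[:space:]')
    if [ -z "$thiscell" ]; then
        echo "ThisCell is empty" >&2; return 1
    fi
    servers=$(cell_servers "$thiscell" "$2")
    if [ -z "$servers" ]; then
        echo "CellServDB has no servers for cell $thiscell" >&2; return 1
    fi
    printf '%s\n' "$servers"
}

# Constructed sample files (not the real /var/db/openafs/etc files): the
# entries from the page plus a second, unrelated cell that must be ignored.
WORK=$(mktemp -d)
cat > "$WORK/CellServDB" <<'EOF'
>scl.ameslab.gov        #scl
147.155.137.10          #wopr.scl.ameslab.gov
147.155.137.11          #hal.scl.ameslab.gov
>example.org            #constructed second cell
192.0.2.5               #db.example.org
EOF
printf 'scl.ameslab.gov\n' > "$WORK/ThisCell"

check_afs_client "$WORK/ThisCell" "$WORK/CellServDB" && echo "AFS client config looks consistent"
```

Point the two arguments at /var/db/openafs/etc/ThisCell and /var/db/openafs/etc/CellServDB to check the real files after editing them.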
Once these changes have been made, please reboot your system. You still need to have the LDAP database set up on your computer so that your Kerberos logins will work correctly, but it's a good idea to save these changes and let your computer reboot at this point.

Once your computer has rebooted, open up Finder, go to Applications > Utilities and run the program called "Directory Access." Make sure that the lock is unlocked so that you may make changes to the configuration. Once this has been done, click the Services tab at the top of the window, and deselect all the different protocols except for LDAPv3. Next, select the LDAPv3 protocol, then click the button at the bottom of the window named "Configure." Clicking this button should open up another window.

In this next window, on the drop-down menu next to the word "Location:", select Automatic. Uncheck the option that says "Use DHCP-supplied LDAP Server" if it is selected. If there is a button next to the words "Show Options", click it. At the bottom of this window there will be some buttons. Select the "New..." button; this will make a new entry. Click the "Edit" button; this will bring up yet another window.

For the configuration name, type "SCL LDAP Server". For the Server Name or IP address, use ldap.scl.ameslab.gov. The fields next to the words "Open/Close times out in" and "Connection times out in" should be 20. Do not use authentication when connecting, do not encrypt using SSL, and do not use a custom port. Unselect these options if they are selected.

Click the "Search & Mappings" heading. In the drop-down menu next to "Access this LDAPv3 server using", select "RFC 2307 (Unix)". Under the heading "Record Types and Attributes", click "Users". For the Search base, enter "ou=People,dc=scl,dc=ameslab,dc=gov". Next, click "Groups" and enter "ou=Group,dc=scl,dc=ameslab,dc=gov" for the Search base here. Delete the entry "Mounts" under "Record Types and Attributes". After that, click "People" and enter "dc=scl,dc=ameslab,dc=gov" in the Search base. Make sure to click the radio button next to "Search in:" for "all subtrees" for each of these. Click the "OK" button. Make sure that the new entry has a check mark next to it under the heading "Enable".

Return to the base "Directory Access" window by closing all the other ones. Click the "Authentication" tab. In the drop-down menu next to the word "Search:", select "Custom Path". Click the "Add..." button and add "/LDAPv3/ldap.scl.ameslab.gov". Leave the "Contacts" heading alone. Click "Apply".

After all this has been done, please reboot. When you reboot, you should be able to log into the machine using your Kerberos login and password. AFS should mount automatically for you, and the icon for this should be on the desktop.

Add the standard warning banners:
or you can use the following command:

Download this file and save it as /etc/issue.

Open the Sharing preferences and activate Remote Login. Add the root ssh key:

    sudo cp /afs/scl/software/ssh/id_dsa.pub /var/root/.ssh/authorized_keys

Add the files that allow login via ssh with Kerberos:

    sudo cp -r /afs/scl/software/OSuX/kfm_aklog_krb5/build/aklog.loginLogout /Library/Kerberos\ Plug-Ins/
    sudo cp /afs/scl/p/web/html/admin/osx-files/panther/pam_KFM.so /usr/lib/pam/
    sudo cp /afs/scl/p/web/html/admin/osx-files/panther/sshd /etc/pam.d/
    sudo cp /afs/scl/p/web/html/admin/osx-files/panther/sudo /etc/pam.d/
    sudo cp /afs/scl/p/web/html/admin/osx-files/panther/su /etc/pam.d/
    sudo cp /afs/scl/p/web/html/admin/osx-files/panther/sshd_config /etc/
Questions? Comments? Please send an email to , or contact us at 515-294-7336.