Using Spnego with Mac OS X
Nihed MBAREK
Senior Solutions Architect specializing in big data implementation and profitability
Many people have asked me how to use SPNEGO on a Mac. The good news is that Mac OS already provides all the commands required to use Kerberos.
The first step is to configure Kerberos in /etc/krb5.conf (you must be root to update this file):
```
[libdefaults]
    default_realm = NIHED.COM
    dns_lookup_kdc = false
    dns_lookup_realm = false
    ticket_lifetime = 86400
    renew_lifetime = 604800
    forwardable = true
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac
    permitted_enctypes = rc4-hmac
    udp_preference_limit = 1
    kdc_timeout = 3000
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}

[realms]
    NIHED.COM = {
        kdc = master1.nihed.site
        admin_server = master1.nihed.site
    }

[domain_realm]
    .nihed.site = NIHED.COM
    nihed.site = NIHED.COM
```
Once you are sure that the configuration is correct, you can test it with kinit:
```
nihed@MacBook-Pro-de-Nihed data % kinit user1
user1@NIHED.COM's password:
Encryption type arcfour-hmac-md5(23) used for authentication is weak and will be deprecated
nihed@MacBook-Pro-de-Nihed data % klist
Credentials cache: API:12FB7E27-B088-4159-A83B-6652B0A09804
        Principal: user1@NIHED.COM

  Issued                Expires               Principal
Mar 19 15:25:49 2020  Mar 20 15:25:47 2020  krbtgt/NIHED.COM@NIHED.COM
nihed@MacBook-Pro-de-Nihed data %
```
I know that I'm using RC4 (arcfour) and that it's deprecated, but it was just for the test. Please avoid this encryption type in production.
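To catch a test configuration like the one above before it reaches production, the following added example (not part of the original post) scans the `[libdefaults]` section of a krb5.conf for weak encryption types. The `WEAK` set and the function name `audit_enctypes` are assumptions of this example, and the sample input is constructed from the configuration shown earlier.

```python
import re

# Enctype names treated as weak here (an assumption of this example):
# single-DES, 3DES and RC4 names and family aliases accepted by krb5.conf.
WEAK = {
    "des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "des3", "des3-cbc-sha1", "des3-hmac-sha1",
    "rc4", "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
    "rc4-hmac-exp", "arcfour-hmac-exp",
}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# Constructed sample: the [libdefaults] section from this post, trimmed.
SAMPLE = """\
[libdefaults]
default_realm = NIHED.COM
forwardable = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
[realms]
NIHED.COM = {
kdc = master1.nihed.site
}
"""

def audit_enctypes(conf_text):
    """Return {key: [weak enctypes]} for the enctype lists in [libdefaults]."""
    findings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ENCTYPE_KEYS:
            # Values are separated by whitespace and/or commas.
            weak = [e for e in re.split(r"[\s,]+", value.lower()) if e in WEAK]
            if weak:
                findings[key] = weak
    return findings

if __name__ == "__main__":
    for key, weak in audit_enctypes(SAMPLE).items():
        print(f"{key}: weak enctypes {weak}")
```

An empty result means none of the three enctype lists in `[libdefaults]` names an entry from `WEAK`; it does not check what the KDC itself will issue.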
Now that my Kerberos ticket is in the session, I can configure my browser. For Firefox, you just have to:
- Open about:config (the Firefox configuration page)
- Search for "negotiate"
- Update the field network.negotiate-auth.trusted-uris with a comma-separated list of all hosts where you want to use SPNEGO
Now it works :)
For more information about other browsers, please visit https://docs.cloudera.com/documentation/enterprise/latest/topics/cdh_sg_browser_access_kerberos_protected_url.html