Mac – Obtaining A Kerberos TGT On SSH Login

You’re bound to Active Directory and get a Kerberos TGT on a GUI login. Great, right? But what if you also wanted to get one automatically when you authenticate via SSH? It’s actually pretty easy to do, assuming of course that you can successfully get one using kinit, and that you’re using 10.6 or later (10.5 and below do not have the required PAM module). The ticket (sorry, couldn’t resist) was editing the /etc/pam.d/sshd file, and more specifically changing the following line:

auth       optional       pam_krb5.so use_kcminit

to

auth       optional       pam_krb5.so default_principal

There should be no need to restart. If all went well, the next time you log in via SSH you should receive a TGT. You can view your Kerberos credentials with the klist command. If you’re only bound to Open Directory and have everything set up correctly, you shouldn’t need to do this, as the pam_krb5 module by default tries to obtain the principal from the user’s Open Directory record. Specifying the default_principal option instead tells the module to construct the principal from the authenticating user’s username. Let me know in the comments if this worked for you or if you have any questions!

Special thanks to my co-worker who helped me discover this.
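To confirm the edit took, here is a small POSIX shell check I added for this post (not part of the original article): it verifies that the pam_krb5 auth line in a pam.d/sshd file carries default_principal, and that klist output lists a krbtgt entry. Both inputs are constructed samples embedded below; the realm and user are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the two things the post
# tells you to look at: the pam_krb5 option in /etc/pam.d/sshd and klist output.

# Returns 0 if an "auth ... pam_krb5.so" line carries default_principal, 1 otherwise.
# $1 is the contents of a pam.d/sshd file (pass it as text so it can be tested offline).
pam_sshd_has_default_principal() {
    printf '%s\n' "$1" | awk '
        $1 == "auth" && $3 == "pam_krb5.so" {
            for (i = 4; i <= NF; i++) if ($i == "default_principal") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Returns 0 if klist output lists a ticket-granting ticket (krbtgt/REALM@REALM), 1 otherwise.
# $1 is captured klist output.
klist_has_tgt() {
    printf '%s\n' "$1" | grep -q 'krbtgt/'
}

# Constructed sample: the sshd PAM file before and after the edit described in the post.
PAM_BEFORE='auth       optional       pam_krb5.so use_kcminit
auth       optional       pam_mount.so
account    required       pam_nologin.so'
PAM_AFTER='auth       optional       pam_krb5.so default_principal
auth       optional       pam_mount.so
account    required       pam_nologin.so'

# Constructed klist samples; EXAMPLE.REALM and jdoe are placeholders, not real values.
KLIST_OK='Default principal: jdoe@EXAMPLE.REALM

Valid starting     Expires            Service principal
01/01/13 09:00:00  01/01/13 19:00:00  krbtgt/EXAMPLE.REALM@EXAMPLE.REALM'
KLIST_EMPTY='klist: No credentials cache found'

# Prints a one-line verdict per check; run against the live system with
#   report_tgt_setup "$(cat /etc/pam.d/sshd)" "$(klist 2>&1)"
report_tgt_setup() {
    if pam_sshd_has_default_principal "$1"; then echo "pam.d/sshd: default_principal is set"
    else echo "pam.d/sshd: default_principal is NOT set on the pam_krb5 auth line"; fi
    if klist_has_tgt "$2"; then echo "klist: TGT present"
    else echo "klist: no TGT in credentials cache"; fi
}

report_tgt_setup "$PAM_AFTER" "$KLIST_OK"
```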

Linux/Mac – Have Margarita Startup Automatically On Boot

A little introduction.

Greg Neagle put together a wonderful third party Apple Software Update Service (SUS) called Reposado. In short, the three greatest features Reposado offers are the ability to create separate update branches, the ability to offer deprecated updates, and the fact that it does not need to run on Mac OS X hardware.

Reposado is great, and if you’re using Apple’s SUS solution I recommend you switch. Reposado does have one drawback though: it’s command line only. While that isn’t a problem for most administrators, there may be times when you want someone else, who doesn’t feel comfortable at the command line, to manage updates. Or perhaps you want the convenience and speed of a GUI. Jesse Peterson filled this void with Margarita, a web front end for Reposado that also runs on Mac or Linux.

We run Reposado on a Red Hat Enterprise Linux (RHEL) 6 server, and I recently installed and configured Margarita in case someone else needed an easy way to add an update to a branch. The only unfortunate part about Margarita on Linux is that it doesn’t start up automatically. If you plan to use Reposado and Margarita on a Mac, Jesse has a launchd task to accomplish this.

After the jump, I’ll explain how to install the Margarita startup script I wrote for our RHEL 6 server.


Mac – Mounting Network Shares via Applescript

Recently, I had to create a /Library/LaunchAgents job that would mount network shares upon a user logging in. I had the job run an AppleScript (don’t hate me) to do this, and I picked up several tips:

If you need to get some information about the currently logged in user, use “system info” and avoid using “do shell script”:

tell application "Finder"
    set userName to get short user name of (system info)
end tell

Prefix the FQDN of the mount with the user’s short name. While this seems unnecessary, I found that it dramatically sped up my script and stopped NetAuthAgent from crashing every time my script ran on 10.6.8:

tell application "Finder"
    set userName to get short user name of (system info)
    mount volume "afp://" & userName & "@server.fqdn.here"
end tell

Lastly, as you can see from the example above, use “mount volume” instead of “open location”. The reason is that “mount volume” will not open a Finder window once the share has been mounted, which is usually what you want.