You’re bound to Active Directory and get a Kerberos TGT on a GUI login great, right? Well what if you also wanted to get one automatically when you authenticate via SSH? It’s actually pretty easy to do! Assuming of course that you can successfully get one using kinit, and that you’re using 10.6 or later (10.5 and below does not have the required PAM module). The ticket was (sorry, couldn’t resist) editing the /etc/pam.d/sshd file, and more specifically changing the following line:
auth optional pam_krb5.so use_kcminit
auth optional pam_krb5.so default_principal
There should be no need to restart. If all went well the next time you log in via SSH you should receive a TGT. You can view Kerberos credentials by using the klist command. If you’re only bound to Open Directory and have everything set up correctly, you shouldn’t need to do this as the pam_krb5 module, by default, tries to obtain the principal from the user’s OpenDirectory record. By specifying the default_principal option you tell the module to construct the principal from the authenticating user’s username. Let me know in the comments if this worked for you or if have any questions!
Special thanks to my co-worker who helped me discover this.