- Make sure you have the latest krb5.conf installed
  - krb5.conf for Linux systems
  - krb5.conf for Mac OS X 10.7 and later systems
  - Fermilab Kerberos Configuration Templates
  - Also available in the krb5-fermi-config or krb5-fermi-krb5.conf packages
- If you are running or planning to run OSX Yosemite before it is approved at Fermilab:
  - Make sure you have the latest krb5.conf file installed (see above)
  - Change your Kerberos password on an updated Linux system that supports the newer encryption types (such as FNALU) before installing Yosemite
  - If you did not, find a non-Yosemite OSX system or an updated Linux system (such as FNALU) where you can change your password
- SSH access from a Yosemite system to a Linux system will fail unless the system administrator of the Linux system has updated the Kerberos keytabs. (KB0011430)
- If you are running Ubuntu with Heimdal Kerberos and see an md5 error message (kinit: krb5_get_init_creds: Checksum type rsa-md5-des is keyed, but the key type des-cbc-crc passed didnt have that checksum type as the keyed type), either:
  - Change your password (requires an MIT-based kpasswd), or
  - Install the MIT Kerberos Client
    - sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config
    - and install the latest krb5.conf file from the web
- It is recommended that you run kpasswd on a Linux system (FNALU is available as a general purpose Linux system) to change your Kerberos password. If you are using a Macintosh, you will probably need to wait at least 20 minutes after changing your password for the change to propagate to all the Slave KDCs; otherwise your kinit might fail because it attempts to get credentials from a Slave KDC which still has the old password. This is less of a consideration on Linux systems, since kinit from MIT (used on the Linux systems) behaves differently with respect to Slave KDCs than kinit from Heimdal (used on the Mac).
- If you experience long login times to Linux machines, edit /etc/krb5.conf to include these options (as of v5.1 of krb5.conf, these changes are in the default krb5.conf):

    [appdefaults]
        .....
        krb4_get_tickets = false
        .......
        pam = {
            ......
            krb4_get_tickets = false
            krb4_convert_524 = false
            krb4_use_as_req = false
        }
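
One way to confirm that a krb5.conf carries the krb4 options listed above, at the [appdefaults] level and inside the pam subsection. This is an added example, not part of the Fermilab page or its packages; the function name `check_krb4_opts` is hypothetical and the sample file is constructed for illustration.

```shell
#!/bin/sh
# check_krb4_opts FILE (hypothetical helper, not a Fermilab tool)
# Reports krb4_* options in [appdefaults] that are not "false" and any of the
# four expected options that are absent. Returns 0 only when all are clean.
check_krb4_opts() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ { next }                       # skip comment lines
    /^[ \t]*\[/   { sect = trim($0); depth = 0; subname = ""; next }
    sect != "[appdefaults]" { next }             # other sections are ignored
    /=[ \t]*\{[ \t]*$/ {                         # "name = {" opens a subsection
        split($0, p, "="); depth++
        if (depth == 1) subname = trim(p[1])
        next
    }
    /^[ \t]*\}/ { if (depth > 0) depth--; if (depth == 0) subname = ""; next }
    /^[ \t]*krb4_[a-z0-9_]+[ \t]*=/ {
        split($0, p, "="); key = trim(p[1]); val = trim(p[2])
        scope = (depth == 0) ? "appdefaults" : subname
        seen[scope "/" key] = 1
        if (val != "false") {
            printf "%s/%s = %s (expected false)\n", scope, key, val; bad = 1
        }
    }
    END {
        list = "appdefaults/krb4_get_tickets pam/krb4_get_tickets"
        list = list " pam/krb4_convert_524 pam/krb4_use_as_req"
        n = split(list, want, " ")
        for (i = 1; i <= n; i++)
            if (!(want[i] in seen)) { printf "%s missing\n", want[i]; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample: krb4_convert_524 left enabled, krb4_use_as_req absent.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
[libdefaults]
    krb4_get_tickets = true
[appdefaults]
    krb4_get_tickets = false
    pam = {
        krb4_get_tickets = false
        krb4_convert_524 = true
    }
EOF
if check_krb4_opts "$sample"; then echo "krb4 options OK"; else echo "krb4 options need fixing"; fi
```

Run it against the installed file with `check_krb4_opts /etc/krb5.conf`; settings outside [appdefaults], such as the [libdefaults] line in the sample, are deliberately not counted.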