This is how I setup Kerberos authentication on a macOS machine. I mostly use it to mount CIFS/SMB shares and connect to SQL Servers.
Authenticating to a Kerberos server in a Windows domain is also known as Integrated Authentication or Windows Authentication.
Kerberos is built-in on macOS, and /etc/krb5.conf is its configuration file, see krb5.conf(5). Here is a minimal example of authenticating to an Active Directory Domain Controller DC1.EXAMPLE.COM in the EXAMPLE.COM domain:
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = DC1.EXAMPLE.COM
}
It is very important that the domain (the Kerberos realm) is ALL CAPS, because realm names are case-sensitive.
To authenticate, i.e. receive a ticket granting ticket, type:
$ kinit --keychain username@EXAMPLE.COM
Again, the domain must be ALL CAPS. This will save the principal and password to the keychain, so hereafter kinit can be called without arguments.
Kerberos tickets typically expire after 10 hours; they are refreshed whenever kinit is called. The current tickets and their expiration can be listed by klist.
I learned the --keychain argument from a superuser; it is currently not documented in kinit(1).
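As an added example that is not part of the original post: a small refresh script that reads klist, works out how long the ticket granting ticket has left and calls kinit only when the ticket is missing or about to lapse. It assumes the Heimdal klist column layout macOS prints (embedded below as a constructed sample, not captured output) and the --keychain workflow described above.

```python
import re
import subprocess
import sys
from datetime import datetime
# Constructed sample of `klist` output in the Heimdal layout macOS prints
# (not captured from a real machine; the column format is an assumption).
SAMPLE_KLIST = """\
Credentials cache: API:00000000-0000-0000-0000-000000000000
        Principal: username@EXAMPLE.COM

  Issued                Expires               Principal
Jan  3 08:00:00 2024  Jan  3 18:00:00 2024  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""
# Issued column, Expires column, then the ticket-granting ticket's name.
TGT_LINE = re.compile(r"^(.+?\d{4})\s{2,}(.+?\d{4})\s+krbtgt/\S+")

def parse_klist_time(text):
    """Turn a klist timestamp such as 'Jan  3 18:00:00 2024' into a datetime."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y")

def tgt_seconds_left(klist_output, now):
    """Seconds until the krbtgt ticket expires (negative once it has), or None if
    no TGT with a date in its Expires column is listed (Heimdal prints
    >>>Expired<<< there for a lapsed ticket, which therefore also yields None)."""
    for line in klist_output.splitlines():
        m = TGT_LINE.match(line)
        if m:
            return (parse_klist_time(m.group(2)) - now).total_seconds()
    return None

def needs_kinit(klist_output, now, margin=600):
    """True when there is no usable TGT or it lapses within `margin` seconds."""
    left = tgt_seconds_left(klist_output, now)
    return left is None or left < margin

def principal_ok(principal):
    """Kerberos realms are case-sensitive: the part after '@' must be ALL CAPS."""
    user, _, realm = principal.rpartition("@")
    return bool(user) and bool(realm) and realm == realm.upper()

if __name__ == "__main__":
    # First run: pass username@EXAMPLE.COM so --keychain stores the password;
    # later runs need no argument because kinit reads it from the keychain.
    principal = sys.argv[1] if len(sys.argv) > 1 else None
    if principal and not principal_ok(principal):
        sys.exit(f"refusing {principal!r}: the realm must be ALL CAPS")
    out = subprocess.run(["klist"], capture_output=True, text=True).stdout
    if needs_kinit(out, datetime.now()):
        cmd = ["kinit", "--keychain", principal] if principal else ["kinit"]
        subprocess.run(cmd, check=True)
```

Run it from a launchd job or before mounting a share; with no cache at all klist prints nothing to stdout, which the script treats the same as an expired ticket.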
Kerberos in Google Chrome on macOS
Chrome only attempts Kerberos (Negotiate) authentication against servers on its allowlist. To enable it for every host under example.com, and to let Chrome delegate your credentials to those hosts, set the two policies:
defaults write com.google.Chrome AuthServerAllowlist "*.example.com"
defaults write com.google.Chrome AuthNegotiateDelegateAllowlist "*.example.com"
Keep AuthNegotiateDelegateAllowlist as narrow as you can: delegation forwards your Kerberos credentials to the listed servers so they can act on your behalf.
The current policies can be viewed at chrome://policy; they are written to ~/Library/Preferences/com.google.Chrome.plist and documented in the Chrome Enterprise policy list.