Kerberos Authentication on macOS

This is how I setup Kerberos authentication on a macOS machine. I mostly use it to mount CIFS/SMB shares and connect to SQL Servers.

Authenticating to a Kerberos server in a Windows domain is also know as Integrated Authentication or Windows Authentication.

Kerberos is built-in on macOS, and /etc/krb5.conf is its configuration file, see krb5.conf(5). Here is a minimal example of authenticating to an Active Directory Domain Controller DC1.EXAMPLE.COM in the EXAMPLE.COM domain:

  default_realm = EXAMPLE.COM

It is very important that the domain is ALL CAPS.

To authenticate, i.e. receive a ticket granting ticket, type:

$ kinit --keychain username@EXAMPLE.COM
Again, domain must be ALL CAPS. This will save the principal and password to the keychain, so hereafter kinit can be called without arguments.

Kerberos tickets typically expire after 10 hours; they are refreshed whenever kinit is called. The current tickets and their expiration can be listed by klist.

I learned the --keychain argument from a superuser; it is currently not documented in kinit(1).

Kerberos in Google Chrome on macOS

defaults write AuthServerWhitelist "*"
defaults write AuthNegotiateDelegateWhitelist "*"

The preferences are written to ~/Library/Preferences/ and documented in the Chrome Enterprise policy list.