Overview
The Kerberos subsystem has been included in macOS since its initial launch in March 2001. It has evolved along with macOS over time.
At Stanford your SUNetID is your Kerberos identity. They are one and the same.
Kerberos files
The files for working with Kerberos are located in the folder /usr/bin. The primary binary files are:
- The command to authenticate to the Kerberos system: /usr/bin/kinit <SUNetID>. This is also referred to as “acquiring a TGT or ticket-granting ticket.”
- The command to display currently held TGTs: /usr/bin/klist.
- The command to delete current TGTs: /usr/bin/kdestroy.
- The command to change your Kerberos password, /usr/bin/kpasswd, is included in the Apple Kerberos system but is not used at Stanford. To change your Kerberos password go to Account Manager.
Kerberos is configured for Stanford in a file that is user-installed in /Library/Preferences/edu.mit.Kerberos. It's a somewhat non-standard file name that has been a part of macOS since the beginning. Learn more about Kerberos on macOS and Kerberos at Stanford.
How to work with Kerberos
There are two methods for working with Kerberos authentication on macOS:
- The traditional method of working from the command line in Terminal.app
- Using the included, but hard to find, Ticket Viewer.app.
Both methods can be used for the basic tasks of authentication to Kerberos.
This document describes the basic Kerberos-related tasks with both of those tools.
Instructions
Terminal.app instructions
- This is the traditional method for managing Kerberos credentials, because Kerberos pre-dates most modern graphical operating systems. Each of the four commands listed in the Overview above is manually entered into a terminal window and executed.
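The command-line workflow described above, wrapped in a small shell helper. This is an added example and not part of the original page. The function names and the KLIST, KINIT and KDESTROY override variables are assumptions for illustration; `klist -s` runs silently and reports only through its exit status whether a valid TGT is held.

```shell
#!/bin/sh
# Added example: thin wrappers around the Kerberos commands in /usr/bin.
# The override variables are assumptions so the paths can be swapped out.
KLIST="${KLIST:-/usr/bin/klist}"
KINIT="${KINIT:-/usr/bin/kinit}"
KDESTROY="${KDESTROY:-/usr/bin/kdestroy}"

# Return 0 if the default credential cache holds a valid, unexpired TGT.
have_tgt() {
    "$KLIST" -s 2>/dev/null
}

# Acquire a TGT only when none is currently valid.
# kinit prompts for the password on the terminal; the password is never
# passed as an argument, so it stays out of shell history and `ps` output.
ensure_tgt() {
    principal="$1"
    if [ -z "$principal" ]; then
        echo "usage: ensure_tgt <SUNetID>" >&2
        return 2
    fi
    if have_tgt; then
        echo "valid TGT already held"
        return 0
    fi
    "$KINIT" "$principal" || return 1
    # Confirm the ticket really landed in the cache before reporting success.
    have_tgt
}

# Delete current tickets and verify nothing usable is left behind,
# for example before walking away from a shared Mac.
drop_tgt() {
    "$KDESTROY" 2>/dev/null   # non-zero exit is expected if the cache is already empty
    if have_tgt; then
        echo "tickets still present after kdestroy" >&2
        return 1
    fi
    return 0
}
```

After sourcing the file, run `ensure_tgt <SUNetID>` at the start of a session and `drop_tgt` at the end.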
Ticket Viewer.app instructions
- This app is part of the Kerberos subsystem that is included in macOS by Apple. It can be found at: /System/Library/CoreServices/Ticket\ Viewer.app
- Ticket Viewer is a graphical user interface for the Kerberos system and features buttons for each of the four commands listed in the Overview above. A Ticket Viewer shortcut can be added to the Dock by dragging the app from Finder to the desired location on the Dock. When launched, the user is presented with this view:
- To authenticate (obtain a TGT) click the Add Identity button. A drop-down dialog box for entering your SUNetID and password is displayed.
- After successful authentication you will see the SUNetID and an expiration date/time.
Auristor AFS client instructions
- If the Auristor AFS client for Mac is installed, there will be an addition to System Preferences. This Preference Pane contains options and controls for managing and using Kerberos as well as AFS.
- When you launch the Preference Pane you will be presented with this screen:
- To use this Preference Pane to manage Kerberos, select the checkboxes for Backgrounder and Use aklog.
- Select the Get new Token button to display a Kerberos authentication dialog box. Enter your SUNetID and Password and an entry will be displayed in the Tokens List.
- At this point you have successfully acquired a Kerberos TGT as well as an AFS token.