Wikifications - User contributions [en]

Main Page

2017-02-18T23:18:02Z

Dre: Update site link for SSL

=== Hey, another wiki. Great! ===
Here, you will find things. You may notice that anonymous edits are firmly '''DISABLED'''. Yeah, THAT'S RIGHT. I am intentionally destroying the communal benefits that wiki was designed to provide. Why? I friggin hate spam, and my two previous wikis were consumed by friggin spambots. You may also notice that you can't create a user account. COPE! :) If you really want to contribute, please mail me at dreNOSPAMPLSKTHX@mac.com, and I'd be more than happy to let you in.

UPDATE: Even this one got spam-bombed. Note to self: use of 'one-click upgrades' are unlikely to migrate configuration file directives when the syntax changes.

Here is the page of [[User:Dre]], your esteemed information broker.

You may want to scope my other, less sandbox-like presence: https://dreness.com

=== Mac OS X ===
[[Parallels]] - Wrangling virtual machines!

[[Cool Apps]] - A list of applications that I've found useful / cool

[[TigerPage]] - This stuff is all specific to Mac OS X 10.4, Tiger. Some items discussed here:
*launchd
*dummynet

[[LKDC]]

=== IT Stuff ===
I once maintained a FreeBSD box in colo. Check out the page of [[meta]], where I have notes and instructions for the various services I was running.

Rebuilding [[floe]] from OpenBSD to FreeBSD.

[[Mac OS X Server]] stuff.

[[Net SNMP]] items.

=== Scripting / Development ===
[[Scripting]] - Here's where I keep a bunch of scripting snippets / examples. This includes:
*Basic shell scripting idioms (tests, loops, redirection)
*zsh profile elements
*AppleScript Droplet example
*Perl scripts

[[Useful Commands]] - Some useful and often Mac OS X specific commands. So far:
*Using dd to rescue data from a dying disk
*Encypted and growable disk images
*perl one-liner for global find / replace
*finding the input device idle time from ioreg

[[cocoa]]

[[php]] in OS X

[[bugzilla]] in OS X

[[phpbb]] in OS X

[[rrdtool]] builds without error in 10.3.9

(old) [[Panther DNS Issues]]

[[Installing and using unix software in userland]]

[[How to make and apply patches]]

[[How to compile other software using Macports libraries]]

=== Quick Reference Pages ===
[[irssi]] [[screen]] [[X11]] [[q3]] [[color escape sequences]] [[mysql]] [[wow]] [http://sial.org/howto/perl/life-with-cpan CPAN notes] [http://meta.wikimedia.org/wiki/Preventing_Access wikimedia security notes] [[vi]] [[apache]] [[iphone]] [[gnuplot]]

=== [[Network Stuff]] ===
*[http://www.dreness.com/wikimedia/index.php?title=Network_Stuff#Streaming_your_iTunes_music_remotely iTunes Remote Streaming] details the process for using iTunes music sharing across a WAN.
*[http://www.dreness.com/wikimedia/index.php?title=Network_Stuff#AS_.2F_Routing_Reserach AS / Routing Research] includes information about determining the number of discrete logical paths in and out of an Autonomous System (AS)
*[http://www.dreness.com/wikimedia/index.php?title=Network_Stuff#TCP_Timeouts_TCP_Timeouts TCP Timeouts] shows some sysctl configuration for adjusting TCP window sizes.
*[http://www.dreness.com/wikimedia/index.php?title=Network_Stuff#Xinetd.2C_ssh_and_netcat_xinetd.2C_ssh_and_netcat xinetd, ssh and netcat] is a xinetd configuration example showing how to use xinetd to trigger ssh / netcat on demand to encrypt pop3 traffic.

... and then of course, the requisite links to the mediawiki docs, hosted at wikipedia:

Please see [http://meta.wikipedia.org/wiki/MediaWiki_i18n documentation on customizing the interface]
and the [http://meta.wikipedia.org/wiki/MediaWiki_User%27s_Guide User's Guide] for usage and configuration help.

User talk:Dre

2017-02-18T22:55:21Z

Dre: Created page with "Nobody ever talks here..."

Nobody ever talks here...

Wow

2010-01-24T06:11:10Z

Dre: /* Macros */

=Macros=
(many of these are outdated)

==Druid==

'''innervate''''
#showtooltip
/cast Innervate
/script s, d, e = GetSpellCooldown("Innervate");
/script if (s==0) then if (d==0) then SendChatMessage("Innervate on %t!", nil); end; else print('cooldown?'); end

==Offensive==

"castsequence" is a great new addition to the macro language that lets you assign a sequence of things to a single key. Each press (after the global cooldown) gets you the next item in the list. When you hit the end, it automatically wraps back around. I also add a reset timer so that it jumps back to the beginning, because mana spring doesn't last as long as the others, so I typically have to re-cast it more often. Also, the /shift means that reset is triggered after 25 seconds, or if I shift-click the macro button (allowing me to bypass the 25 second timer if I need to).

'''cast'''
/castsequence reset=25/shift Mana Spring Totem, Wrath of Air Totem, Totem of Wrath, Strength of Earth Totem

'''mele'''
/castsequence reset=25/shift Grace of Air Totem, Strength of Earth Totem, Healing Stream Totem, Totem of Wrath

Adding a [button:2] clause acts as a conditional that is only true if the macro was invoked with (in this case) a right-click. Depending on your mouse, you may also have additional buttons (3, 4, 5). I right-click for a rank 1 when I want to do is get the secondary effect of the spell (e.g. slow target, prevent stealth, interrupt spells, reveal stealthed players in mele range) without spending a lot of mana.

'''chain'''
/cast [help, combat, button:2] Chain Heal; [help, nocombat, button:2] Chain Heal;
[target=targettarget, help, combat, button:2] Chain Heal;
[target=player, button:2] Chain Heal; Chain Lightning

This is used for either a chain lightning or a chain heal. Normal click is chain lightning, but a right click gives it a hw like behavior (see below), but with chain heal instead of healing wave.

==Defensive==

'''hw'''
/cast [button:2] Nature's Swiftness; [help, combat] Healing Wave; [help, nocombat] Healing Wave;
[target=targettarget, help, combat] Healing Wave; [target=player] Healing Wave
I like this one a lot, but can't take credit for writing it, though I did add the NS bit. Right click it to proc Nature's Swiftness; left-click does one of the following: If your target is friendly, heal it (whether in combat or not). If your target's target is friendly and you are in combat, heal your target's target. This is the key clause here; it allows you to dps a target and also heal the target's target (e.g. your tank or yourself) without changing your own target first. Finally, if none of the above is true, heal yourself. To get a fast heal, do a rapid right-click left-click... works great, and is so fast that nobody would have time to dispell the NS before the big heal pops.

'''lhw'''
/cast [help, combat] Lesser Healing Wave; [help, nocombat] Lesser Healing Wave;
[target=targettarget, help, combat] Lesser Healing Wave; [target=player] Lesser Healing Wave

Same as above, but with lesser healing wave and without NS.

'''st-hl'''
/cast War Stomp
/target Jindi
/cast Healing Wave
Normally I just use this for war stomp, but if I want a big heal after that, just keep pressing...

'''t-heal'''
This is a big insta-heal with both trinkets
/use 13
/use 14
/cast Nature's Swiftness
/cast Healing Wave

=Videography=

==Camera Control==

Nice camera moves are best achieved by the game itself, as it's basically impossible to match the smooth motion curves with any sort of human input device. One way to do this is to use the camera presets. By default, the speed at which the camera moves between presets is pretty quick - good for in-game use, but not good for cinematic purposes. You can adjust the camera movement speed by altering the time duration of the transition, using a couple of cvars. They are:

cameraSmoothTimeMax
cameraSmoothTimeMin

* in a slash command context:
/console SET cameraSmoothTimeMax 15.0
/console SET cameraSmoothTimeMin 15.0

* in a script context:
SetCVar("cameraSmoothTimeMax","15")
SetCVar("cameraSmoothTimeMin","15")

* or you can set both at once using a function for ease-of-use. You'd need to slap this in a macro (or some existing mod) then execute it once to declare the function before you can use it. This function will let you more easily adjust the camera speed (less typing).
/script function cam(s) SetCVar("cameraSmoothTimeMax",s) SetCVar("cameraSmoothTimeMin",s) end

After running the above to declare the function, use the function as shown below. 10 is the duration of the camera preset transition in seconds, but it can be whatever you want. Awesome for videos :)
/script cam(10)

Screen

2009-10-01T16:27:47Z

Dre: added screen naming stuff

=== Basics ===

Control-a (C-a) is screen attention sequence and preceeds all screen commands. For example, to create a new screen window, type control-a, then c. To clarify even further: hold control, type a, release control, press c.

c = new window
k = kill current window
d = detach from screen
? = show online help

From outside of the screen session:
screen -R = reattach
screen -x = multi-attach

To set screen name at start time:
screen -S foo

To reattach to screen with given name:
screen -x foo

=== caption and hardstatus ===
I use the following with Terminal's color scheme set to green on black:
caption always "%{Mk}%?%-Lw%?%{km}[%n*%f %t]%?(%u)%?%{mk}%?%+Lw%? %{mk}"
hardstatus alwayslastline "%{kW}%H %{kB}|%{km} %l %=%{km}%c:%s %D %M/%d/%Y "

=== Navigation ===
" = list window names, numbers, and flags
N = show current window number
A = set window name
' = specify name or number to switch to
space = next window
backspace = prev window
# = goto window number #
w = show window list in status bar
C-a = switch to most recent window

=== Split Windows ===
S = create split in current region
tab = move to next region
X = delete current region
Q = delete all but current region

=== Monitoring ===
M = toggle activity monitor notifications in status bar
_ = toggle INactivity monitor notification in status bar (e.g. for when something's done compiling)
m = recall last message displayed in status bar
C-g = toggle audio / visual bell
t = show time / load average

=== Scrollback / copy mode movement keys ===

[ = enter copy mode
h, j, k, l move the cursor line by line or column by column.
0, ^ and $ move to the leftmost column, to the first or last non-
whitespace character on the line.
H, M and L move the cursor to the leftmost column of the top, center
or bottom line of the window.
+ and - positions one line up and down.
G moves to the specified absolute line (default: end of buffer).
| moves to the specified absolute column.
w, b, e move the cursor word by word.
B, E move the cursor WORD by WORD (as in vi).
C-u and C-d scroll the display up/down by the specified amount of
lines while preserving the cursor position. (Default: half screen-
full).
C-b and C-f scroll the display up/down a full screen.
g moves to the beginning of the buffer.
% jumps to the specified percentage of the buffer.

===Pasteboard===
Paste the contents of the pasteboard
C-a ]

Read the /etc/passwd file into register p and paste it back out
C-a : readreg p /etc/passwd
C-a : paste p

Marking:
The copy range is specified by setting two marks. The text between
these marks will be highlighted. Press
space to set the first or second mark respectively.
Y and y used to mark one whole line or to mark from start of line.
W marks exactly one word.
Repeat count:
Any of these commands can be prefixed with a repeat count number by
pressing digits 0..9 which is taken as a repeat count.
Example: "C-a C-[ H 10 j 5 Y" will copy lines 11 to 15 into the
paste buffer.
Searching:
/ Vi-like search forward.
? Vi-like search backward.
C-a s Emacs style incremental search forward.
C-r Emacs style reverse i-search.
Specials:
There are however some keys that act differently than in vi. Vi
does not allow one to yank rectangular blocks of text, but screen
does. Press c or C to set the left or right margin respectively. If no repeat
count is given, both default to the current cursor position.
Example: Try this on a rather full text screen: "C-a [ M 20 l SPACE
c 10 l 5 j C SPACE".
This moves one to the middle line of the screen, moves in 20 col-
umns left, marks the beginning of the paste buffer, sets the left
column, moves 5 columns down, sets the right column, and then marks
the end of the paste buffer. Now try:
"C-a [ M 20 l SPACE 10 l 5 j SPACE"
and notice the difference in the amount of text copied.
J joins lines. It toggles between 4 modes: lines separated by a new-
line character (012), lines glued seamless, lines separated by a
single whitespace and comma separated lines. Note that you can
prepend the newline character with a carriage return character, by
issuing a "crlf on".
v is for all the vi users with ":set numbers" - it toggles the left
margin between column 9 and 1. Press
a before the final space key to toggle in append mode. Thus the con-
tents of the paste buffer will not be overwritten, but is appended
to.
A toggles in append mode and sets a (second) mark.
> sets the (second) mark and writes the contents of the paste buffer
to the screen-exchange file (/tmp/screen-exchange per default) once
copy-mode is finished.
This example demonstrates how to dump the whole scrollback buffer
to that file: "C-A [ g SPACE G $ >".
C-g gives information about the current line and column.
x exchanges the first mark and the current cursor position. You can
use this to adjust an already placed mark.
@ does nothing. Does not even exit copy mode.
All keys not described here exit copy mode.

=== Commands ===

Commands can exist in .screenrc or can be entered interactively with C-a, :

send the 'whoami' command to all screen windows simultaneously (\015 is octal for carriage return)
at \# stuff "whoami\015"

back to [[Main Page]]

Gnuplot

2009-09-08T18:21:14Z

Dre:

Basic x / y plot of data from a file in the form:

x1 y1
x2 y2
x3 y3

set ytic auto
set xtic auto
set title "iCal Server Queue Depth / Latency"
set xlabel "Queue Depth"
set ylabel "Latency"
plot "ical-queues.txt" using 1:1 title "Queue Depth" with lines
plot "ical-queues.txt" using 1:2 title "Latency" with lines

Gnuplot

2009-09-08T18:20:53Z

Dre: New page: Basic x / y plot of data from a file in the form: x1 y1 x2 y2 x3 y3 set ytic auto set xtic auto set title "iCal Server Queue Depth / Latency" set xlabel "Queue Depth" set ylabel ...

Basic x / y plot of data from a file in the form:

x1 y1
x2 y2
x3 y3

set ytic auto
set xtic auto
set title "iCal Server Queue Depth / Latency"
set xlabel "Queue Depth"
set ylabel "Latency"
plot "ical-queues.tx t" using 1:1 title "Queue Depth" with lines
plot "ical-queues.txt" using 1:2 title "Latency" with lines

Main Page

2009-09-08T18:19:51Z

Dre: /* Quick Reference Pages */

=== Hey, another wiki. Great! ===
Here, you will find things. You may notice that anonymous edits are firmly '''DISABLED'''. Yeah, THAT'S RIGHT. I am intentionally destroying the communal benefits that wiki was designed to provide. Why? I friggin hate spam, and my two previous wikis were consumed by friggin spambots. You may also notice that you can't create a user account. COPE! :) If you really want to contribute, please mail me at dreNOSPAMPLSKTHX@mac.com, and I'd be more than happy to let you in.

UPDATE: Even this one got spam-bombed. Note to self: use of 'one-click upgrades' are unlikely to migrate configuration file directives when the syntax changes.

Here is the page of [[User:Dre]], your esteemed information broker.

You may want to scope my other, less sandbox-like presence: http://www.dreness.com, or my tech blog: http://www.dreness.com/blog

=== Mac OS X ===
[[Parallels]] - Wrangling virtual machines!

[[Cool Apps]] - A list of applications that I've found useful / cool

[[TigerPage]] - This stuff is all specific to Mac OS X 10.4, Tiger. Some items discussed here:
*launchd
*dummynet

[[LKDC]]

=== IT Stuff ===
I once maintained a FreeBSD box in colo. Check out the page of [[meta]], where I have notes and instructions for the various services I was running.

Rebuilding [[floe]] from OpenBSD to FreeBSD.

[[Mac OS X Server]] stuff.

[[Net SNMP]] items.

=== Scripting / Development ===
[[Scripting]] - Here's where I keep a bunch of scripting snippets / examples. This includes:
*Basic shell scripting idioms (tests, loops, redirection)
*zsh profile elements
*AppleScript Droplet example
*Perl scripts

[[Useful Commands]] - Some useful and often Mac OS X specific commands. So far:
*Using dd to rescue data from a dying disk
*Encypted and growable disk images
*perl one-liner for global find / replace
*finding the input device idle time from ioreg

[[cocoa]]

[[php]] in OS X

[[bugzilla]] in OS X

[[phpbb]] in OS X

[[rrdtool]] builds without error in 10.3.9

(old) [[Panther DNS Issues]]

[[Installing and using unix software in userland]]

[[How to make and apply patches]]

[[How to compile other software using Macports libraries]]

=== Quick Reference Pages ===
[[irssi]] [[screen]] [[X11]] [[q3]] [[color escape sequences]] [[mysql]] [[wow]] [http://sial.org/howto/perl/life-with-cpan CPAN notes] [http://meta.wikimedia.org/wiki/Preventing_Access wikimedia security notes] [[vi]] [[apache]] [[iphone]] [[gnuplot]]

=== [[Network Stuff]] ===
*[http://www.dreness.com/wikimedia/index.php?title=Network_Stuff#Streaming_your_iTunes_music_remotely iTunes Remote Streaming] details the process for using iTunes music sharing across a WAN.
*[http://www.dreness.com/wikimedia/index.php?title=Network_Stuff#AS_.2F_Routing_Reserach AS / Routing Research] includes information about determining the number of discrete logical paths in and out of an Autonomous System (AS)
*[http://www.dreness.com/wikimedia/index.php?title=Network_Stuff#TCP_Timeouts_TCP_Timeouts TCP Timeouts] shows some sysctl configuration for adjusting TCP window sizes.
*[http://www.dreness.com/wikimedia/index.php?title=Network_Stuff#Xinetd.2C_ssh_and_netcat_xinetd.2C_ssh_and_netcat xinetd, ssh and netcat] is a xinetd configuration example showing how to use xinetd to trigger ssh / netcat on demand to encrypt pop3 traffic.

... and then of course, the requisite links to the mediawiki docs, hosted at wikipedia:

Please see [http://meta.wikipedia.org/wiki/MediaWiki_i18n documentation on customizing the interface]
and the [http://meta.wikipedia.org/wiki/MediaWiki_User%27s_Guide User's Guide] for usage and configuration help.

How to compile other software using Macports libraries

2009-07-17T00:05:39Z

Dre:

=How to compile other software using Macports libraries=
Audience: Beginner / Intermediate

==Introduction==

This document will attempt to illustrate how to use Macports to fulfill library dependencies of other software that has not been incorporated into Macports. Two examples will be covered here, representing two of the most common way that software is compiled. The first example will demonstrate how to compile a single C source file using gcc directly, linking and including the Macports libraries via the -L and -I gcc command line options. The second example will demonstrate how to link against Macports libraries when compiling software that uses the GNU autoconf system, in which case you do not run gcc directly, but instead pass arguments to the 'configure' script.

==Executive Summary and Cheat Sheet==

When using gcc, usually you want to add the following to the list of gcc command line arguments:
-I/opt/local/include -L/opt/local/lib

When using autoconf, you usually have a couple options:

1) populate the following environment variables with Macports paths, e.g.

export LDFLAGS='-L/opt/local/lib'
export CPPFLAGS='-I/opt/local/include'
export LD_LIBRARY_PATH=/opt/local/lib
export LD_INCLUDE_PATH=/opt/local/include

2) Pass the required paths as arguments to the configure script. Most configure scripts have specific options for defining the location of dependent libraries; run ./configure --help to see a list of the available options.

==Using Macports libraries with gcc==

In this first example, we will be compiling a simple program that exercises some basic functions of the GMP library, available here: http://gmplib.org/. Since gmp is available via Macports, begin by installing gmp:

sudo port install gmp

Next, we'll make a working directory and download the C source file we'll be compiling, located at http://silassewell.googlecode.com/svn/trunk/2008/10/18/gmp_hello_world/gmp_hello_world.c

mkdir ~/gmp-test
curl -O

Copy the code

Configuration

TODO

Optional Parts

TODO: What else can be done?

How to compile other software using Macports libraries

2009-07-16T18:12:20Z

Dre: New page: TODO: How to compile other software using Macports libraries Audience: Beginner Introduction This document will attempt to illustrate how to use Macports to fulfill library dependencies ...

TODO: How to compile other software using Macports libraries
Audience: Beginner

Introduction

This document will attempt to illustrate how to use Macports to fulfill library dependencies of other software that has not been incorporated into Macports. Two examples will be covered here, representing two of the most common way that software is compiled. The first example will demonstrate how to compile a single C source file using gcc directly, linking and including the Macports libraries via the -L and -I gcc command line options. The second example will demonstrate how to link against Macports libraries when compiling software that uses the GNU autoconf system, in which case you do not run gcc directly, but instead pass arguments to the 'configure' script.

Step 1: TODO: Step 1 title

TODO

Configuration

TODO

Optional Parts

TODO: What else can be done?

Main Page

2009-07-16T17:59:09Z

Dre: /* Scripting / Development */

=== Hey, another wiki. Great! ===
Here, you will find things. You may notice that anonymous edits are firmly '''DISABLED'''. Yeah, THAT'S RIGHT. I am intentionally destroying the communal benefits that wiki was designed to provide. Why? I friggin hate spam, and my two previous wikis were consumed by friggin spambots. You may also notice that you can't create a user account. COPE! :) If you really want to contribute, please mail me at dreNOSPAMPLSKTHX@mac.com, and I'd be more than happy to let you in.

UPDATE: Even this one got spam-bombed. Note to self: use of 'one-click upgrades' are unlikely to migrate configuration file directives when the syntax changes.

Here is the page of [[User:Dre]], your esteemed information broker.

You may want to scope my other, less sandbox-like presence: http://www.dreness.com, or my tech blog: http://www.dreness.com/blog

=== Mac OS X ===
[[Parallels]] - Wrangling virtual machines!

[[Cool Apps]] - A list of applications that I've found useful / cool

[[TigerPage]] - This stuff is all specific to Mac OS X 10.4, Tiger. Some items discussed here:
*launchd
*dummynet

[[LKDC]]

=== IT Stuff ===
I once maintained a FreeBSD box in colo. Check out the page of [[meta]], where I have notes and instructions for the various services I was running.

Rebuilding [[floe]] from OpenBSD to FreeBSD.

[[Mac OS X Server]] stuff.

[[Net SNMP]] items.

=== Scripting / Development ===
[[Scripting]] - Here's where I keep a bunch of scripting snippets / examples. This includes:
*Basic shell scripting idioms (tests, loops, redirection)
*zsh profile elements
*AppleScript Droplet example
*Perl scripts

[[Useful Commands]] - Some useful and often Mac OS X specific commands. So far:
*Using dd to rescue data from a dying disk
*Encypted and growable disk images
*perl one-liner for global find / replace
*finding the input device idle time from ioreg

[[cocoa]]

[[php]] in OS X

[[bugzilla]] in OS X

[[phpbb]] in OS X

[[rrdtool]] builds without error in 10.3.9

(old) [[Panther DNS Issues]]

[[Installing and using unix software in userland]]

[[How to make and apply patches]]

[[How to compile other software using Macports libraries]]

=== Quick Reference Pages ===
[[irssi]] [[screen]] [[X11]] [[q3]] [[color escape sequences]] [[mysql]] [[wow]] [http://sial.org/howto/perl/life-with-cpan CPAN notes] [http://meta.wikimedia.org/wiki/Preventing_Access wikimedia security notes] [[vi]] [[apache]] [[iphone]]

=== [[Network Stuff]] ===
*[http://www.dreness.com/wikimedia/index.php?title=Network_Stuff#Streaming_your_iTunes_music_remotely iTunes Remote Streaming] details the process for using iTunes music sharing across a WAN.
*[http://www.dreness.com/wikimedia/index.php?title=Network_Stuff#AS_.2F_Routing_Reserach AS / Routing Research] includes information about determining the number of discrete logical paths in and out of an Autonomous System (AS)
*[http://www.dreness.com/wikimedia/index.php?title=Network_Stuff#TCP_Timeouts_TCP_Timeouts TCP Timeouts] shows some sysctl configuration for adjusting TCP window sizes.
*[http://www.dreness.com/wikimedia/index.php?title=Network_Stuff#Xinetd.2C_ssh_and_netcat_xinetd.2C_ssh_and_netcat xinetd, ssh and netcat] is a xinetd configuration example showing how to use xinetd to trigger ssh / netcat on demand to encrypt pop3 traffic.

... and then of course, the requisite links to the mediawiki docs, hosted at wikipedia:

Please see [http://meta.wikipedia.org/wiki/MediaWiki_i18n documentation on customizing the interface]
and the [http://meta.wikipedia.org/wiki/MediaWiki_User%27s_Guide User's Guide] for usage and configuration help.

Scripting

2009-07-04T19:09:45Z

Dre: Added mail server testing scripts

==Theory==

====Redirection====

> Redirect standard output
2> Redirect standard error
2>&1 Redirect standard error to standard output
< Redirect standard input
| Pipe standard output to another command
>> Append to standard output
2>&1| Pipe standard output and standard error to another command
|& Same as above

====for loop====
for file in `ls`
do
mv $file $file.copy
done

====if statement====
if [ 1 = 1 ] ; then echo "yes" ; else echo "no" ; fi

====tests==== (for cli args):
if ( ! [ $1 ] || [ ! $2 ] ) ; then echo "yup" ; else echo "nope" ; fi

==Practice==
===Shell scripts===

====Mail Server Testing====
mailit.sh contains:
#!/bin/sh
# path comes in as only arg
BASE=`basename "$1"`
uuencode "$1" $BASE | mail -s $BASE user@domain.com

Then feed it some stuff...
find / -name "*.jpg" -print -exec ./mailit.sh {} \;

====Disk Stats====
(zsh, all one line)
x=0 ; df -t hfs,afpfs | grep "/" | awk '{print $2}' | sed 's/G//g' | while read line ;\
do x=($line + $x); done ; echo "($x) / 1024 / 1024 / 2" | bc

====Get console idle time====
echo $((`ioreg -c IOHIDSystem | sed -e '/HIDIdleTime/ !{ d' -e 't' -e '}' -e 's/.* = //g' -e 'q'` / 1000000000))

====Sort all processes in ascending order by process priority====
ps auxwwl | tr -s ' ' | cut -d' ' -f14,17-30 | sort -n

====Conditional line printing====
The following prints only users with UID greater than 500
dscl . -list /users uid UniqueID | awk '$2 > 500 { print $1 }'

Or the same thing with perl, using the autosplit feature, -a
dscl . -list /users UniqueID | perl -nae 'print "$F[0]\n" if $F[1] > 500;'

Or the same thing again with perl, using regex:
dscl . -list /users UniqueID | perl -ne '$stuff = /^(\w*?)\s*?(\d*?)$/ ; if ( $2 > 500) { print "$1 $2\n" }'

====Profile elements====
The following can be used in a .zshrc or equivalent

=====Dynamic Terminal Window Titles=====
case $TERM in
vt100*)
precmd () {print -Pn "\e]0;%n@%m: %~\a"}
;;
esac

=====Fancy prompt=====
PS1="$(print '%{\e[;31m%}%n%{\e[;0m%}@%{\e[;30m%}%m%{\e[0;37m%}[%~]%{\e[0m%}% ')"

=====Fancy aliases=====
alias yak="yak -Pn \"\e]0;.o0 yak 0o.\a\" ; ssh yak"

====Network Connectivity Notifications====
<pre>
#!/bin/sh
# Ping an IP and do sound effects when our connection state changes.
# Get PlayBufferedSoundFile here: http://www.snoize.com/Code/PlayBufferedSoundFile.tar.gz
target='12.116.25.9'
status='online'
oldstatus='online'
while true
now=`date`
echo "$now = $status"
if [[ $status != $oldstatus ]]
then if [[ $status == "online" ]]
then ~/bin/PlayBufferedSoundFile ~/Documents/sounds/frostnova.aif
else ~/bin/PlayBufferedSoundFile ~/Documents/sounds/cs.aif
fi
fi
oldstatus="$status"
sleep 3
do ping -t1 -c1 -n $target>/dev/null 2>&1 && status="online"||status="offline"
done
</pre>.
===AppleScript===
====Droplet====
on open some_items

display dialog "Where to, hoss?" buttons {"docroot", "bits", "public_html"} default button "bits"
set theButton to the button returned of the result

if theButton = "bits" then
set dest to "andre@dreness.com:/home/websites/dreness/bits"
else if theButton = "docroot" then
set dest to "andre@dreness.com:/home/websites/dreness"
else if theButton = "public_html" then
set dest to "andre@dreness.com:~/public_html"
else
display dialog "no valid choices!"
end if

repeat with this_item in some_items
try
do shell script "scp " & quoted form of the POSIX path of this_item & " " & quoted form of dest
end try
end repeat
end open

===Perl===
====QTSS Stats====
#!/usr/bin/perl -w
# This is a tiny script to parse QTSS's server_status to provide a running output of
# statistics that is extremely low overhead. Refresh is every 10 seconds,
# since that is how often the server_status file is updated by the server
# 8/2/03, dre@mac.com
#full path of server_status file
$statsfile = "/Library/QuickTimeStreaming/Logs/server_status";
while (1) {
open(STATS, "$statsfile");
while ($line = <STATS>) {
if ($line =~ /<key>(.*?)<\/key>/) {
$storein = "$1";
} elsif ($storein) {
$line =~ /<string>(.*?)<\/string>/;
$dss_stats{"$storein"} = "$1";
undef $storein;
};
};
print `date`;
print "Total RTP connections: $dss_stats{qtssRTPSvrTotalConn}\n";
print "Current RTSP / HTTP connections: $dss_stats{qtssRTSPHTTPCurrentSessionCount}\n";
print "Current RTP connections: $dss_stats{qtssRTPSvrCurConn}\n";
$rtp_kbits = sprintf("%.2f", ($dss_stats{qtssRTPSvrCurBandwidth} / 1000));
$rtp_mbits = sprintf("%.2f", ($rtp_kbits / 1000));
print "Current RTP bandwidth $rtp_kbits Kbit/s ($rtp_mbits Mbit/s)\n";
print "Current RTP packets: $dss_stats{qtssRTPSvrCurPackets}\n";
$rtp_bytes = $dss_stats{qtssRTPSvrTotalBytes};
$rtp_megs = ($dss_stats{qtssRTPSvrTotalBytes} / 1024 / 1024);
$rtp_megs = sprintf("%.2f", $rtp_megs);
$rtp_gigs = ($rtp_megs / 1024);
$rtp_gigs = sprintf("%.2f", $rtp_gigs);
print "Total RTP bytes transfered: $rtp_bytes ($rtp_megs MB, $rtp_gigs GB)\n";
close(STATS);
print "\n";
sleep 10;
};

====SSH Tunnel Watcher====
#!/usr/bin/perl
if ( `ps x | grep "ssh -L 2501:local:25" | grep -v grep` ) {
print "local mail ssh tunnel running okay! n";
} else {
print "reloading... n";
system("ssh -L 2501:local:25 -f -N local");
};
if ( `ps x | grep "ssh -L 2500:local:2501" | grep -v grep` ) {
print "public mail ssh tunnel running okay! n";
} else {
print "reloading... n";
system("ssh -L 2500:local:2501 -f -N -g local");
};

Useful Commands

2009-06-21T00:54:02Z

Dre: added mailit script

==== Rsync ====
Use it just like scp for maximum ease! We will add the -avz flags for
-a = archive, preserve metadata
-v = verbose
-z = use compression (most useful across slow network links)
-P = 'partial' mode; stores partially transfered files so you can resume if needed

The following copies the local directory /some/stuff into a directory called 'stuff' in the user's home dir on the remote host.
rsync -avzP /some/stuff user@remote.host:stuff

To go in the other direction, use the form:
rsync -avP user@host.com:'/dir/1 /dir/2' /local/path

====Data rescue====
Have a dying disk? Better get the data off before it's too late! disk1 is the culprit in this example.
dd conv=noerror,sync if=/dev/disk1 of=/Volumes/whatever/backup.dmg

====Zip files with resource forks====
ditto -c -k --keepParent aFolder aFolder.zip

====Encrypted and growable (sparse) disk image====
(-size specifies max growth)
hdiutil create dmg_name -size 1g -encryption -type SPARSE -fs HFS+ -volname Vault

====Global find / replace====
perl -pi -e 's/foo/bar/g' file
perl -pi -e 's/mandir=\'\${prefix}\/man\'/mandir=\'\${prefix}\/share\/man\'/g' configure

====Disk Stats==== (zsh)
echo -n "Sum of all HFS and AFP volumes in gigs: " ; x=0 ; df -t hfs,afpfs | grep "/" \
| awk '{print $2}' | sed 's/G//g' | while read line ; do x=($line + $x); done ; echo "($x) / 1024 / 1024 / 2" | bc

====Get console idle time====
echo $((`ioreg -c IOHIDSystem | sed -e '/HIDIdleTime/ !{ d' -e 't' -e '}' -e 's/.* = //g' -e 'q'` / 1000000000))

====System Tuning====
Any of these can be set manually with:
sudo sysctl -w sysctl.key=value

Place the following in /etc/sysctl.conf and reboot to boost your limits
# values increased by 2x over defaults
kern.maxfiles=24576
kern.maxfilesperproc=20480
kern.maxprocperuid=200
kern.maxproc=1064

====debugging / hidden preferences====
=====iChat Logging=====
defaults write com.apple.iChat Log YES
defaults write com.apple.iChat Log.SecureIM YES
defaults write com.apple.iChatAgent Log YES
defaults write com.apple.iChatAgent Log.SecureIM YES
/Applications/iChat.app/Contents/MacOS/iChat -errorLogLevel 7

=====Mail logging=====
/Applications/Mail.app/Contents/MacOS/Mail -LogActivityOnHost bar.company.com

=====Screen Saver=====
defaults -currentHost write com.apple.screensaver askForPassword -boolean true
defaults -currentHost write com.apple.screensaver moduleName -string foo
defaults -currentHost write com.apple.screensaver modulePath -string "~/Library/Screen Savers/foo.saver"

====Mail Server Testing====
Use this to generate a bunch of messages with attachments.

find / -name "*.jpg" -print -exec ./mailit.sh {} \;

with mailit.sh containing the following. Edit the email address as needed.

#!/bin/sh
# path comes in as only arg
BASE=`basename "$1"`
uuencode "$1" $BASE | mail -s $BASE netuser1@server100.4952

Wow

2009-05-03T21:16:02Z

Dre: removed old content

=Macros=
(many of these are outdated)

==Offensive==

"castsequence" is a great new addition to the macro language that lets you assign a sequence of things to a single key. Each press (after the global cooldown) gets you the next item in the list. When you hit the end, it automatically wraps back around. I also add a reset timer so that it jumps back to the beginning, because mana spring doesn't last as long as the others, so I typically have to re-cast it more often. Also, the /shift means that reset is triggered after 25 seconds, or if I shift-click the macro button (allowing me to bypass the 25 second timer if I need to).

'''cast'''
/castsequence reset=25/shift Mana Spring Totem, Wrath of Air Totem, Totem of Wrath, Strength of Earth Totem

'''mele'''
/castsequence reset=25/shift Grace of Air Totem, Strength of Earth Totem, Healing Stream Totem, Totem of Wrath

Adding a [button:2] clause acts as a conditional that is only true if the macro was invoked with (in this case) a right-click. Depending on your mouse, you may also have additional buttons (3, 4, 5). I right-click for a rank 1 when I want to do is get the secondary effect of the spell (e.g. slow target, prevent stealth, interrupt spells, reveal stealthed players in mele range) without spending a lot of mana.

'''chain'''
/cast [help, combat, button:2] Chain Heal; [help, nocombat, button:2] Chain Heal;
[target=targettarget, help, combat, button:2] Chain Heal;
[target=player, button:2] Chain Heal; Chain Lightning

This is used for either a chain lightning or a chain heal. Normal click is chain lightning, but a right click gives it a hw like behavior (see below), but with chain heal instead of healing wave.

==Defensive==

'''hw'''
/cast [button:2] Nature's Swiftness; [help, combat] Healing Wave; [help, nocombat] Healing Wave;
[target=targettarget, help, combat] Healing Wave; [target=player] Healing Wave
I like this one a lot, but can't take credit for writing it, though I did add the NS bit. Right click it to proc Nature's Swiftness; left-click does one of the following: If your target is friendly, heal it (whether in combat or not). If your target's target is friendly and you are in combat, heal your target's target. This is the key clause here; it allows you to dps a target and also heal the target's target (e.g. your tank or yourself) without changing your own target first. Finally, if none of the above is true, heal yourself. To get a fast heal, do a rapid right-click left-click... works great, and is so fast that nobody would have time to dispell the NS before the big heal pops.

'''lhw'''
/cast [help, combat] Lesser Healing Wave; [help, nocombat] Lesser Healing Wave;
[target=targettarget, help, combat] Lesser Healing Wave; [target=player] Lesser Healing Wave

Same as above, but with lesser healing wave and without NS.

'''st-hl'''
/cast War Stomp
/target Jindi
/cast Healing Wave
Normally I just use this for war stomp, but if I want a big heal after that, just keep pressing...

'''t-heal'''
This is a big insta-heal with both trinkets
/use 13
/use 14
/cast Nature's Swiftness
/cast Healing Wave

=Videography=

==Camera Control==

Nice camera moves are best achieved by the game itself, as it's basically impossible to match the smooth motion curves with any sort of human input device. One way to do this is to use the camera presets. By default, the speed at which the camera moves between presets is pretty quick - good for in-game use, but not good for cinematic purposes. You can adjust the camera movement speed by altering the time duration of the transition, using a couple of cvars. They are:

cameraSmoothTimeMax
cameraSmoothTimeMin

* in a slash command context:
/console SET cameraSmoothTimeMax 15.0
/console SET cameraSmoothTimeMin 15.0

* in a script context:
SetCVar("cameraSmoothTimeMax","15")
SetCVar("cameraSmoothTimeMin","15")

* or you can set both at once using a function for ease-of-use. You'd need to slap this in a macro (or some existing mod) then execute it once to declare the function before you can use it. This function will let you more easily adjust the camera speed (less typing).
/script function cam(s) SetCVar("cameraSmoothTimeMax",s) SetCVar("cameraSmoothTimeMin",s) end

After running the above to declare the function, use the function as shown below. 10 is the duration of the camera preset transition in seconds, but it can be whatever you want. Awesome for videos :)
/script cam(10)

Wow

2009-05-03T20:41:10Z

Dre: /* Camera Control */

=Talent Builds=
* [http://www.worldofwarcraft.com/info/classes/shaman/talents.html?tal=050300000000000000000000005002300000000000000000000050035331001013550120331251 Resto Shaman PVP / PVE: 8 -10-53]

PVP focus with some PVE utility; no mana tide, has elemental warding, instant ghost wolf, improved shields

* [http://www.worldofwarcraft.com/info/classes/shaman/talents.html?tal=050300000000000000000000005002300000000000000000000050035331001013550120331251 Resto Shaman PVP: 0-20-51]

Pure arena build, includes improved shields, shamanistic focus, guardian totems and 2 / 5 toughness, with 2 points shaved from the top end of Resto. More crit than the 8 / 10 / 53 build. No mana tide.

=Macros=
(these are all outdated)

==Offensive==

"castsequence" is a great new addition to the macro language that lets you assign a sequence of things to a single key. Each press (after the global cooldown) gets you the next item in the list. When you hit the end, it automatically wraps back around. I also add a reset timer so that it jumps back to the beginning, because mana spring doesn't last as long as the others, so I typically have to re-cast it more often. Also, the /shift means that reset is triggered after 25 seconds, or if I shift-click the macro button (allowing me to bypass the 25 second timer if I need to).

'''cast'''
/castsequence reset=25/shift Mana Spring Totem, Wrath of Air Totem, Totem of Wrath, Strength of Earth Totem

'''mele'''
/castsequence reset=25/shift Grace of Air Totem, Strength of Earth Totem, Healing Stream Totem, Totem of Wrath

Adding a [button:2] clause acts as a conditional that is only true if the macro was invoked with (in this case) a right-click. Depending on your mouse, you may also have additional buttons (3, 4, 5). I right-click for a rank 1 when I want to do is get the secondary effect of the spell (e.g. slow target, prevent stealth, interrupt spells, reveal stealthed players in mele range) without spending a lot of mana.

'''frs'''
/cast [button:2] Frost Shock(Rank 1) ; Frost Shock

'''fls'''
/cast [button:2] Flame Shock(Rank 1) ; Flame Shock

'''es'''
/cast [button:2] Earth Shock(Rank 1) ; Earth Shock

'''magma'''
/cast [button:2] Magma Totem(Rank 1) ; Magma Totem

'''flash'''
/castsequence reset=10 Flametongue Weapon, Frostbrand Weapon

This one's silly... looks sorta cool to just spam it while running around town, but it's also a useful toggle when your target is immune to either flame or frost damage. As an ele shaman, you probably want flametongue by default as it gets your +spell damage.

'''chain'''
/cast [help, combat, button:2] Chain Heal; [help, nocombat, button:2] Chain Heal;
[target=targettarget, help, combat, button:2] Chain Heal;
[target=player, button:2] Chain Heal; Chain Lightning

This is used for either a chain lightning or a chain heal. Normal click is chain lightning, but a right click gives it a hw like behavior (see below), but with chain heal instead of healing wave.

==Defensive==

'''clean'''
/castsequence reset=shift Poison Cleansing Totem, Disease Cleansing Totem

'''def'''
/castsequence reset=15/shift Grounding Totem, Tremor Totem, Healing Stream Totem, Totem of Wrath

'''hold'''
/castsequence reset=15/shift Earthbind Totem, Grounding Totem, Searing Totem

'''resist'''
/castsequence reset=20/shift Nature Resistance Totem, Frost Resistance Totem, Fire Resistance Totem, Stoneskin Totem

'''hw'''
/cast [button:2] Nature's Swiftness; [help, combat] Healing Wave; [help, nocombat] Healing Wave;
[target=targettarget, help, combat] Healing Wave; [target=player] Healing Wave
I like this one a lot, but can't take credit for writing it, though I did add the NS bit. Right click it to proc Nature's Swiftness; left-click does one of the following: If your target is friendly, heal it (whether in combat or not). If your target's target is friendly and you are in combat, heal your target's target. This is the key clause here; it allows you to dps a target and also heal the target's target (e.g. your tank or yourself) without changing your own target first. Finally, if none of the above is true, heal yourself. To get a fast heal, do a rapid right-click left-click... works great, and is so fast that nobody would have time to dispell the NS before the big heal pops.

'''lhw'''
/cast [help, combat] Lesser Healing Wave; [help, nocombat] Lesser Healing Wave;
[target=targettarget, help, combat] Lesser Healing Wave; [target=player] Lesser Healing Wave

Same as above, but with lesser healing wave and without NS.

'''st-hl'''
/cast War Stomp
/target Jindi
/cast Healing Wave
Normally I just use this for war stomp, but if I want a big heal after that, just keep pressing...

'''t-heal'''
This is a big insta-heal with both trinkets
/stopcasting
/use 13
/stopcasting
/use 14
/stopcasting
/cast Nature's Swiftness
/stopcasting
/cast Healing Wave

==Misc==
A nice context-sensitive mount macro
/cast [Stance:1] Ghost Wolf
/cast [combat,nomounted,outdoors] Nature's Swiftness
/stopcasting
/use [flyable,nomounted] Blue Windrider
/use [noflyable,nomounted,outdoors] Black War Kodo
/cast [combat,nomounted,outdoors] Ghost Wolf
/dismount

=Videography=

==Camera Control==

Nice camera moves are best achieved by the game itself, as it's basically impossible to match the smooth motion curves with any sort of human input device. One way to do this is to use the camera presets. By default, the speed at which the camera moves between presets is pretty quick - good for in-game use, but not good for cinematic purposes. You can adjust the camera movement speed by altering the time duration of the transition, using a couple of cvars. They are:

cameraSmoothTimeMax
cameraSmoothTimeMin

* in a slash command context:
/console SET cameraSmoothTimeMax 15.0
/console SET cameraSmoothTimeMin 15.0

* in a script context:
SetCVar("cameraSmoothTimeMax","15")
SetCVar("cameraSmoothTimeMin","15")

* or you can set both at once using a function for ease-of-use. You'd need to slap this in a macro (or some existing mod) then execute it once to declare the function before you can use it. This function will let you more easily adjust the camera speed (less typing).
/script function cam(s) SetCVar("cameraSmoothTimeMax",s) SetCVar("cameraSmoothTimeMin",s) end

After running the above to declare the function, use the function as shown below. 10 is the duration of the camera preset transition in seconds, but it can be whatever you want. Awesome for videos :)
/script cam(10)

Wow

2009-05-03T20:39:03Z

Dre: /* Camera Control */

=Talent Builds=
* [http://www.worldofwarcraft.com/info/classes/shaman/talents.html?tal=050300000000000000000000005002300000000000000000000050035331001013550120331251 Resto Shaman PVP / PVE: 8 -10-53]

PVP focus with some PVE utility; no mana tide, has elemental warding, instant ghost wolf, improved shields

* [http://www.worldofwarcraft.com/info/classes/shaman/talents.html?tal=050300000000000000000000005002300000000000000000000050035331001013550120331251 Resto Shaman PVP: 0-20-51]

Pure arena build, includes improved shields, shamanistic focus, guardian totems and 2 / 5 toughness, with 2 points shaved from the top end of Resto. More crit than the 8 / 10 / 53 build. No mana tide.

=Macros=
(these are all outdated)

==Offensive==

"castsequence" is a great new addition to the macro language that lets you assign a sequence of things to a single key. Each press (after the global cooldown) gets you the next item in the list. When you hit the end, it automatically wraps back around. I also add a reset timer so that it jumps back to the beginning, because mana spring doesn't last as long as the others, so I typically have to re-cast it more often. Also, the /shift means that reset is triggered after 25 seconds, or if I shift-click the macro button (allowing me to bypass the 25 second timer if I need to).

'''cast'''
/castsequence reset=25/shift Mana Spring Totem, Wrath of Air Totem, Totem of Wrath, Strength of Earth Totem

'''mele'''
/castsequence reset=25/shift Grace of Air Totem, Strength of Earth Totem, Healing Stream Totem, Totem of Wrath

Adding a [button:2] clause acts as a conditional that is only true if the macro was invoked with (in this case) a right-click. Depending on your mouse, you may also have additional buttons (3, 4, 5). I right-click for a rank 1 when I want to do is get the secondary effect of the spell (e.g. slow target, prevent stealth, interrupt spells, reveal stealthed players in mele range) without spending a lot of mana.

'''frs'''
/cast [button:2] Frost Shock(Rank 1) ; Frost Shock

'''fls'''
/cast [button:2] Flame Shock(Rank 1) ; Flame Shock

'''es'''
/cast [button:2] Earth Shock(Rank 1) ; Earth Shock

'''magma'''
/cast [button:2] Magma Totem(Rank 1) ; Magma Totem

'''flash'''
/castsequence reset=10 Flametongue Weapon, Frostbrand Weapon

This one's silly... looks sorta cool to just spam it while running around town, but it's also a useful toggle when your target is immune to either flame or frost damage. As an ele shaman, you probably want flametongue by default as it gets your +spell damage.

'''chain'''
/cast [help, combat, button:2] Chain Heal; [help, nocombat, button:2] Chain Heal;
[target=targettarget, help, combat, button:2] Chain Heal;
[target=player, button:2] Chain Heal; Chain Lightning

This is used for either a chain lightning or a chain heal. Normal click is chain lightning, but a right click gives it a hw like behavior (see below), but with chain heal instead of healing wave.

==Defensive==

'''clean'''
/castsequence reset=shift Poison Cleansing Totem, Disease Cleansing Totem

'''def'''
/castsequence reset=15/shift Grounding Totem, Tremor Totem, Healing Stream Totem, Totem of Wrath

'''hold'''
/castsequence reset=15/shift Earthbind Totem, Grounding Totem, Searing Totem

'''resist'''
/castsequence reset=20/shift Nature Resistance Totem, Frost Resistance Totem, Fire Resistance Totem, Stoneskin Totem

'''hw'''
/cast [button:2] Nature's Swiftness; [help, combat] Healing Wave; [help, nocombat] Healing Wave;
[target=targettarget, help, combat] Healing Wave; [target=player] Healing Wave
I like this one a lot, but can't take credit for writing it, though I did add the NS bit. Right click it to proc Nature's Swiftness; left-click does one of the following: If your target is friendly, heal it (whether in combat or not). If your target's target is friendly and you are in combat, heal your target's target. This is the key clause here; it allows you to dps a target and also heal the target's target (e.g. your tank or yourself) without changing your own target first. Finally, if none of the above is true, heal yourself. To get a fast heal, do a rapid right-click left-click... works great, and is so fast that nobody would have time to dispell the NS before the big heal pops.

'''lhw'''
/cast [help, combat] Lesser Healing Wave; [help, nocombat] Lesser Healing Wave;
[target=targettarget, help, combat] Lesser Healing Wave; [target=player] Lesser Healing Wave

Same as above, but with lesser healing wave and without NS.

'''st-hl'''
/cast War Stomp
/target Jindi
/cast Healing Wave
Normally I just use this for war stomp, but if I want a big heal after that, just keep pressing...

'''t-heal'''
This is a big insta-heal with both trinkets
/stopcasting
/use 13
/stopcasting
/use 14
/stopcasting
/cast Nature's Swiftness
/stopcasting
/cast Healing Wave

==Misc==
A nice context-sensitive mount macro
/cast [Stance:1] Ghost Wolf
/cast [combat,nomounted,outdoors] Nature's Swiftness
/stopcasting
/use [flyable,nomounted] Blue Windrider
/use [noflyable,nomounted,outdoors] Black War Kodo
/cast [combat,nomounted,outdoors] Ghost Wolf
/dismount

=Videography=

==Camera Control==

Nice camera moves are best achieved by the game itself, as it's basically impossible to match the smooth motion curves with any sort of human input device. One way to do this is to use the camera presets. By default, the speed at which the camera moves between presets is pretty quick - good for in-game use, but not good for cinematic purposes. You can adjust the camera movement speed by altering the time duration of the transition, using a couple of cvars. They are:

cameraSmoothTimeMax
cameraSmoothTimeMin

* in a slash command context:
/console SET cameraSmoothTimeMax 15.0
/console SET cameraSmoothTimeMin 15.0

* in a script context:
SetCVar("cameraSmoothTimeMax","15")
SetCVar("cameraSmoothTimeMin","15")

* or you can set both at once using a function for ease-of-use. You'd need to slap this in a macro (or some existing mod) then execute it in before you can use the function. The idea is that this function will let you easily adjust the speed using a short-hand.
/script function cam(s) SetCVar("cameraSmoothTimeMax",s) SetCVar("cameraSmoothTimeMin",s) end

Use the function as shown below. 10 is the duration of the camera preset transition in seconds, but it can be whatever you want. Awesome for videos :)
/script cam(10)

Wow

2009-05-03T20:38:38Z

Dre: added camera control

=Talent Builds=
* [http://www.worldofwarcraft.com/info/classes/shaman/talents.html?tal=050300000000000000000000005002300000000000000000000050035331001013550120331251 Resto Shaman PVP / PVE: 8 -10-53]

PVP focus with some PVE utility; no mana tide, has elemental warding, instant ghost wolf, improved shields

* [http://www.worldofwarcraft.com/info/classes/shaman/talents.html?tal=050300000000000000000000005002300000000000000000000050035331001013550120331251 Resto Shaman PVP: 0-20-51]

Pure arena build, includes improved shields, shamanistic focus, guardian totems and 2 / 5 toughness, with 2 points shaved from the top end of Resto. More crit than the 8 / 10 / 53 build. No mana tide.

=Macros=
(these are all outdated)

==Offensive==

"castsequence" is a great new addition to the macro language that lets you assign a sequence of things to a single key. Each press (after the global cooldown) gets you the next item in the list. When you hit the end, it automatically wraps back around. I also add a reset timer so that it jumps back to the beginning, because mana spring doesn't last as long as the others, so I typically have to re-cast it more often. Also, the /shift means that reset is triggered after 25 seconds, or if I shift-click the macro button (allowing me to bypass the 25 second timer if I need to).

'''cast'''
/castsequence reset=25/shift Mana Spring Totem, Wrath of Air Totem, Totem of Wrath, Strength of Earth Totem

'''mele'''
/castsequence reset=25/shift Grace of Air Totem, Strength of Earth Totem, Healing Stream Totem, Totem of Wrath

Adding a [button:2] clause acts as a conditional that is only true if the macro was invoked with (in this case) a right-click. Depending on your mouse, you may also have additional buttons (3, 4, 5). I right-click for a rank 1 when I want to do is get the secondary effect of the spell (e.g. slow target, prevent stealth, interrupt spells, reveal stealthed players in mele range) without spending a lot of mana.

'''frs'''
/cast [button:2] Frost Shock(Rank 1) ; Frost Shock

'''fls'''
/cast [button:2] Flame Shock(Rank 1) ; Flame Shock

'''es'''
/cast [button:2] Earth Shock(Rank 1) ; Earth Shock

'''magma'''
/cast [button:2] Magma Totem(Rank 1) ; Magma Totem

'''flash'''
/castsequence reset=10 Flametongue Weapon, Frostbrand Weapon

This one's silly... looks sorta cool to just spam it while running around town, but it's also a useful toggle when your target is immune to either flame or frost damage. As an ele shaman, you probably want flametongue by default as it gets your +spell damage.

'''chain'''
/cast [help, combat, button:2] Chain Heal; [help, nocombat, button:2] Chain Heal;
[target=targettarget, help, combat, button:2] Chain Heal;
[target=player, button:2] Chain Heal; Chain Lightning

This is used for either a chain lightning or a chain heal. Normal click is chain lightning, but a right click gives it a hw like behavior (see below), but with chain heal instead of healing wave.

==Defensive==

'''clean'''
/castsequence reset=shift Poison Cleansing Totem, Disease Cleansing Totem

'''def'''
/castsequence reset=15/shift Grounding Totem, Tremor Totem, Healing Stream Totem, Totem of Wrath

'''hold'''
/castsequence reset=15/shift Earthbind Totem, Grounding Totem, Searing Totem

'''resist'''
/castsequence reset=20/shift Nature Resistance Totem, Frost Resistance Totem, Fire Resistance Totem, Stoneskin Totem

'''hw'''
/cast [button:2] Nature's Swiftness; [help, combat] Healing Wave; [help, nocombat] Healing Wave;
[target=targettarget, help, combat] Healing Wave; [target=player] Healing Wave
I like this one a lot, but can't take credit for writing it, though I did add the NS bit. Right click it to proc Nature's Swiftness; left-click does one of the following: If your target is friendly, heal it (whether in combat or not). If your target's target is friendly and you are in combat, heal your target's target. This is the key clause here; it allows you to dps a target and also heal the target's target (e.g. your tank or yourself) without changing your own target first. Finally, if none of the above is true, heal yourself. To get a fast heal, do a rapid right-click left-click... works great, and is so fast that nobody would have time to dispell the NS before the big heal pops.

'''lhw'''
/cast [help, combat] Lesser Healing Wave; [help, nocombat] Lesser Healing Wave;
[target=targettarget, help, combat] Lesser Healing Wave; [target=player] Lesser Healing Wave

Same as above, but with lesser healing wave and without NS.

'''st-hl'''
/cast War Stomp
/target Jindi
/cast Healing Wave
Normally I just use this for war stomp, but if I want a big heal after that, just keep pressing...

'''t-heal'''
This is a big insta-heal with both trinkets
/stopcasting
/use 13
/stopcasting
/use 14
/stopcasting
/cast Nature's Swiftness
/stopcasting
/cast Healing Wave

==Misc==
A nice context-sensitive mount macro
/cast [Stance:1] Ghost Wolf
/cast [combat,nomounted,outdoors] Nature's Swiftness
/stopcasting
/use [flyable,nomounted] Blue Windrider
/use [noflyable,nomounted,outdoors] Black War Kodo
/cast [combat,nomounted,outdoors] Ghost Wolf
/dismount

=Videography=

==Camera Control==

Nice camera moves are best achieved by the game itself, as it's basically impossible to match the smooth motion curves with any sort of human input device. One way to do this is to use the camera presets. By default, the speed at which the camera moves between presets is pretty quick - good for in-game use, but not good for cinematic purposes. You can adjust the camera movement speed by altering the time duration of the transition, using a couple of cvars. They are:

cameraSmoothTimeMax
cameraSmoothTimeMin

# in a slash command context:
/console SET cameraSmoothTimeMax 15.0
/console SET cameraSmoothTimeMin 15.0

# in a script context:
SetCVar("cameraSmoothTimeMax","15")
SetCVar("cameraSmoothTimeMin","15")

# or you can set both at once using a function for ease-of-use. You'd need to slap this in a macro (or some existing mod) then execute it in before you can use the function. The idea is that this function will let you easily adjust the speed using a short-hand.
/script function cam(s) SetCVar("cameraSmoothTimeMax",s) SetCVar("cameraSmoothTimeMin",s) end

Use the function as shown below. 10 is the duration of the camera preset transition in seconds, but it can be whatever you want. Awesome for videos :)
/script cam(10)

Screen

2009-02-28T09:18:13Z

Dre: added C-a ] for normal paste

=== Basics ===

Control-a (C-a) is screen attention sequence and preceeds all screen commands. For example, to create a new screen window, type control-a, then c. To clarify even further: hold control, type a, release control, press c.

c = new window
k = kill current window
d = detach from screen
? = show online help

From outside of the screen session:
screen -R = reattach
screen -x = multi-attach

=== caption and hardstatus ===
I use the following with Terminal's color scheme set to green on black:
caption always "%{Mk}%?%-Lw%?%{km}[%n*%f %t]%?(%u)%?%{mk}%?%+Lw%? %{mk}"
hardstatus alwayslastline "%{kW}%H %{kB}|%{km} %l %=%{km}%c:%s %D %M/%d/%Y "

=== Navigation ===
" = list window names, numbers, and flags
N = show current window number
A = set window name
' = specify name or number to switch to
space = next window
backspace = prev window
# = goto window number #
w = show window list in status bar
C-a = switch to most recent window

=== Split Windows ===
S = create split in current region
tab = move to next region
X = delete current region
Q = delete all but current region

=== Monitoring ===
M = toggle activity monitor notifications in status bar
_ = toggle INactivity monitor notification in status bar (e.g. for when something's done compiling)
m = recall last message displayed in status bar
C-g = toggle audio / visual bell
t = show time / load average

=== Scrollback / copy mode movement keys ===

[ = enter copy mode
h, j, k, l move the cursor line by line or column by column.
0, ^ and $ move to the leftmost column, to the first or last non-
whitespace character on the line.
H, M and L move the cursor to the leftmost column of the top, center
or bottom line of the window.
+ and - positions one line up and down.
G moves to the specified absolute line (default: end of buffer).
| moves to the specified absolute column.
w, b, e move the cursor word by word.
B, E move the cursor WORD by WORD (as in vi).
C-u and C-d scroll the display up/down by the specified amount of
lines while preserving the cursor position. (Default: half screen-
full).
C-b and C-f scroll the display up/down a full screen.
g moves to the beginning of the buffer.
% jumps to the specified percentage of the buffer.

===Pasteboard===
Paste the contents of the pasteboard
C-a ]

Read the /etc/passwd file into register p and paste it back out
C-a : readreg p /etc/passwd
C-a : paste p

Marking:
The copy range is specified by setting two marks. The text between
these marks will be highlighted. Press
space to set the first or second mark respectively.
Y and y used to mark one whole line or to mark from start of line.
W marks exactly one word.
Repeat count:
Any of these commands can be prefixed with a repeat count number by
pressing digits 0..9 which is taken as a repeat count.
Example: "C-a C-[ H 10 j 5 Y" will copy lines 11 to 15 into the
paste buffer.
Searching:
/ Vi-like search forward.
? Vi-like search backward.
C-a s Emacs style incremental search forward.
C-r Emacs style reverse i-search.
Specials:
There are however some keys that act differently than in vi. Vi
does not allow one to yank rectangular blocks of text, but screen
does. Press c or C to set the left or right margin respectively. If no repeat
count is given, both default to the current cursor position.
Example: Try this on a rather full text screen: "C-a [ M 20 l SPACE
c 10 l 5 j C SPACE".
This moves one to the middle line of the screen, moves in 20 col-
umns left, marks the beginning of the paste buffer, sets the left
column, moves 5 columns down, sets the right column, and then marks
the end of the paste buffer. Now try:
"C-a [ M 20 l SPACE 10 l 5 j SPACE"
and notice the difference in the amount of text copied.
J joins lines. It toggles between 4 modes: lines separated by a new-
line character (012), lines glued seamless, lines separated by a
single whitespace and comma separated lines. Note that you can
prepend the newline character with a carriage return character, by
issuing a "crlf on".
v is for all the vi users with ":set numbers" - it toggles the left
margin between column 9 and 1. Press
a before the final space key to toggle in append mode. Thus the con-
tents of the paste buffer will not be overwritten, but is appended
to.
A toggles in append mode and sets a (second) mark.
> sets the (second) mark and writes the contents of the paste buffer
to the screen-exchange file (/tmp/screen-exchange per default) once
copy-mode is finished.
This example demonstrates how to dump the whole scrollback buffer
to that file: "C-A [ g SPACE G $ >".
C-g gives information about the current line and column.
x exchanges the first mark and the current cursor position. You can
use this to adjust an already placed mark.
@ does nothing. Does not even exit copy mode.
All keys not described here exit copy mode.

=== Commands ===

Commands can exist in .screenrc or can be entered interactively with C-a, :

send the 'whoami' command to all screen windows simultaneously (\015 is octal for carriage return)
at \# stuff "whoami\015"

back to [[Main Page]]

Useful Commands

2009-01-31T21:26:58Z

Dre: added -P for partials

Wow

2008-12-23T20:32:34Z

Dre: /* Talent Builds */ formatting

Wow

2008-12-23T20:31:56Z

Dre: /* Talent Builds */ formatting

=Talent Builds=
* [http://www.worldofwarcraft.com/info/classes/shaman/talents.html?tal=050300000000000000000000005002300000000000000000000050035331001013550120331251 Resto Shaman PVP / PVE 8 / 10 / 53]

PVP focus with some PVE utility; no mana tide, has elemental warding, instant ghost wolf, improved shields

* [http://www.worldofwarcraft.com/info/classes/shaman/talents.html?tal=050300000000000000000000005002300000000000000000000050035331001013550120331251 Resto Shaman PVP 0 / 20 / 51]

Pure arena build, includes improved shields, shamanistic focus, guardian totems and 2 / 5 toughness, with 2 points shaved from the top end of Resto. More crit than the 8 / 10 / 53 build. No mana tide.

=Macros=
(these are all outdated)

==Offensive==

"castsequence" is a great new addition to the macro language that lets you assign a sequence of things to a single key. Each press (after the global cooldown) gets you the next item in the list. When you hit the end, it automatically wraps back around. I also add a reset timer so that it jumps back to the beginning, because mana spring doesn't last as long as the others, so I typically have to re-cast it more often. Also, the /shift means that reset is triggered after 25 seconds, or if I shift-click the macro button (allowing me to bypass the 25 second timer if I need to).

'''cast'''
/castsequence reset=25/shift Mana Spring Totem, Wrath of Air Totem, Totem of Wrath, Strength of Earth Totem

'''mele'''
/castsequence reset=25/shift Grace of Air Totem, Strength of Earth Totem, Healing Stream Totem, Totem of Wrath

Adding a [button:2] clause acts as a conditional that is only true if the macro was invoked with (in this case) a right-click. Depending on your mouse, you may also have additional buttons (3, 4, 5). I right-click for a rank 1 when I want to do is get the secondary effect of the spell (e.g. slow target, prevent stealth, interrupt spells, reveal stealthed players in mele range) without spending a lot of mana.

'''frs'''
/cast [button:2] Frost Shock(Rank 1) ; Frost Shock

'''fls'''
/cast [button:2] Flame Shock(Rank 1) ; Flame Shock

'''es'''
/cast [button:2] Earth Shock(Rank 1) ; Earth Shock

'''magma'''
/cast [button:2] Magma Totem(Rank 1) ; Magma Totem

'''flash'''
/castsequence reset=10 Flametongue Weapon, Frostbrand Weapon

This one's silly... looks sorta cool to just spam it while running around town, but it's also a useful toggle when your target is immune to either flame or frost damage. As an ele shaman, you probably want flametongue by default as it gets your +spell damage.

'''chain'''
/cast [help, combat, button:2] Chain Heal; [help, nocombat, button:2] Chain Heal;
[target=targettarget, help, combat, button:2] Chain Heal;
[target=player, button:2] Chain Heal; Chain Lightning

This is used for either a chain lightning or a chain heal. Normal click is chain lightning, but a right click gives it a hw like behavior (see below), but with chain heal instead of healing wave.

==Defensive==

'''clean'''
/castsequence reset=shift Poison Cleansing Totem, Disease Cleansing Totem

'''def'''
/castsequence reset=15/shift Grounding Totem, Tremor Totem, Healing Stream Totem, Totem of Wrath

'''hold'''
/castsequence reset=15/shift Earthbind Totem, Grounding Totem, Searing Totem

'''resist'''
/castsequence reset=20/shift Nature Resistance Totem, Frost Resistance Totem, Fire Resistance Totem, Stoneskin Totem

'''hw'''
/cast [button:2] Nature's Swiftness; [help, combat] Healing Wave; [help, nocombat] Healing Wave;
[target=targettarget, help, combat] Healing Wave; [target=player] Healing Wave
I like this one a lot, but can't take credit for writing it, though I did add the NS bit. Right click it to proc Nature's Swiftness; left-click does one of the following: If your target is friendly, heal it (whether in combat or not). If your target's target is friendly and you are in combat, heal your target's target. This is the key clause here; it allows you to dps a target and also heal the target's target (e.g. your tank or yourself) without changing your own target first. Finally, if none of the above is true, heal yourself. To get a fast heal, do a rapid right-click left-click... works great, and is so fast that nobody would have time to dispell the NS before the big heal pops.

'''lhw'''
/cast [help, combat] Lesser Healing Wave; [help, nocombat] Lesser Healing Wave;
[target=targettarget, help, combat] Lesser Healing Wave; [target=player] Lesser Healing Wave

Same as above, but with lesser healing wave and without NS.

'''st-hl'''
/cast War Stomp
/target Jindi
/cast Healing Wave
Normally I just use this for war stomp, but if I want a big heal after that, just keep pressing...

'''t-heal'''
This is a big insta-heal with both trinkets
/stopcasting
/use 13
/stopcasting
/use 14
/stopcasting
/cast Nature's Swiftness
/stopcasting
/cast Healing Wave

==Misc==
A nice context-sensitive mount macro
/cast [Stance:1] Ghost Wolf
/cast [combat,nomounted,outdoors] Nature's Swiftness
/stopcasting
/use [flyable,nomounted] Blue Windrider
/use [noflyable,nomounted,outdoors] Black War Kodo
/cast [combat,nomounted,outdoors] Ghost Wolf
/dismount

Wow

2008-12-23T20:31:18Z

Dre: /* Talent Builds */

=Talent Builds=
* [http://www.worldofwarcraft.com/info/classes/shaman/talents.html?tal=050300000000000000000000005002300000000000000000000050035331001013550120331251 Resto Shaman PVP / PVE]

8 / 10 / 53
PVP focus with some PVE utility; no mana tide, has elemental warding, instant ghost wolf, improved shields

* [http://www.worldofwarcraft.com/info/classes/shaman/talents.html?tal=050300000000000000000000005002300000000000000000000050035331001013550120331251 Resto Shaman PVP]
0 / 20 / 51
Pure arena build, includes improved shields, shamanistic focus, guardian totems and 2 / 5 toughness, with 2 points shaved from the top end of Resto. More crit than the 8 / 10 / 53 build. No mana tide.

=Macros=
(these are all outdated)

==Offensive==

"castsequence" is a great new addition to the macro language that lets you assign a sequence of things to a single key. Each press (after the global cooldown) gets you the next item in the list. When you hit the end, it automatically wraps back around. I also add a reset timer so that it jumps back to the beginning, because mana spring doesn't last as long as the others, so I typically have to re-cast it more often. Also, the /shift means that reset is triggered after 25 seconds, or if I shift-click the macro button (allowing me to bypass the 25 second timer if I need to).

'''cast'''
/castsequence reset=25/shift Mana Spring Totem, Wrath of Air Totem, Totem of Wrath, Strength of Earth Totem

'''mele'''
/castsequence reset=25/shift Grace of Air Totem, Strength of Earth Totem, Healing Stream Totem, Totem of Wrath

Adding a [button:2] clause acts as a conditional that is only true if the macro was invoked with (in this case) a right-click. Depending on your mouse, you may also have additional buttons (3, 4, 5). I right-click for a rank 1 when I want to do is get the secondary effect of the spell (e.g. slow target, prevent stealth, interrupt spells, reveal stealthed players in mele range) without spending a lot of mana.

'''frs'''
/cast [button:2] Frost Shock(Rank 1) ; Frost Shock

'''fls'''
/cast [button:2] Flame Shock(Rank 1) ; Flame Shock

'''es'''
/cast [button:2] Earth Shock(Rank 1) ; Earth Shock

'''magma'''
/cast [button:2] Magma Totem(Rank 1) ; Magma Totem

'''flash'''
/castsequence reset=10 Flametongue Weapon, Frostbrand Weapon

This one's silly... looks sorta cool to just spam it while running around town, but it's also a useful toggle when your target is immune to either flame or frost damage. As an ele shaman, you probably want flametongue by default as it gets your +spell damage.

'''chain'''
/cast [help, combat, button:2] Chain Heal; [help, nocombat, button:2] Chain Heal;
[target=targettarget, help, combat, button:2] Chain Heal;
[target=player, button:2] Chain Heal; Chain Lightning

This is used for either a chain lightning or a chain heal. Normal click is chain lightning, but a right click gives it a hw like behavior (see below), but with chain heal instead of healing wave.

==Defensive==

'''clean'''
/castsequence reset=shift Poison Cleansing Totem, Disease Cleansing Totem

'''def'''
/castsequence reset=15/shift Grounding Totem, Tremor Totem, Healing Stream Totem, Totem of Wrath

'''hold'''
/castsequence reset=15/shift Earthbind Totem, Grounding Totem, Searing Totem

'''resist'''
/castsequence reset=20/shift Nature Resistance Totem, Frost Resistance Totem, Fire Resistance Totem, Stoneskin Totem

'''hw'''
/cast [button:2] Nature's Swiftness; [help, combat] Healing Wave; [help, nocombat] Healing Wave;
[target=targettarget, help, combat] Healing Wave; [target=player] Healing Wave
I like this one a lot, but can't take credit for writing it, though I did add the NS bit. Right click it to proc Nature's Swiftness; left-click does one of the following: If your target is friendly, heal it (whether in combat or not). If your target's target is friendly and you are in combat, heal your target's target. This is the key clause here; it allows you to dps a target and also heal the target's target (e.g. your tank or yourself) without changing your own target first. Finally, if none of the above is true, heal yourself. To get a fast heal, do a rapid right-click left-click... works great, and is so fast that nobody would have time to dispell the NS before the big heal pops.

'''lhw'''
/cast [help, combat] Lesser Healing Wave; [help, nocombat] Lesser Healing Wave;
[target=targettarget, help, combat] Lesser Healing Wave; [target=player] Lesser Healing Wave

Same as above, but with lesser healing wave and without NS.

'''st-hl'''
/cast War Stomp
/target Jindi
/cast Healing Wave
Normally I just use this for war stomp, but if I want a big heal after that, just keep pressing...

'''t-heal'''
This is a big insta-heal with both trinkets
/stopcasting
/use 13
/stopcasting
/use 14
/stopcasting
/cast Nature's Swiftness
/stopcasting
/cast Healing Wave

==Misc==
A nice context-sensitive mount macro
/cast [Stance:1] Ghost Wolf
/cast [combat,nomounted,outdoors] Nature's Swiftness
/stopcasting
/use [flyable,nomounted] Blue Windrider
/use [noflyable,nomounted,outdoors] Black War Kodo
/cast [combat,nomounted,outdoors] Ghost Wolf
/dismount

Wow

2008-12-23T20:28:22Z

Dre: /* Talent Builds */

=Talent Builds=
* [http://www.worldofwarcraft.com/info/classes/shaman/talents.html?tal=050300000000000000000000005002300000000000000000000050035331001013550120331251 Resto Shaman PVP / PVE]

8 / 10 / 53
PVP focus with some PVE utility; no mana tide, has elemental warding, instant ghost wolf, improved shields

* [http://www.worldofwarcraft.com/info/classes/shaman/talents.html?tal=050300000000000000000000005002300000000000000000000050035331001013550120331251 Resto Shaman PVP]
0 / 20 / 51
Pure PVP build includes improved shields, shamanistic focus, guardian totems and 2 / 5 toughness, with 2 points shaved from the top end of Resto

=Macros=
(these are all outdated)

==Offensive==

"castsequence" is a great new addition to the macro language that lets you assign a sequence of things to a single key. Each press (after the global cooldown) gets you the next item in the list. When you hit the end, it automatically wraps back around. I also add a reset timer so that it jumps back to the beginning, because mana spring doesn't last as long as the others, so I typically have to re-cast it more often. Also, the /shift means that reset is triggered after 25 seconds, or if I shift-click the macro button (allowing me to bypass the 25 second timer if I need to).

'''cast'''
/castsequence reset=25/shift Mana Spring Totem, Wrath of Air Totem, Totem of Wrath, Strength of Earth Totem

'''mele'''
/castsequence reset=25/shift Grace of Air Totem, Strength of Earth Totem, Healing Stream Totem, Totem of Wrath

Adding a [button:2] clause acts as a conditional that is only true if the macro was invoked with (in this case) a right-click. Depending on your mouse, you may also have additional buttons (3, 4, 5). I right-click for a rank 1 when I want to do is get the secondary effect of the spell (e.g. slow target, prevent stealth, interrupt spells, reveal stealthed players in mele range) without spending a lot of mana.

'''frs'''
/cast [button:2] Frost Shock(Rank 1) ; Frost Shock

'''fls'''
/cast [button:2] Flame Shock(Rank 1) ; Flame Shock

'''es'''
/cast [button:2] Earth Shock(Rank 1) ; Earth Shock

'''magma'''
/cast [button:2] Magma Totem(Rank 1) ; Magma Totem

'''flash'''
/castsequence reset=10 Flametongue Weapon, Frostbrand Weapon

This one's silly... looks sorta cool to just spam it while running around town, but it's also a useful toggle when your target is immune to either flame or frost damage. As an ele shaman, you probably want flametongue by default as it gets your +spell damage.

'''chain'''
/cast [help, combat, button:2] Chain Heal; [help, nocombat, button:2] Chain Heal;
[target=targettarget, help, combat, button:2] Chain Heal;
[target=player, button:2] Chain Heal; Chain Lightning

This is used for either a chain lightning or a chain heal. Normal click is chain lightning, but a right click gives it a hw like behavior (see below), but with chain heal instead of healing wave.

==Defensive==

'''clean'''
/castsequence reset=shift Poison Cleansing Totem, Disease Cleansing Totem

'''def'''
/castsequence reset=15/shift Grounding Totem, Tremor Totem, Healing Stream Totem, Totem of Wrath

'''hold'''
/castsequence reset=15/shift Earthbind Totem, Grounding Totem, Searing Totem

'''resist'''
/castsequence reset=20/shift Nature Resistance Totem, Frost Resistance Totem, Fire Resistance Totem, Stoneskin Totem

'''hw'''
/cast [button:2] Nature's Swiftness; [help, combat] Healing Wave; [help, nocombat] Healing Wave;
[target=targettarget, help, combat] Healing Wave; [target=player] Healing Wave
I like this one a lot, but can't take credit for writing it, though I did add the NS bit. Right click it to proc Nature's Swiftness; left-click does one of the following: If your target is friendly, heal it (whether in combat or not). If your target's target is friendly and you are in combat, heal your target's target. This is the key clause here; it allows you to dps a target and also heal the target's target (e.g. your tank or yourself) without changing your own target first. Finally, if none of the above is true, heal yourself. To get a fast heal, do a rapid right-click left-click... works great, and is so fast that nobody would have time to dispell the NS before the big heal pops.

'''lhw'''
/cast [help, combat] Lesser Healing Wave; [help, nocombat] Lesser Healing Wave;
[target=targettarget, help, combat] Lesser Healing Wave; [target=player] Lesser Healing Wave

Same as above, but with lesser healing wave and without NS.

'''st-hl'''
/cast War Stomp
/target Jindi
/cast Healing Wave
Normally I just use this for war stomp, but if I want a big heal after that, just keep pressing...

'''t-heal'''
This is a big insta-heal with both trinkets
/stopcasting
/use 13
/stopcasting
/use 14
/stopcasting
/cast Nature's Swiftness
/stopcasting
/cast Healing Wave

==Misc==
A nice context-sensitive mount macro
/cast [Stance:1] Ghost Wolf
/cast [combat,nomounted,outdoors] Nature's Swiftness
/stopcasting
/use [flyable,nomounted] Blue Windrider
/use [noflyable,nomounted,outdoors] Black War Kodo
/cast [combat,nomounted,outdoors] Ghost Wolf
/dismount

Wow

2008-12-23T19:49:21Z

Dre: Added talent builds section, link to pvp build

=Talent Builds=
[http://www.worldofwarcraft.com/info/classes/shaman/talents.html?tal=050300000000000000000000005002300000000000000000000050035331001013550120331251 Resto Shaman PVP]

=Macros=
(these are all outdated)

==Offensive==

"castsequence" is a great new addition to the macro language that lets you assign a sequence of things to a single key. Each press (after the global cooldown) gets you the next item in the list. When you hit the end, it automatically wraps back around. I also add a reset timer so that it jumps back to the beginning, because mana spring doesn't last as long as the others, so I typically have to re-cast it more often. Also, the /shift means that reset is triggered after 25 seconds, or if I shift-click the macro button (allowing me to bypass the 25 second timer if I need to).

'''cast'''
/castsequence reset=25/shift Mana Spring Totem, Wrath of Air Totem, Totem of Wrath, Strength of Earth Totem

'''mele'''
/castsequence reset=25/shift Grace of Air Totem, Strength of Earth Totem, Healing Stream Totem, Totem of Wrath

Adding a [button:2] clause acts as a conditional that is only true if the macro was invoked with (in this case) a right-click. Depending on your mouse, you may also have additional buttons (3, 4, 5). I right-click for a rank 1 when I want to do is get the secondary effect of the spell (e.g. slow target, prevent stealth, interrupt spells, reveal stealthed players in mele range) without spending a lot of mana.

'''frs'''
/cast [button:2] Frost Shock(Rank 1) ; Frost Shock

'''fls'''
/cast [button:2] Flame Shock(Rank 1) ; Flame Shock

'''es'''
/cast [button:2] Earth Shock(Rank 1) ; Earth Shock

'''magma'''
/cast [button:2] Magma Totem(Rank 1) ; Magma Totem

'''flash'''
/castsequence reset=10 Flametongue Weapon, Frostbrand Weapon

This one's silly... looks sorta cool to just spam it while running around town, but it's also a useful toggle when your target is immune to either flame or frost damage. As an ele shaman, you probably want flametongue by default as it gets your +spell damage.

'''chain'''
/cast [help, combat, button:2] Chain Heal; [help, nocombat, button:2] Chain Heal;
[target=targettarget, help, combat, button:2] Chain Heal;
[target=player, button:2] Chain Heal; Chain Lightning

This is used for either a chain lightning or a chain heal. Normal click is chain lightning, but a right click gives it a hw like behavior (see below), but with chain heal instead of healing wave.

==Defensive==

'''clean'''
/castsequence reset=shift Poison Cleansing Totem, Disease Cleansing Totem

'''def'''
/castsequence reset=15/shift Grounding Totem, Tremor Totem, Healing Stream Totem, Totem of Wrath

'''hold'''
/castsequence reset=15/shift Earthbind Totem, Grounding Totem, Searing Totem

'''resist'''
/castsequence reset=20/shift Nature Resistance Totem, Frost Resistance Totem, Fire Resistance Totem, Stoneskin Totem

'''hw'''
/cast [button:2] Nature's Swiftness; [help, combat] Healing Wave; [help, nocombat] Healing Wave;
[target=targettarget, help, combat] Healing Wave; [target=player] Healing Wave
I like this one a lot, but can't take credit for writing it, though I did add the NS bit. Right click it to proc Nature's Swiftness; left-click does one of the following: If your target is friendly, heal it (whether in combat or not). If your target's target is friendly and you are in combat, heal your target's target. This is the key clause here; it allows you to dps a target and also heal the target's target (e.g. your tank or yourself) without changing your own target first. Finally, if none of the above is true, heal yourself. To get a fast heal, do a rapid right-click left-click... works great, and is so fast that nobody would have time to dispell the NS before the big heal pops.

'''lhw'''
/cast [help, combat] Lesser Healing Wave; [help, nocombat] Lesser Healing Wave;
[target=targettarget, help, combat] Lesser Healing Wave; [target=player] Lesser Healing Wave

Same as above, but with lesser healing wave and without NS.

'''st-hl'''
/cast War Stomp
/target Jindi
/cast Healing Wave
Normally I just use this for war stomp, but if I want a big heal after that, just keep pressing...

'''t-heal'''
This is a big insta-heal with both trinkets
/stopcasting
/use 13
/stopcasting
/use 14
/stopcasting
/cast Nature's Swiftness
/stopcasting
/cast Healing Wave

==Misc==
A nice context-sensitive mount macro
/cast [Stance:1] Ghost Wolf
/cast [combat,nomounted,outdoors] Nature's Swiftness
/stopcasting
/use [flyable,nomounted] Blue Windrider
/use [noflyable,nomounted,outdoors] Black War Kodo
/cast [combat,nomounted,outdoors] Ghost Wolf
/dismount

Mac OS X Server

2008-08-04T18:23:15Z

Dre: /* Disabling Automounts */

== Administration Tricks ==
You can closely examine some of the server manager data by making an https connection with your browser to an URL in the form:

https://host:311/servermgr_info.html

Authenticate as an admin.

== Disabling Automounts ==
Add the following to /etc/auto_master

/Network/Servers -null
/Network/Applications -null
/Network/Library -null

Mac OS X Server

2008-08-04T18:22:49Z

Dre: /* Disabling Automounts */

== Administration Tricks ==
You can closely examine some of the server manager data by making an https connection with your browser to an URL in the form:

https://host:311/servermgr_info.html

Authenticate as an admin.

== Disabling Automounts ==
/Network/Servers -null
/Network/Applications -null
/Network/Library -null

Mac OS X Server

2008-08-04T18:22:37Z

Dre: /* Administration Tricks */

== Administration Tricks ==
You can closely examine some of the server manager data by making an https connection with your browser to an URL in the form:

https://host:311/servermgr_info.html

Authenticate as an admin.

== Disabling Automounts ==
/Network/Servers -null
/Network/Applications -null
/Network/Library -null

Apache

2008-07-15T18:52:19Z

Dre: added mysql auth bits

start with apachectl startssl

o conf/ssl.key/ca.key
The PEM-encoded RSA private key file of the CA which you can
use to sign other servers or clients. KEEP THIS FILE PRIVATE!
o conf/ssl.crt/ca.crt
The PEM-encoded X.509 certificate file of the CA which you use to
sign other servers or clients. When you sign clients with it (for
SSL client authentication) you can configure this file with the
'SSLCACertificateFile' directive.
o conf/ssl.key/server.key
The PEM-encoded RSA private key file of the server which you configure
with the 'SSLCertificateKeyFile' directive (automatically done
when you install via APACI). KEEP THIS FILE PRIVATE!
o conf/ssl.crt/server.crt
The PEM-encoded X.509 certificate file of the server which you configure
with the 'SSLCertificateFile' directive (automatically done
when you install via APACI).
o conf/ssl.csr/server.csr
The PEM-encoded X.509 certificate signing request of the server file which
you can send to an official Certificate Authority (CA) in order
to request a real server certificate (signed by this CA instead
of our own CA) which later can replace the conf/ssl.crt/server.crt
file.

Some useful apache directives for tweaking the autoindex pages. Scalable column width and reverse sort by date.

IndexOptions NameWidth=*
IndexOrderDefault Descending Date

back to [[meta]]

== MYSQL Authentication Sample ==
Uses mod_auth_mysql:

AuthName 'Administrator Login'
AuthType basic
AuthMySQLEnable On
AuthMySQLHost sql.dubstep.fm
AuthMySQLUser ****
AuthMySQLPassword ****
AuthMySQLDB dubstep_main
AuthMySQLUserTable jos_users
AuthMySQLNameField username
AuthMySQLPasswordField password
AuthMySQLGroupField gid
AuthMySQLPwEncryption md5
require group 25 31

LKDC

2008-06-03T06:05:51Z

Dre: typo

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos service principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The Kerberos v5 spec (rfc 1510) assumes and requires that the server name portion of a kerberos principal be just that: a server name (or address). To wit:
<pre>7.2.1. Name of server principals

The principal identifier for a server on a host will generally be
composed of two parts: (1) the realm of the KDC with which the server
is registered, and (2) a two-component name of type NT-SRV-HST if the
host name is an Internet domain name or a multi-component name of
type NT-SRV-XHST if the name of the host is of a form such as X.500
that allows slash (/) separators. The first component of the two- or
multi-component name will identify the service and the latter
components will identify the host. Where the name of the host is not
case sensitive (for example, with Internet domain names) the name of
the host must be lower case. For services such as telnet and the
Berkeley R commands which run with system privileges, the first
component will be the string "host" instead of a service specific
identifier.</pre>
Also unlike most Kerberos deployments, the clients are not expected to maintain hard-coded references to other LKDCs, or any Kerberos client configuration at all for that matter (although it does continue to work if you have existing configuration).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

Apple has overcome both of these challenges rather well, although the vast majority of the LKDC implementation should be considered 'private' - don't go building apps around this. The discovery portion of the LKDC implementation only barely extends into the Kerberos layer. How far does it extend? Consider the following:
<pre>{15} andre@donk [~] % klist
klist: No Kerberos 5 tickets in credentials cache
{16} andre@donk [~] % cat /Library/Preferences/edu.mit.Kerberos
cat: /Library/Preferences/edu.mit.Kerberos: No such file or directory
{17} andre@donk [~] % cat /etc/krb5.conf
cat: /etc/krb5.conf: No such file or directory
{18} andre@donk [~] % kinit andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
Please enter the password for andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B:
{19} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 13:32:39 05/13/08 23:32:37 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

The take-home point here is that as long as you know the realm / principal name, it's business as usual. The "look up KDC for realm" and "look up realm for KDC" functionality is integrated into the system's kerberos frameworks (via the private KerberosHelper framework). It is important to note that all of the secure aspects of the authentication are performed in the standard Kerberos manner.

==Advertising and Discovering==
The mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it is not unusual to use (regular ol' unicast) DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

Each Mac OS X system advertises its own LKDC. At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of a service principal name is a new idea, so we cannot rely on standard methods for constructing the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos service principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it running whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

On the service configuration end, AppleFileServer and smbd have their service principal names written into their respective configuration files, while the vnc service does not (VNCPrivilegeProxy?).

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf!)

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
====NetAuthAgent====
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

====LKDCLocate====
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

====KerberosHelper====
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

====LKDCHelper====
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

====configureLocalKDC====
/usr/libexec/configureLocalKDC is a perl script that creates the LKDC at installation time (using kdcsetup, which also creates the directory services record), creates service principals and their corresponding keytabs, edits service config files for supported services, and installs a kerberos certificate into the system keychain. This is a pretty nice script, and is certainly worth a look. To give you an idea, consider the following data structure:

<pre> my %afp_config = (service => 'afpserver', realm => $LKDC_realm,
prefs => '/Library/Preferences/com.apple.AppleFileServer',
key => 'kerberosPrincipal', format => '%s/%s@%2$s');</pre>

==== VNCPrivilegeProxy====
/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy - unsure exactly what this does.
<pre>{9} root@donk [Default/config] # strings /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy
__dyld_make_delayed_module_initializer_calls
__dyld_mod_term_funcs
Starting Privilege Proxy
com.apple.RemoteDesktop.PrivilegeProxy
'%s' server already starting
bootstrap_check_in bootstrap_create_service() failed: status=%d
'%s' server already active
server_init bootstrap_check_in() failed: status=%d
server_init bootstrap_unprivileged() failed: status=%d
server_init task_set_bootstrap_port(): %s
mach_msg_server:
/Library/Preferences/com.apple.VNCSettings.txt
'2, /+0&7!4-)1#
80(
91)!
:2*"
;3+#>6.&
=5-%
<4,$</pre>

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.

* http://www.gnu.org/software/shishi/manual/html_node/Realm-and-Principal-Naming.html Nice detail on realm and principal names from a Kerberos implementation called Shishi (complaint with the Kerberos v5 spec).

* http://crpit.com/confpapers/CRPITV26Pirzada2.pdf Kerberos assisted Authentication in Mobile Ad-hoc Networks. Here is an example of a Kerberos implementation designed for ad-hoc networks. Strangely enough, this is not a fully peer-to-peer implementation, and requires the existence of authentication servers other than the one hosting the service you wish to use. It also seems quite a bit more complex than apple's LKDC implementation.

* http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.28.383 Distributed Authentication in Kerberos Using Public Key Cryptography. This document from 1997 describes how a PKI might be used to perform distributed authentication using Kerberos. This implementation eliminates the need for a centralized KDC (instead relying on a centralized certificate authority), although does not deal with dynamic peer discovery in an ad hoc networking context.

LKDC

2008-05-15T00:49:59Z

Dre: Added quote of kerberos spec

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos service principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The Kerberos v5 spec (rfc 1510) assumes and requires that the server name portion of a kerberos principal be just that: a server name (or address). To wit:
<pre>7.2.1. Name of server principals

The principal identifier for a server on a host will generally be
composed of two parts: (1) the realm of the KDC with which the server
is registered, and (2) a two-component name of type NT-SRV-HST if the
host name is an Internet domain name or a multi-component name of
type NT-SRV-XHST if the name of the host is of a form such as X.500
that allows slash (/) separators. The first component of the two- or
multi-component name will identify the service and the latter
components will identify the host. Where the name of the host is not
case sensitive (for example, with Internet domain names) the name of
the host must be lower case. For services such as telnet and the
Berkeley R commands which run with system privileges, the first
component will be the string "host" instead of a service specific
identifier.</pre>
Also unlike most Kerberos deployments, the clients are not expected to maintain hard-coded references to other LKDCs, or any Kerberos client configuration at all for that matter (although it does continue to work if you have existing configuration).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

Apple has overcome both of these challenges rather well, although the vast majority of the LKDC implementation should be considered 'private' - don't go building apps around this. The discovery portion of the LKDC implementation only barely extends into the Kerberos layer. How far does it extend? Consider the following:
<pre>{15} andre@donk [~] % klist
klist: No Kerberos 5 tickets in credentials cache
{16} andre@donk [~] % cat /Library/Preferences/edu.mit.Kerberos
cat: /Library/Preferences/edu.mit.Kerberos: No such file or directory
{17} andre@donk [~] % cat /etc/krb5.conf
cat: /etc/krb5.conf: No such file or directory
{18} andre@donk [~] % kinit andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
Please enter the password for andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B:
{19} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 13:32:39 05/13/08 23:32:37 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

The take-home point here is that as long as you know the realm / principal name, it's business as usual. The "look up KDC for realm" and "look up realm for KDC" functionality is integrated into the system's kerberos frameworks (via the private KerberosHelper framework). It is important to note that all of the secure aspects of the authentication are performed in the standard Kerberos manner.

==Advertising and Discovering==
The mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it it not unusual to use (regular ol' unicast) DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

Each Mac OS X system advertises its own LKDC. At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of a service principal name is a new idea, so we cannot rely on standard methods for constructing the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos service principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it running whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

On the service configuration end, AppleFileServer and smbd have their service principal names written into their respective configuration files, while the vnc service does not (VNCPrivilegeProxy?).

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf!)

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
====NetAuthAgent====
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

====LKDCLocate====
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

====KerberosHelper====
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

====LKDCHelper====
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

====configureLocalKDC====
/usr/libexec/configureLocalKDC is a perl script that creates the LKDC at installation time (using kdcsetup, which also creates the directory services record), creates service principals and their corresponding keytabs, edits service config files for supported services, and installs a kerberos certificate into the system keychain. This is a pretty nice script, and is certainly worth a look. To give you an idea, consider the following data structure:

<pre> my %afp_config = (service => 'afpserver', realm => $LKDC_realm,
prefs => '/Library/Preferences/com.apple.AppleFileServer',
key => 'kerberosPrincipal', format => '%s/%s@%2$s');</pre>

==== VNCPrivilegeProxy====
/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy - unsure exactly what this does.
<pre>{9} root@donk [Default/config] # strings /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy
__dyld_make_delayed_module_initializer_calls
__dyld_mod_term_funcs
Starting Privilege Proxy
com.apple.RemoteDesktop.PrivilegeProxy
'%s' server already starting
bootstrap_check_in bootstrap_create_service() failed: status=%d
'%s' server already active
server_init bootstrap_check_in() failed: status=%d
server_init bootstrap_unprivileged() failed: status=%d
server_init task_set_bootstrap_port(): %s
mach_msg_server:
/Library/Preferences/com.apple.VNCSettings.txt
'2, /+0&7!4-)1#
80(
91)!
:2*"
;3+#>6.&
=5-%
<4,$</pre>

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.

* http://www.gnu.org/software/shishi/manual/html_node/Realm-and-Principal-Naming.html Nice detail on realm and principal names from a Kerberos implementation called Shishi (complaint with the Kerberos v5 spec).

* http://crpit.com/confpapers/CRPITV26Pirzada2.pdf Kerberos assisted Authentication in Mobile Ad-hoc Networks. Here is an example of a Kerberos implementation designed for ad-hoc networks. Strangely enough, this is not a fully peer-to-peer implementation, and requires the existence of authentication servers other than the one hosting the service you wish to use. It also seems quite a bit more complex than apple's LKDC implementation.

* http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.28.383 Distributed Authentication in Kerberos Using Public Key Cryptography. This document from 1997 describes how a PKI might be used to perform distributed authentication using Kerberos. This implementation eliminates the need for a centralized KDC (instead relying on a centralized certificate authority), although does not deal with dynamic peer discovery in an ad hoc networking context.

LKDC

2008-05-14T00:20:43Z

Dre: Added link to Distributed Authentication in Kerberos Using Public Key Cryptography

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The standard kerberos libraries pretty much assume and require that the server name portion of a kerberos principal be just that: a server name (or IP address). Also unlike most Kerberos deployments, the clients are not expected to maintain hard-coded references to other LKDCs, or any Kerberos client configuration at all for that matter (although it does continue to work if you have existing configuration).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

Apple has overcome both of these challenges rather well, although the vast majority of the LKDC implementation should be considered 'private' - don't go building apps around this. The discovery portion of the LKDC implementation only barely extends into the Kerberos layer. How far does it extend? Consider the following:
<pre>{15} andre@donk [~] % klist
klist: No Kerberos 5 tickets in credentials cache
{16} andre@donk [~] % cat /Library/Preferences/edu.mit.Kerberos
cat: /Library/Preferences/edu.mit.Kerberos: No such file or directory
{17} andre@donk [~] % cat /etc/krb5.conf
cat: /etc/krb5.conf: No such file or directory
{18} andre@donk [~] % kinit andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
Please enter the password for andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B:
{19} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 13:32:39 05/13/08 23:32:37 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

The take-home point here is that as long as you know the realm / principal name, it's business as usual. The "look up KDC for realm" and "look up realm for KDC" functionality is integrated into the system's kerberos frameworks (via the private KerberosHelper framework). It is important to note that all of the secure aspects of the authentication are performed in the standard Kerberos manner.

==Advertising and Discovering==
The mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it it not unusual to use (regular ol' unicast) DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

Each Mac OS X system advertises its own LKDC. At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of a service principal name is a new idea, so we cannot rely on standard methods for constructing the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos service principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it running whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

On the service configuration end, AppleFileServer and smbd have their service principal names written into their respective configuration files, while the vnc service does not (VNCPrivilegeProxy?).

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf!)

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
====NetAuthAgent====
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

====LKDCLocate====
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

====KerberosHelper====
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

====LKDCHelper====
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

====configureLocalKDC====
/usr/libexec/configureLocalKDC is a perl script that creates the LKDC at installation time (using kdcsetup, which also creates the directory services record), creates service principals and their corresponding keytabs, edits service config files for supported services, and installs a kerberos certificate into the system keychain. This is a pretty nice script, and is certainly worth a look. To give you an idea, consider the following data structure:

<pre> my %afp_config = (service => 'afpserver', realm => $LKDC_realm,
prefs => '/Library/Preferences/com.apple.AppleFileServer',
key => 'kerberosPrincipal', format => '%s/%s@%2$s');</pre>

==== VNCPrivilegeProxy====
/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy - unsure exactly what this does.
<pre>{9} root@donk [Default/config] # strings /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy
__dyld_make_delayed_module_initializer_calls
__dyld_mod_term_funcs
Starting Privilege Proxy
com.apple.RemoteDesktop.PrivilegeProxy
'%s' server already starting
bootstrap_check_in bootstrap_create_service() failed: status=%d
'%s' server already active
server_init bootstrap_check_in() failed: status=%d
server_init bootstrap_unprivileged() failed: status=%d
server_init task_set_bootstrap_port(): %s
mach_msg_server:
/Library/Preferences/com.apple.VNCSettings.txt
'2, /+0&7!4-)1#
80(
91)!
:2*"
;3+#>6.&
=5-%
<4,$</pre>

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.

* http://www.gnu.org/software/shishi/manual/html_node/Realm-and-Principal-Naming.html Nice detail on realm and principal names from a Kerberos implementation called Shishi (complaint with the Kerberos v5 spec).

* http://crpit.com/confpapers/CRPITV26Pirzada2.pdf Kerberos assisted Authentication in Mobile Ad-hoc Networks. Here is an example of a Kerberos implementation designed for ad-hoc networks. Strangely enough, this is not a fully peer-to-peer implementation, and requires the existence of authentication servers other than the one hosting the service you wish to use. It also seems quite a bit more complex than apple's LKDC implementation.

* http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.28.383 Distributed Authentication in Kerberos Using Public Key Cryptography. This document from 1997 describes how a PKI might be used to perform distributed authentication using Kerberos. This implementation eliminates the need for a centralized KDC (instead relying on a centralized certificate authority), although does not deal with dynamic peer discovery in an ad hoc networking context.

LKDC

2008-05-14T00:00:08Z

Dre: Moved link from ACM to crpit.org

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The standard kerberos libraries pretty much assume and require that the server name portion of a kerberos principal be just that: a server name (or IP address). Also unlike most Kerberos deployments, the clients are not expected to maintain hard-coded references to other LKDCs, or any Kerberos client configuration at all for that matter (although it does continue to work if you have existing configuration).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

Apple has overcome both of these challenges rather well, although the vast majority of the LKDC implementation should be considered 'private' - don't go building apps around this. The discovery portion of the LKDC implementation only barely extends into the Kerberos layer. How far does it extend? Consider the following:
<pre>{15} andre@donk [~] % klist
klist: No Kerberos 5 tickets in credentials cache
{16} andre@donk [~] % cat /Library/Preferences/edu.mit.Kerberos
cat: /Library/Preferences/edu.mit.Kerberos: No such file or directory
{17} andre@donk [~] % cat /etc/krb5.conf
cat: /etc/krb5.conf: No such file or directory
{18} andre@donk [~] % kinit andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
Please enter the password for andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B:
{19} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 13:32:39 05/13/08 23:32:37 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

The take-home point here is that as long as you know the realm / principal name, it's business as usual. The "look up KDC for realm" and "look up realm for KDC" functionality is integrated into the system's kerberos frameworks (via the private KerberosHelper framework). It is important to note that all of the secure aspects of the authentication are performed in the standard Kerberos manner.

==Advertising and Discovering==
The mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it it not unusual to use (regular ol' unicast) DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

Each Mac OS X system advertises its own LKDC. At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of a service principal name is a new idea, so we cannot rely on standard methods for constructing the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos service principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it running whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

On the service configuration end, AppleFileServer and smbd have their service principal names written into their respective configuration files, while the vnc service does not (VNCPrivilegeProxy?).

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf!)

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
====NetAuthAgent====
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

====LKDCLocate====
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

====KerberosHelper====
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

====LKDCHelper====
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

====configureLocalKDC====
/usr/libexec/configureLocalKDC is a perl script that creates the LKDC at installation time (using kdcsetup, which also creates the directory services record), creates service principals and their corresponding keytabs, edits service config files for supported services, and installs a kerberos certificate into the system keychain. This is a pretty nice script, and is certainly worth a look. To give you an idea, consider the following data structure:

<pre> my %afp_config = (service => 'afpserver', realm => $LKDC_realm,
prefs => '/Library/Preferences/com.apple.AppleFileServer',
key => 'kerberosPrincipal', format => '%s/%s@%2$s');</pre>

==== VNCPrivilegeProxy====
/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy - unsure exactly what this does.
<pre>{9} root@donk [Default/config] # strings /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy
__dyld_make_delayed_module_initializer_calls
__dyld_mod_term_funcs
Starting Privilege Proxy
com.apple.RemoteDesktop.PrivilegeProxy
'%s' server already starting
bootstrap_check_in bootstrap_create_service() failed: status=%d
'%s' server already active
server_init bootstrap_check_in() failed: status=%d
server_init bootstrap_unprivileged() failed: status=%d
server_init task_set_bootstrap_port(): %s
mach_msg_server:
/Library/Preferences/com.apple.VNCSettings.txt
'2, /+0&7!4-)1#
80(
91)!
:2*"
;3+#>6.&
=5-%
<4,$</pre>

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.

* http://www.gnu.org/software/shishi/manual/html_node/Realm-and-Principal-Naming.html Nice detail on realm and principal names from a Kerberos implementation called Shishi (complaint with the Kerberos v5 spec).

* http://crpit.com/confpapers/CRPITV26Pirzada2.pdf Kerberos assisted Authentication in Mobile Ad-hoc Networks. Here is an example of a Kerberos implementation designed for ad-hoc networks. Strangely enough, this is not a fully peer-to-peer implementation, and requires the existence of authentication servers other than the one hosting the service you wish to use. It also seems quite a bit more complex than apple's LKDC implementation.

LKDC

2008-05-13T23:57:35Z

Dre: Added link to ACM

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The standard kerberos libraries pretty much assume and require that the server name portion of a kerberos principal be just that: a server name (or IP address). Also unlike most Kerberos deployments, the clients are not expected to maintain hard-coded references to other LKDCs, or any Kerberos client configuration at all for that matter (although it does continue to work if you have existing configuration).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

Apple has overcome both of these challenges rather well, although the vast majority of the LKDC implementation should be considered 'private' - don't go building apps around this. The discovery portion of the LKDC implementation only barely extends into the Kerberos layer. How far does it extend? Consider the following:
<pre>{15} andre@donk [~] % klist
klist: No Kerberos 5 tickets in credentials cache
{16} andre@donk [~] % cat /Library/Preferences/edu.mit.Kerberos
cat: /Library/Preferences/edu.mit.Kerberos: No such file or directory
{17} andre@donk [~] % cat /etc/krb5.conf
cat: /etc/krb5.conf: No such file or directory
{18} andre@donk [~] % kinit andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
Please enter the password for andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B:
{19} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 13:32:39 05/13/08 23:32:37 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

The take-home point here is that as long as you know the realm / principal name, it's business as usual. The "look up KDC for realm" and "look up realm for KDC" functionality is integrated into the system's kerberos frameworks (via the private KerberosHelper framework). It is important to note that all of the secure aspects of the authentication are performed in the standard Kerberos manner.

==Advertising and Discovering==
The mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it it not unusual to use (regular ol' unicast) DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

Each Mac OS X system advertises its own LKDC. At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of a service principal name is a new idea, so we cannot rely on standard methods for constructing the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos service principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it running whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

On the service configuration end, AppleFileServer and smbd have their service principal names written into their respective configuration files, while the vnc service does not (VNCPrivilegeProxy?).

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf!)

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
====NetAuthAgent====
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

====LKDCLocate====
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

====KerberosHelper====
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

====LKDCHelper====
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

====configureLocalKDC====
/usr/libexec/configureLocalKDC is a perl script that creates the LKDC at installation time (using kdcsetup, which also creates the directory services record), creates service principals and their corresponding keytabs, edits service config files for supported services, and installs a kerberos certificate into the system keychain. This is a pretty nice script, and is certainly worth a look. To give you an idea, consider the following data structure:

<pre> my %afp_config = (service => 'afpserver', realm => $LKDC_realm,
prefs => '/Library/Preferences/com.apple.AppleFileServer',
key => 'kerberosPrincipal', format => '%s/%s@%2$s');</pre>

==== VNCPrivilegeProxy====
/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy - unsure exactly what this does.
<pre>{9} root@donk [Default/config] # strings /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy
__dyld_make_delayed_module_initializer_calls
__dyld_mod_term_funcs
Starting Privilege Proxy
com.apple.RemoteDesktop.PrivilegeProxy
'%s' server already starting
bootstrap_check_in bootstrap_create_service() failed: status=%d
'%s' server already active
server_init bootstrap_check_in() failed: status=%d
server_init bootstrap_unprivileged() failed: status=%d
server_init task_set_bootstrap_port(): %s
mach_msg_server:
/Library/Preferences/com.apple.VNCSettings.txt
'2, /+0&7!4-)1#
80(
91)!
:2*"
;3+#>6.&
=5-%
<4,$</pre>

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.

* http://www.gnu.org/software/shishi/manual/html_node/Realm-and-Principal-Naming.html Nice detail on realm and principal names from a Kerberos implementation called Shishi (complaint with the Kerberos v5 spec).

* http://portal.acm.org/citation.cfm?id=979922.979928&coll=portal&dl=ACM Kerberos assisted Authentication in Mobile Ad-hoc Networks (requires a free account to view the full text). Here is an example of a Kerberos implementation designed for ad-hoc networks. Strangely enough, this is not a fully peer-to-peer implementation, and requires the existence of authentication servers other than the one hosting the service you wish to use. It also seems quite a bit more complex than apple's LKDC implementation.

LKDC

2008-05-13T23:46:32Z

Dre: Added link to shishi

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The standard kerberos libraries pretty much assume and require that the server name portion of a kerberos principal be just that: a server name (or IP address). Also unlike most Kerberos deployments, the clients are not expected to maintain hard-coded references to other LKDCs, or any Kerberos client configuration at all for that matter (although it does continue to work if you have existing configuration).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

Apple has overcome both of these challenges rather well, although the vast majority of the LKDC implementation should be considered 'private' - don't go building apps around this. The discovery portion of the LKDC implementation only barely extends into the Kerberos layer. How far does it extend? Consider the following:
<pre>{15} andre@donk [~] % klist
klist: No Kerberos 5 tickets in credentials cache
{16} andre@donk [~] % cat /Library/Preferences/edu.mit.Kerberos
cat: /Library/Preferences/edu.mit.Kerberos: No such file or directory
{17} andre@donk [~] % cat /etc/krb5.conf
cat: /etc/krb5.conf: No such file or directory
{18} andre@donk [~] % kinit andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
Please enter the password for andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B:
{19} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 13:32:39 05/13/08 23:32:37 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

The take-home point here is that as long as you know the realm / principal name, it's business as usual. The "look up KDC for realm" and "look up realm for KDC" functionality is integrated into the system's kerberos frameworks (via the private KerberosHelper framework). It is important to note that all of the secure aspects of the authentication are performed in the standard Kerberos manner.

==Advertising and Discovering==
The mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it it not unusual to use (regular ol' unicast) DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

Each Mac OS X system advertises its own LKDC. At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of a service principal name is a new idea, so we cannot rely on standard methods for constructing the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos service principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it running whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

On the service configuration end, AppleFileServer and smbd have their service principal names written into their respective configuration files, while the vnc service does not (VNCPrivilegeProxy?).

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf!)

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
====NetAuthAgent====
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

====LKDCLocate====
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

====KerberosHelper====
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

====LKDCHelper====
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

====configureLocalKDC====
/usr/libexec/configureLocalKDC is a perl script that creates the LKDC at installation time (using kdcsetup, which also creates the directory services record), creates service principals and their corresponding keytabs, edits service config files for supported services, and installs a kerberos certificate into the system keychain. This is a pretty nice script, and is certainly worth a look. To give you an idea, consider the following data structure:

<pre> my %afp_config = (service => 'afpserver', realm => $LKDC_realm,
prefs => '/Library/Preferences/com.apple.AppleFileServer',
key => 'kerberosPrincipal', format => '%s/%s@%2$s');</pre>

==== VNCPrivilegeProxy====
/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy - unsure exactly what this does.
<pre>{9} root@donk [Default/config] # strings /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy
__dyld_make_delayed_module_initializer_calls
__dyld_mod_term_funcs
Starting Privilege Proxy
com.apple.RemoteDesktop.PrivilegeProxy
'%s' server already starting
bootstrap_check_in bootstrap_create_service() failed: status=%d
'%s' server already active
server_init bootstrap_check_in() failed: status=%d
server_init bootstrap_unprivileged() failed: status=%d
server_init task_set_bootstrap_port(): %s
mach_msg_server:
/Library/Preferences/com.apple.VNCSettings.txt
'2, /+0&7!4-)1#
80(
91)!
:2*"
;3+#>6.&
=5-%
<4,$</pre>

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.

* http://www.gnu.org/software/shishi/manual/html_node/Realm-and-Principal-Naming.html Nice detail on realm and principal names from a Kerberos implementation called Shishi (complaint with the Kerberos v5 spec).

LKDC

2008-05-13T21:52:04Z

Dre: /* Harnessing Authentication */

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The standard kerberos libraries pretty much assume and require that the server name portion of a kerberos principal be just that: a server name (or IP address). Also unlike most Kerberos deployments, the clients are not expected to maintain hard-coded references to other LKDCs, or any Kerberos client configuration at all for that matter (although it does continue to work if you have existing configuration).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

Apple has overcome both of these challenges rather well, although the vast majority of the LKDC implementation should be considered 'private' - don't go building apps around this. The discovery portion of the LKDC implementation only barely extends into the Kerberos layer. How far does it extend? Consider the following:
<pre>{15} andre@donk [~] % klist
klist: No Kerberos 5 tickets in credentials cache
{16} andre@donk [~] % cat /Library/Preferences/edu.mit.Kerberos
cat: /Library/Preferences/edu.mit.Kerberos: No such file or directory
{17} andre@donk [~] % cat /etc/krb5.conf
cat: /etc/krb5.conf: No such file or directory
{18} andre@donk [~] % kinit andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
Please enter the password for andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B:
{19} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 13:32:39 05/13/08 23:32:37 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

The take-home point here is that as long as you know the realm / principal name, it's business as usual. The "look up KDC for realm" and "look up realm for KDC" functionality is integrated into the system's kerberos frameworks (via the private KerberosHelper framework). It is important to note that all of the secure aspects of the authentication are performed in the standard Kerberos manner.

==Advertising and Discovering==
The mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it it not unusual to use (regular ol' unicast) DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

Each Mac OS X system advertises its own LKDC. At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of a service principal name is a new idea, so we cannot rely on standard methods for constructing the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos service principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it running whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

On the service configuration end, AppleFileServer and smbd have their service principal names written into their respective configuration files, while the vnc service does not (VNCPrivilegeProxy?).

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf!)

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
====NetAuthAgent====
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

====LKDCLocate====
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

====KerberosHelper====
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

====LKDCHelper====
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

====configureLocalKDC====
/usr/libexec/configureLocalKDC is a perl script that creates the LKDC at installation time (using kdcsetup, which also creates the directory services record), creates service principals and their corresponding keytabs, edits service config files for supported services, and installs a kerberos certificate into the system keychain. This is a pretty nice script, and is certainly worth a look. To give you an idea, consider the following data structure:

<pre> my %afp_config = (service => 'afpserver', realm => $LKDC_realm,
prefs => '/Library/Preferences/com.apple.AppleFileServer',
key => 'kerberosPrincipal', format => '%s/%s@%2$s');</pre>

==== VNCPrivilegeProxy====
/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy - unsure exactly what this does.
<pre>{9} root@donk [Default/config] # strings /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy
__dyld_make_delayed_module_initializer_calls
__dyld_mod_term_funcs
Starting Privilege Proxy
com.apple.RemoteDesktop.PrivilegeProxy
'%s' server already starting
bootstrap_check_in bootstrap_create_service() failed: status=%d
'%s' server already active
server_init bootstrap_check_in() failed: status=%d
server_init bootstrap_unprivileged() failed: status=%d
server_init task_set_bootstrap_port(): %s
mach_msg_server:
/Library/Preferences/com.apple.VNCSettings.txt
'2, /+0&7!4-)1#
80(
91)!
:2*"
;3+#>6.&
=5-%
<4,$</pre>

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.

LKDC

2008-05-13T21:50:37Z

Dre: /* Harnessing Authentication */

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The standard kerberos libraries pretty much assume and require that the server name portion of a kerberos principal be just that: a server name (or IP address). Also unlike most Kerberos deployments, the clients are not expected to maintain hard-coded references to other LKDCs, or any Kerberos client configuration at all for that matter (although it does continue to work if you have existing configuration).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

Apple has overcome both of these challenges rather well, although the vast majority of the LKDC implementation should be considered 'private' - don't go building apps around this. The discovery portion of the LKDC implementation only barely extends into the Kerberos layer. How far does it extend? Consider the following:
<pre>{15} andre@donk [~] % klist
klist: No Kerberos 5 tickets in credentials cache
{16} andre@donk [~] % cat /Library/Preferences/edu.mit.Kerberos
cat: /Library/Preferences/edu.mit.Kerberos: No such file or directory
{17} andre@donk [~] % cat /etc/krb5.conf
cat: /etc/krb5.conf: No such file or directory
{18} andre@donk [~] % kinit andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
Please enter the password for andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B:
{19} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 13:32:39 05/13/08 23:32:37 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

The take-home point here is that as long as you know the realm / principal name, it's business as usual. The "look up KDC for realm" and "look up realm for KDC" functionality is integrated into the system's kerberos frameworks (via the private KerberosHelper framework). It is important to note that all of the secure aspects of the authentication are performed in the standard Kerberos manner.

==Advertising and Discovering==
The mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it it not unusual to use (regular ol' unicast) DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

Each Mac OS X system advertises its own LKDC. At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of a service principal name is a new idea, so we cannot rely on standard methods for constructing the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos service principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it running whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

On the service configuration end, afp and cifs have their service principal names written into their configuration files, while the vnc service does not (VNCPrivilegeProxy?).

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf!)

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
====NetAuthAgent====
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

====LKDCLocate====
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

====KerberosHelper====
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

====LKDCHelper====
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

====configureLocalKDC====
/usr/libexec/configureLocalKDC is a perl script that creates the LKDC at installation time (using kdcsetup, which also creates the directory services record), creates service principals and their corresponding keytabs, edits service config files for supported services, and installs a kerberos certificate into the system keychain. This is a pretty nice script, and is certainly worth a look. To give you an idea, consider the following data structure:

<pre> my %afp_config = (service => 'afpserver', realm => $LKDC_realm,
prefs => '/Library/Preferences/com.apple.AppleFileServer',
key => 'kerberosPrincipal', format => '%s/%s@%2$s');</pre>

==== VNCPrivilegeProxy====
/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy - unsure exactly what this does.
<pre>{9} root@donk [Default/config] # strings /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy
__dyld_make_delayed_module_initializer_calls
__dyld_mod_term_funcs
Starting Privilege Proxy
com.apple.RemoteDesktop.PrivilegeProxy
'%s' server already starting
bootstrap_check_in bootstrap_create_service() failed: status=%d
'%s' server already active
server_init bootstrap_check_in() failed: status=%d
server_init bootstrap_unprivileged() failed: status=%d
server_init task_set_bootstrap_port(): %s
mach_msg_server:
/Library/Preferences/com.apple.VNCSettings.txt
'2, /+0&7!4-)1#
80(
91)!
:2*"
;3+#>6.&
=5-%
<4,$</pre>

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.

LKDC

2008-05-13T21:35:09Z

Dre: /* Advertising and Discovering */

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The standard kerberos libraries pretty much assume and require that the server name portion of a kerberos principal be just that: a server name (or IP address). Also unlike most Kerberos deployments, the clients are not expected to maintain hard-coded references to other LKDCs, or any Kerberos client configuration at all for that matter (although it does continue to work if you have existing configuration).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

Apple has overcome both of these challenges rather well, although the vast majority of the LKDC implementation should be considered 'private' - don't go building apps around this. The discovery portion of the LKDC implementation only barely extends into the Kerberos layer. How far does it extend? Consider the following:
<pre>{15} andre@donk [~] % klist
klist: No Kerberos 5 tickets in credentials cache
{16} andre@donk [~] % cat /Library/Preferences/edu.mit.Kerberos
cat: /Library/Preferences/edu.mit.Kerberos: No such file or directory
{17} andre@donk [~] % cat /etc/krb5.conf
cat: /etc/krb5.conf: No such file or directory
{18} andre@donk [~] % kinit andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
Please enter the password for andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B:
{19} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 13:32:39 05/13/08 23:32:37 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

The take-home point here is that as long as you know the realm / principal name, it's business as usual. The "look up KDC for realm" and "look up realm for KDC" functionality is integrated into the system's kerberos frameworks (via the private KerberosHelper framework). It is important to note that all of the secure aspects of the authentication are performed in the standard Kerberos manner.

==Advertising and Discovering==
The mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it it not unusual to use (regular ol' unicast) DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

Each Mac OS X system advertises its own LKDC. At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of the principal name is a new idea, so we cannot rely on standard methods for constructing the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it get fired up whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf!)

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
====NetAuthAgent====
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

====LKDCLocate====
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

====KerberosHelper====
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

====LKDCHelper====
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

====configureLocalKDC====
/usr/libexec/configureLocalKDC is a perl script that creates the LKDC at installation time (using kdcsetup, which also creates the directory services record), creates service principals and their corresponding keytabs, edits service config files for supported services, and installs a kerberos certificate into the system keychain. This is a pretty nice script, and is certainly worth a look. To give you an idea, consider the following data structure:

<pre> my %afp_config = (service => 'afpserver', realm => $LKDC_realm,
prefs => '/Library/Preferences/com.apple.AppleFileServer',
key => 'kerberosPrincipal', format => '%s/%s@%2$s');</pre>

==== VNCPrivilegeProxy====
/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy - unsure exactly what this does.
<pre>{9} root@donk [Default/config] # strings /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy
__dyld_make_delayed_module_initializer_calls
__dyld_mod_term_funcs
Starting Privilege Proxy
com.apple.RemoteDesktop.PrivilegeProxy
'%s' server already starting
bootstrap_check_in bootstrap_create_service() failed: status=%d
'%s' server already active
server_init bootstrap_check_in() failed: status=%d
server_init bootstrap_unprivileged() failed: status=%d
server_init task_set_bootstrap_port(): %s
mach_msg_server:
/Library/Preferences/com.apple.VNCSettings.txt
'2, /+0&7!4-)1#
80(
91)!
:2*"
;3+#>6.&
=5-%
<4,$</pre>

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.

LKDC

2008-05-13T21:33:44Z

Dre: /* Advertising and Discovering */

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The standard kerberos libraries pretty much assume and require that the server name portion of a kerberos principal be just that: a server name (or IP address). Also unlike most Kerberos deployments, the clients are not expected to maintain hard-coded references to other LKDCs, or any Kerberos client configuration at all for that matter (although it does continue to work if you have existing configuration).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

Apple has overcome both of these challenges rather well, although the vast majority of the LKDC implementation should be considered 'private' - don't go building apps around this. The discovery portion of the LKDC implementation only barely extends into the Kerberos layer. How far does it extend? Consider the following:
<pre>{15} andre@donk [~] % klist
klist: No Kerberos 5 tickets in credentials cache
{16} andre@donk [~] % cat /Library/Preferences/edu.mit.Kerberos
cat: /Library/Preferences/edu.mit.Kerberos: No such file or directory
{17} andre@donk [~] % cat /etc/krb5.conf
cat: /etc/krb5.conf: No such file or directory
{18} andre@donk [~] % kinit andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
Please enter the password for andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B:
{19} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 13:32:39 05/13/08 23:32:37 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

The take-home point here is that as long as you know the realm / principal name, it's business as usual. The "look up KDC for realm" and "look up realm for KDC" functionality is integrated into the system's kerberos frameworks (via the private KerberosHelper framework). It is important to note that all of the secure aspects of the authentication are performed in the standard Kerberos manner.

==Advertising and Discovering==
The mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it it not unusual to use DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

Each Mac OS X system advertises its own LKDC. At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of the principal name is a new idea, so we cannot rely on standard methods for constructing the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it get fired up whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf!)

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
====NetAuthAgent====
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

====LKDCLocate====
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

====KerberosHelper====
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

====LKDCHelper====
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

====configureLocalKDC====
/usr/libexec/configureLocalKDC is a perl script that creates the LKDC at installation time (using kdcsetup, which also creates the directory services record), creates service principals and their corresponding keytabs, edits service config files for supported services, and installs a kerberos certificate into the system keychain. This is a pretty nice script, and is certainly worth a look. To give you an idea, consider the following data structure:

<pre> my %afp_config = (service => 'afpserver', realm => $LKDC_realm,
prefs => '/Library/Preferences/com.apple.AppleFileServer',
key => 'kerberosPrincipal', format => '%s/%s@%2$s');</pre>

==== VNCPrivilegeProxy====
/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy - unsure exactly what this does.
<pre>{9} root@donk [Default/config] # strings /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy
__dyld_make_delayed_module_initializer_calls
__dyld_mod_term_funcs
Starting Privilege Proxy
com.apple.RemoteDesktop.PrivilegeProxy
'%s' server already starting
bootstrap_check_in bootstrap_create_service() failed: status=%d
'%s' server already active
server_init bootstrap_check_in() failed: status=%d
server_init bootstrap_unprivileged() failed: status=%d
server_init task_set_bootstrap_port(): %s
mach_msg_server:
/Library/Preferences/com.apple.VNCSettings.txt
'2, /+0&7!4-)1#
80(
91)!
:2*"
;3+#>6.&
=5-%
<4,$</pre>

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.

LKDC

2008-05-13T21:33:01Z

Dre: /* Standard Deviation */

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The standard kerberos libraries pretty much assume and require that the server name portion of a kerberos principal be just that: a server name (or IP address). Also unlike most Kerberos deployments, the clients are not expected to maintain hard-coded references to other LKDCs, or any Kerberos client configuration at all for that matter (although it does continue to work if you have existing configuration).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

Apple has overcome both of these challenges rather well, although the vast majority of the LKDC implementation should be considered 'private' - don't go building apps around this. The discovery portion of the LKDC implementation only barely extends into the Kerberos layer. How far does it extend? Consider the following:
<pre>{15} andre@donk [~] % klist
klist: No Kerberos 5 tickets in credentials cache
{16} andre@donk [~] % cat /Library/Preferences/edu.mit.Kerberos
cat: /Library/Preferences/edu.mit.Kerberos: No such file or directory
{17} andre@donk [~] % cat /etc/krb5.conf
cat: /etc/krb5.conf: No such file or directory
{18} andre@donk [~] % kinit andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
Please enter the password for andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B:
{19} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 13:32:39 05/13/08 23:32:37 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

The take-home point here is that as long as you know the realm / principal name, it's business as usual. The "look up KDC for realm" and "look up realm for KDC" functionality is integrated into the system's kerberos frameworks (via the private KerberosHelper framework). It is important to note that all of the secure aspects of the authentication are performed in the standard Kerberos manner.

==Advertising and Discovering==
Not surprisingly, the mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it it not unusual to use DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

Each Mac OS X system advertises its own LKDC. At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of the principal name is a new idea, so we cannot rely on standard methods for constructing the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it get fired up whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf!)

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
====NetAuthAgent====
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

====LKDCLocate====
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

====KerberosHelper====
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

====LKDCHelper====
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

====configureLocalKDC====
/usr/libexec/configureLocalKDC is a perl script that creates the LKDC at installation time (using kdcsetup, which also creates the directory services record), creates service principals and their corresponding keytabs, edits service config files for supported services, and installs a kerberos certificate into the system keychain. This is a pretty nice script, and is certainly worth a look. To give you an idea, consider the following data structure:

<pre> my %afp_config = (service => 'afpserver', realm => $LKDC_realm,
prefs => '/Library/Preferences/com.apple.AppleFileServer',
key => 'kerberosPrincipal', format => '%s/%s@%2$s');</pre>

==== VNCPrivilegeProxy====
/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy - unsure exactly what this does.
<pre>{9} root@donk [Default/config] # strings /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy
__dyld_make_delayed_module_initializer_calls
__dyld_mod_term_funcs
Starting Privilege Proxy
com.apple.RemoteDesktop.PrivilegeProxy
'%s' server already starting
bootstrap_check_in bootstrap_create_service() failed: status=%d
'%s' server already active
server_init bootstrap_check_in() failed: status=%d
server_init bootstrap_unprivileged() failed: status=%d
server_init task_set_bootstrap_port(): %s
mach_msg_server:
/Library/Preferences/com.apple.VNCSettings.txt
'2, /+0&7!4-)1#
80(
91)!
:2*"
;3+#>6.&
=5-%
<4,$</pre>

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.

LKDC

2008-05-13T21:25:45Z

Dre: /* Harnessing Authentication */

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The standard kerberos libraries pretty much assume and require that the server name portion of a kerberos principal be just that: a server name (or IP address). Also unlike most Kerberos deployments, the clients are not expected to maintain hard-coded references to other LKDCs, or any Kerberos client configuration at all for that matter (although it does continue to work if you have existing configuration).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

Apple has overcome both of these challenges rather well, although the vast majority of the LKDC implementation should be considered 'private' - don't go building apps around this. The discovery portion of the LKDC implementation only barely extends into the Kerberos layer. How far does it extend? Consider the following:
<pre>{15} andre@donk [~] % klist
klist: No Kerberos 5 tickets in credentials cache
{16} andre@donk [~] % cat /Library/Preferences/edu.mit.Kerberos
cat: /Library/Preferences/edu.mit.Kerberos: No such file or directory
{17} andre@donk [~] % cat /etc/krb5.conf
cat: /etc/krb5.conf: No such file or directory
{18} andre@donk [~] % kinit andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
Please enter the password for andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B:
{19} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 13:32:39 05/13/08 23:32:37 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

The take-home point here is that as long as you know the realm / principal name, it's business as usual. The "look up KDC for realm" and "look up realm for KDC" functionality is integrated into the system's kerberos frameworks. It is important to note that all of the secure aspects of the authentication are performed in the standard Kerberos manner.

==Advertising and Discovering==
Not surprisingly, the mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it it not unusual to use DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

Each Mac OS X system advertises its own LKDC. At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of the principal name is a new idea, so we cannot rely on standard methods for constructing the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it get fired up whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf!)

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
====NetAuthAgent====
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

====LKDCLocate====
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

====KerberosHelper====
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

====LKDCHelper====
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

====configureLocalKDC====
/usr/libexec/configureLocalKDC is a perl script that creates the LKDC at installation time (using kdcsetup, which also creates the directory services record), creates service principals and their corresponding keytabs, edits service config files for supported services, and installs a kerberos certificate into the system keychain. This is a pretty nice script, and is certainly worth a look. To give you an idea, consider the following data structure:

<pre> my %afp_config = (service => 'afpserver', realm => $LKDC_realm,
prefs => '/Library/Preferences/com.apple.AppleFileServer',
key => 'kerberosPrincipal', format => '%s/%s@%2$s');</pre>

==== VNCPrivilegeProxy====
/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy - unsure exactly what this does.
<pre>{9} root@donk [Default/config] # strings /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy
__dyld_make_delayed_module_initializer_calls
__dyld_mod_term_funcs
Starting Privilege Proxy
com.apple.RemoteDesktop.PrivilegeProxy
'%s' server already starting
bootstrap_check_in bootstrap_create_service() failed: status=%d
'%s' server already active
server_init bootstrap_check_in() failed: status=%d
server_init bootstrap_unprivileged() failed: status=%d
server_init task_set_bootstrap_port(): %s
mach_msg_server:
/Library/Preferences/com.apple.VNCSettings.txt
'2, /+0&7!4-)1#
80(
91)!
:2*"
;3+#>6.&
=5-%
<4,$</pre>

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.

LKDC

2008-05-13T20:55:25Z

Dre: /* Standard Deviation */

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The standard kerberos libraries pretty much assume and require that the server name portion of a kerberos principal be just that: a server name (or IP address). Also unlike most Kerberos deployments, the clients are not expected to maintain hard-coded references to other LKDCs, or any Kerberos client configuration at all for that matter (although it does continue to work if you have existing configuration).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

Apple has overcome both of these challenges rather well, although the vast majority of the LKDC implementation should be considered 'private' - don't go building apps around this. The discovery portion of the LKDC implementation only barely extends into the Kerberos layer. How far does it extend? Consider the following:
<pre>{15} andre@donk [~] % klist
klist: No Kerberos 5 tickets in credentials cache
{16} andre@donk [~] % cat /Library/Preferences/edu.mit.Kerberos
cat: /Library/Preferences/edu.mit.Kerberos: No such file or directory
{17} andre@donk [~] % cat /etc/krb5.conf
cat: /etc/krb5.conf: No such file or directory
{18} andre@donk [~] % kinit andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
Please enter the password for andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B:
{19} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 13:32:39 05/13/08 23:32:37 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

The take-home point here is that as long as you know the realm / principal name, it's business as usual. The "look up KDC for realm" and "look up realm for KDC" functionality is integrated into the system's kerberos frameworks. It is important to note that all of the secure aspects of the authentication are performed in the standard Kerberos manner.

==Advertising and Discovering==
Not surprisingly, the mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it it not unusual to use DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

Each Mac OS X system advertises its own LKDC. At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of the principal name is a new idea, so we cannot rely on standard Kerberos libraries to be able to construct the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it get fired up whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf!)

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
====NetAuthAgent====
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

====LKDCLocate====
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

====KerberosHelper====
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

====LKDCHelper====
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

====configureLocalKDC====
/usr/libexec/configureLocalKDC is a perl script that creates the LKDC at installation time (using kdcsetup, which also creates the directory services record), creates service principals and their corresponding keytabs, edits service config files for supported services, and installs a kerberos certificate into the system keychain. This is a pretty nice script, and is certainly worth a look. To give you an idea, consider the following data structure:

<pre> my %afp_config = (service => 'afpserver', realm => $LKDC_realm,
prefs => '/Library/Preferences/com.apple.AppleFileServer',
key => 'kerberosPrincipal', format => '%s/%s@%2$s');</pre>

==== VNCPrivilegeProxy====
/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy - unsure exactly what this does.
<pre>{9} root@donk [Default/config] # strings /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy
__dyld_make_delayed_module_initializer_calls
__dyld_mod_term_funcs
Starting Privilege Proxy
com.apple.RemoteDesktop.PrivilegeProxy
'%s' server already starting
bootstrap_check_in bootstrap_create_service() failed: status=%d
'%s' server already active
server_init bootstrap_check_in() failed: status=%d
server_init bootstrap_unprivileged() failed: status=%d
server_init task_set_bootstrap_port(): %s
mach_msg_server:
/Library/Preferences/com.apple.VNCSettings.txt
'2, /+0&7!4-)1#
80(
91)!
:2*"
;3+#>6.&
=5-%
<4,$</pre>

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.

LKDC

2008-05-13T20:45:23Z

Dre: Added kinit user@LKDC example

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The standard kerberos libraries pretty much assume and require that the server name portion of a kerberos principal be just that: a server name (or IP address). Also unlike most Kerberos deployments, the clients are not expected to maintain hard-coded references to other LKDCs, or any Kerberos client configuration at all for that matter (although it does continue to work if you have existing configuration).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

Apple has overcome both of these challenges rather well, although the vast majority of the LKDC implementation should be considered 'private' - don't go building apps around this. It is important to note that all of the secure aspects of the authentication are performed in the standard Kerberos manner. The discovery and harness acts as a thin wrapper that only barely extends into the Kerberos layer. How far does it extend? Consider the following:
<pre>{15} andre@donk [~] % klist
klist: No Kerberos 5 tickets in credentials cache
{16} andre@donk [~] % cat /Library/Preferences/edu.mit.Kerberos
cat: /Library/Preferences/edu.mit.Kerberos: No such file or directory
{17} andre@donk [~] % cat /etc/krb5.conf
cat: /etc/krb5.conf: No such file or directory
{18} andre@donk [~] % kinit andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
Please enter the password for andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B:
{19} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 13:32:39 05/13/08 23:32:37 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

The take-home point here is that as long as you know the realm / principal name, it's business as usual. The "look up KDC for realm" and "look up realm for KDC" functionality is integrated into the system's kerberos frameworks.

==Advertising and Discovering==
Not surprisingly, the mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it it not unusual to use DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

Each Mac OS X system advertises its own LKDC. At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of the principal name is a new idea, so we cannot rely on standard Kerberos libraries to be able to construct the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it get fired up whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf!)

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
====NetAuthAgent====
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

====LKDCLocate====
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

====KerberosHelper====
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

====LKDCHelper====
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

====configureLocalKDC====
/usr/libexec/configureLocalKDC is a perl script that creates the LKDC at installation time (using kdcsetup, which also creates the directory services record), creates service principals and their corresponding keytabs, edits service config files for supported services, and installs a kerberos certificate into the system keychain. This is a pretty nice script, and is certainly worth a look. To give you an idea, consider the following data structure:

<pre> my %afp_config = (service => 'afpserver', realm => $LKDC_realm,
prefs => '/Library/Preferences/com.apple.AppleFileServer',
key => 'kerberosPrincipal', format => '%s/%s@%2$s');</pre>

==== VNCPrivilegeProxy====
/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy - unsure exactly what this does.
<pre>{9} root@donk [Default/config] # strings /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy
__dyld_make_delayed_module_initializer_calls
__dyld_mod_term_funcs
Starting Privilege Proxy
com.apple.RemoteDesktop.PrivilegeProxy
'%s' server already starting
bootstrap_check_in bootstrap_create_service() failed: status=%d
'%s' server already active
server_init bootstrap_check_in() failed: status=%d
server_init bootstrap_unprivileged() failed: status=%d
server_init task_set_bootstrap_port(): %s
mach_msg_server:
/Library/Preferences/com.apple.VNCSettings.txt
'2, /+0&7!4-)1#
80(
91)!
:2*"
;3+#>6.&
=5-%
<4,$</pre>

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.

LKDC

2008-05-13T19:45:17Z

Dre: /* configureLocalKDC */

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The standard kerberos libraries pretty much assume and require that the server name portion of a kerberos principal be just that: a server name (or IP address).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

Apple has overcome both of these challenges rather well, although the vast majority of the LKDC implementation should be considered 'private' - don't go building apps around this.

==Advertising and Discovering==
Not surprisingly, the mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it it not unusual to use DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

Each Mac OS X system advertises its own LKDC. At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of the principal name is a new idea, so we cannot rely on standard Kerberos libraries to be able to construct the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it get fired up whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf!)

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
====NetAuthAgent====
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

====LKDCLocate====
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

====KerberosHelper====
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

====LKDCHelper====
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

====configureLocalKDC====
/usr/libexec/configureLocalKDC is a perl script that creates the LKDC at installation time (using kdcsetup, which also creates the directory services record), creates service principals and their corresponding keytabs, edits service config files for supported services, and installs a kerberos certificate into the system keychain. This is a pretty nice script, and is certainly worth a look. To give you an idea, consider the following data structure:

<pre> my %afp_config = (service => 'afpserver', realm => $LKDC_realm,
prefs => '/Library/Preferences/com.apple.AppleFileServer',
key => 'kerberosPrincipal', format => '%s/%s@%2$s');</pre>

==== VNCPrivilegeProxy====
/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy - unsure exactly what this does.
<pre>{9} root@donk [Default/config] # strings /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy
__dyld_make_delayed_module_initializer_calls
__dyld_mod_term_funcs
Starting Privilege Proxy
com.apple.RemoteDesktop.PrivilegeProxy
'%s' server already starting
bootstrap_check_in bootstrap_create_service() failed: status=%d
'%s' server already active
server_init bootstrap_check_in() failed: status=%d
server_init bootstrap_unprivileged() failed: status=%d
server_init task_set_bootstrap_port(): %s
mach_msg_server:
/Library/Preferences/com.apple.VNCSettings.txt
'2, /+0&7!4-)1#
80(
91)!
:2*"
;3+#>6.&
=5-%
<4,$</pre>

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.

LKDC

2008-05-13T12:36:53Z

Dre: /* configureLocalKDC */

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The standard kerberos libraries pretty much assume and require that the server name portion of a kerberos principal be just that: a server name (or IP address).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

Apple has overcome both of these challenges rather well, although the vast majority of the LKDC implementation should be considered 'private' - don't go building apps around this.

==Advertising and Discovering==
Not surprisingly, the mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it it not unusual to use DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

Each Mac OS X system advertises its own LKDC. At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of the principal name is a new idea, so we cannot rely on standard Kerberos libraries to be able to construct the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it get fired up whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf!)

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
====NetAuthAgent====
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

====LKDCLocate====
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

====KerberosHelper====
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

====LKDCHelper====
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

====configureLocalKDC====
/usr/libexec/configureLocalKDC is a perl script that creates the LKDC at installation time (using kdcsetup, which also creates the directory services record), creates service principals and edits service config files for supported services, and installs a kerberos certificate into the system keychain. This is a pretty nice script, and is certainly worth a look. To give you an idea, consider the following data structure:

<pre> my %afp_config = (service => 'afpserver', realm => $LKDC_realm,
prefs => '/Library/Preferences/com.apple.AppleFileServer',
key => 'kerberosPrincipal', format => '%s/%s@%2$s');</pre>

==== VNCPrivilegeProxy====
/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy - unsure exactly what this does.
<pre>{9} root@donk [Default/config] # strings /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy
__dyld_make_delayed_module_initializer_calls
__dyld_mod_term_funcs
Starting Privilege Proxy
com.apple.RemoteDesktop.PrivilegeProxy
'%s' server already starting
bootstrap_check_in bootstrap_create_service() failed: status=%d
'%s' server already active
server_init bootstrap_check_in() failed: status=%d
server_init bootstrap_unprivileged() failed: status=%d
server_init task_set_bootstrap_port(): %s
mach_msg_server:
/Library/Preferences/com.apple.VNCSettings.txt
'2, /+0&7!4-)1#
80(
91)!
:2*"
;3+#>6.&
=5-%
<4,$</pre>

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.

LKDC

2008-05-13T12:13:52Z

Dre:

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The standard kerberos libraries pretty much assume and require that the server name portion of a kerberos principal be just that: a server name (or IP address).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

Apple has overcome both of these challenges rather well, although the vast majority of the LKDC implementation should be considered 'private' - don't go building apps around this.

==Advertising and Discovering==
Not surprisingly, the mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it it not unusual to use DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

Each Mac OS X system advertises its own LKDC. At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of the principal name is a new idea, so we cannot rely on standard Kerberos libraries to be able to construct the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it get fired up whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf!)

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
====NetAuthAgent====
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

====LKDCLocate====
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

====KerberosHelper====
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

====LKDCHelper====
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

====configureLocalKDC====
/usr/libexec/configureLocalKDC is a perl script that creates the LKDC at installation time (with kdcsetup), creates service principals and edits service config files for supported services, and installs a kerberos certificate into the system keychain.

==== VNCPrivilegeProxy====
/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy - unsure exactly what this does.
<pre>{9} root@donk [Default/config] # strings /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy
__dyld_make_delayed_module_initializer_calls
__dyld_mod_term_funcs
Starting Privilege Proxy
com.apple.RemoteDesktop.PrivilegeProxy
'%s' server already starting
bootstrap_check_in bootstrap_create_service() failed: status=%d
'%s' server already active
server_init bootstrap_check_in() failed: status=%d
server_init bootstrap_unprivileged() failed: status=%d
server_init task_set_bootstrap_port(): %s
mach_msg_server:
/Library/Preferences/com.apple.VNCSettings.txt
'2, /+0&7!4-)1#
80(
91)!
:2*"
;3+#>6.&
=5-%
<4,$</pre>

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.

LKDC

2008-05-13T12:11:56Z

Dre:

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The standard kerberos libraries pretty much assume and require that the server name portion of a kerberos principal be just that: a server name (or IP address).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

Apple has overcome both of these challenges rather well, although the vast majority of the LKDC implementation should be considered 'private' - don't go building apps around this.

==Advertising and Discovering==
Not surprisingly, the mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it it not unusual to use DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

Each Mac OS X system advertises its own LKDC. At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of the principal name is a new idea, so we cannot rely on standard Kerberos libraries to be able to construct the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it get fired up whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf!)

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
===NetAuthAgent===
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

===LKDCLocate===
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

===KerberosHelper===
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

===LKDCHelper===
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

==configureLocalKDC==
/usr/libexec/configureLocalKDC is a perl script that creates the LKDC at installation time (with kdcsetup), creates service principals and edits service config files for supported services, and installs a kerberos certificate into the system keychain.

== VNCPrivilegeProxy==
/System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy - unsure exactly what this does.
<pre>{9} root@donk [Default/config] # strings /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Support/VNCPrivilegeProxy
__dyld_make_delayed_module_initializer_calls
__dyld_mod_term_funcs
Starting Privilege Proxy
com.apple.RemoteDesktop.PrivilegeProxy
'%s' server already starting
bootstrap_check_in bootstrap_create_service() failed: status=%d
'%s' server already active
server_init bootstrap_check_in() failed: status=%d
server_init bootstrap_unprivileged() failed: status=%d
server_init task_set_bootstrap_port(): %s
mach_msg_server:
/Library/Preferences/com.apple.VNCSettings.txt
'2, /+0&7!4-)1#
80(
91)!
:2*"
;3+#>6.&
=5-%
<4,$</pre>

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.

LKDC

2008-05-13T12:05:48Z

Dre: /* LKDCHelper */

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The standard kerberos libraries pretty much assume and require that the server name portion of a kerberos principal be just that: a server name (or IP address).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

Apple has overcome both of these challenges rather well, although the vast majority of the LKDC implementation should be considered 'private' - don't go building apps around this.

==Advertising and Discovering==
Not surprisingly, the mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it it not unusual to use DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

Each Mac OS X system advertises its own LKDC. At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of the principal name is a new idea, so we cannot rely on standard Kerberos libraries to be able to construct the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it get fired up whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf!)

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
===NetAuthAgent===
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

===LKDCLocate===
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

===KerberosHelper===
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

===LKDCHelper===
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

* /usr/libexec/configureLocalKDC - this is a perl script that creates the LKDC at installation time (with kdcsetup), including creating service principals, editing service config files, and installing a kerberos certificate into the system keychain.

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.

LKDC

2008-05-13T12:00:59Z

Dre:

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The standard kerberos libraries pretty much assume and require that the server name portion of a kerberos principal be just that: a server name (or IP address).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

Apple has overcome both of these challenges rather well, although the vast majority of the LKDC implementation should be considered 'private' - don't go building apps around this.

==Advertising and Discovering==
Not surprisingly, the mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it it not unusual to use DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

Each Mac OS X system advertises its own LKDC. At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of the principal name is a new idea, so we cannot rely on standard Kerberos libraries to be able to construct the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it get fired up whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf!)

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
===NetAuthAgent===
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

===LKDCLocate===
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

===KerberosHelper===
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

===LKDCHelper===
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

* /usr/libexec/configureLocalKDC - this is a perl script that creates the LKDC at installation time, including creating service principals, editing service config files, and installing a kerberos certificate into the system keychain.

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.

LKDC

2008-05-13T11:57:37Z

Dre: /* Using KerberosHelper */

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The standard kerberos libraries pretty much assume and require that the server name portion of a kerberos principal be just that: a server name (or IP address).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

==Advertising and Discovering==
Not surprisingly, the mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it it not unusual to use DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

Each Mac OS X system advertises its own LKDC. At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of the principal name is a new idea, so we cannot rely on standard Kerberos libraries to be able to construct the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it get fired up whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf!)

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
===NetAuthAgent===
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

===LKDCLocate===
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

===KerberosHelper===
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

===LKDCHelper===
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

* /usr/libexec/configureLocalKDC - this is a perl script that creates the LKDC at installation time, including creating service principals, editing service config files, and installing a kerberos certificate into the system keychain.

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.

LKDC

2008-05-13T11:56:50Z

Dre: /* Advertising and Discovering */

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The standard kerberos libraries pretty much assume and require that the server name portion of a kerberos principal be just that: a server name (or IP address).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

==Advertising and Discovering==
Not surprisingly, the mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it it not unusual to use DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

Each Mac OS X system advertises its own LKDC. At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of the principal name is a new idea, so we cannot rely on standard Kerberos libraries to be able to construct the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it get fired up whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf)!

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
===NetAuthAgent===
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

===LKDCLocate===
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

===KerberosHelper===
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

===LKDCHelper===
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

* /usr/libexec/configureLocalKDC - this is a perl script that creates the LKDC at installation time, including creating service principals, editing service config files, and installing a kerberos certificate into the system keychain.

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.

LKDC

2008-05-13T11:49:18Z

Dre: /* Harnessing Authentication */

The local KDC in Leopard is pretty rad. In the absence of any real documentation, this page exists as a jumble of observations and theories.

==Positioning and Use in Leoaprd==
The Local KDC (LKDC) is a Kerberos implementation that extends "single sign-on" capabilities into ad-hoc networks. The LKDC supports the AFP, CIFS, and VNC services included in Mac OS X and Mac OS X Server. At the surface, the LKDC looks pretty much just like a regular Kerberos setup... you can log into one of the above named services and get Kerberos tickets, use standard tools like klist to manage tickets, use kadmin to administer the KDC, etc, etc. Some examples:

<pre>{3} andre@donk [~] % sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
3 vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{10} andre@donk [~] % sudo kadmin.local -q listprincs
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
K/M@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
afpserver/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
cifs/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/changepw@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/donk.local@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
kadmin/history@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
krbtgt/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
vnc/LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD</pre>

<pre>{13} andre@donk [~] % sudo kadmin.local -q 'get_principal andre'
Authenticating as principal andre/admin@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B with password.
Principal: andre@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Expiration date: [never]
Last password change: Sat May 10 21:43:57 PDT 2008
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sat May 10 21:43:57 PDT 2008 (root/admin@LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]</pre>

<pre>{106} andre@donk [~] % klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: andre@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B

Valid Starting Expires Service Principal
05/13/08 00:35:00 05/13/08 10:34:58 krbtgt/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58
05/13/08 00:35:00 05/13/08 10:34:58 vnc/LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B@LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
renew until 05/20/08 00:34:58</pre>

==Standard Deviation==
The crux of the LKDC implementation is the use of a SHA1 hash in place of the server name portion of a kerberos principal, effectively insulating Kerberos from dynamic network conditions. This significant re-definition of a kerberos principal is really cool, but also not standard. The standard kerberos libraries pretty much assume and require that the server name portion of a kerberos principal be just that: a server name (or IP address).

This presents two primary challenges:
* Advertising and discovering LKDC realm information in an ad-hoc, peer to peer context
* Harnessing the authentication process to construct the special kerberos principal and then handing it off to Kerberos

==Advertising and Discovering==
Not surprisingly, the mechanism used to advertise and discover LKDC information is multicast DNS, as it is very well suited to ad-hoc networks. In other more standard Kerberos deployments, it it not unusual to use DNS to discover Kerberos information in the absence of local configuration (see references at the bottom of the page), but with standard kerberos, the discovery is limited to realm name or KDC name. From the krb5.conf man page [libdefaults] section:

<pre> dns_lookup_kdc
Indicate whether DNS SRV records shoud be used to locate the KDCs and
other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the Ker-
beros realm of a host. The default is not to use these records.</pre>

At some point during or after startup, the LKDC realm name is read from Directory Services, e.g.
dscl . -read /Config/KerberosKDC RealName
The LKDC realm name is then advertised in the txt portion of a multicast DNS record called _kerberos in the .local name space. This record may be manually queried as follows:

dns-sd -Q "_kerberos.donk.local" txt

Replace "donk" with the bonjour name of a Leopard machine on your local network (can test on yourself if needed).

The result is a string of hex characters. This command does not terminate, so control-C to stop it. Now take the hex and run it through xxd -r -c 256.

xxd -r -c 256

<paste in the hex string, press return>

The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD

==Harnessing Authentication==
The notion of using a unique hash as the sever name portion of the principal name is a new idea, so we cannot rely on standard Kerberos libraries to be able to construct the correct principal name based on the LKDC's realm name. Accordingly, the authentication process is brokered for supported service clients, in order to perform the LKDC realm name discovery and then construct a kerberos principal name that is correct for the remote LKDC. Once the correct service principal name is obtained, it is handed off to Kerberos and works normally.

The client-side authentication broker (for supported services!) is called NetAuthAgent, and you'll see it get fired up whenever you use vnc, afp, cifs. Think of this as a session manager, of sorts.

Most of the advertisement, discovery, and management functions involving the LKDC are provided by a private framework called KerberosHelper, and a Kerberos framework plugin called LKDCLocate.

==Using KerberosHelper==
Some of the basic methods provided by KerberosHelper might be exercised as follows (big ups to landonf)!

krb.c contains the following:
<pre>#include <stdio.h>
#include <unistd.h>
#include <stdint.h>
#include <stdlib.h>

extern int LKDCGetLocalRealm(char **realm);
extern int LKDCDiscoverRealm(const char *host, char **realm);

// XXX arg1 - 1 seems to trigger the dump to syslog.
extern int LKDCDumpStatus(int32_t arg1);

void find_realm (const char *host) {
char *realm;
char *kdc;
uint32_t arg3;

/* Find the realm */
if (LKDCDiscoverRealm(host, &realm) == 0) {
printf("Disovered Realm (%s): %s\n", host, realm);
}

free(realm);
}

int main(int argc, char *argv[]) {
char *local_realm;

if (LKDCGetLocalRealm(&local_realm) == 0) {
printf("Local Realm: %s\n", local_realm);
free(local_realm);
}

/* Dump to syslog. XXX argument '1' is a guess */
LKDCDumpStatus(1);

if (argc < 2) {
printf("Usage: %s <hostname>\n", argv[0]);
return 1;
}

find_realm(argv[1]);

return 0;
}</pre>

Compile with:

gcc krb.c -o krb -F/System/Library/PrivateFrameworks -framework KerberosHelper

Run it with one argument: a bonjour name of a leopard machine on your network. e.g.
<pre>{33} andre@donk [work/krb] % ./krb dude.local
Local Realm: LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
Disovered Realm (dude.local): LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B</pre>

Also, check your system.log. LKDCDumpStatus produces something like:
<pre>May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: Cache root node = 0x1034f0
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x1034f0 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x1059d0) LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x104d50) donk.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: node = 0x106030 {
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: realmName = (0x106460) LKDC:SHA1.C81B8D1A890D4D4DD079059A54594AA53B9A1A2B
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: serviceHost = (0x105fd0) dude.local
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: servicePort = 88
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: TTL = 7200
May 13 02:38:56 donk LKDCHelper[30484]: LKDCDumpCacheStatus: }</pre>

==Interesting Files==
===NetAuthAgent===
This appears to be a service client helper that manages the authentication process at a high level on behalf of various clients included with Mac OS X. A string dump reveals the following chunk of kerberos service names:
<pre>vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver</pre>
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
<pre>{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket</pre>

<pre>{14} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent:
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation</pre>

NetAuthAgent.app also includes NetAuthSysAgent, which appears to be a variant of NetAuthAgent for handling system-level operations that do not require user interface. It contains lots of filesystem semantics, and also appears to deal with certificates.

<pre>{108} andre@donk [~] % otool -L /System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent | cut -d ' ' -f1
/System/Library/CoreServices/NetAuthAgent.app/Contents/Resources/NetAuthSysAgent:
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/PrivateFrameworks/URLMount.framework/Versions/A/URLMount
/System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
/System/Library/Frameworks/SecurityInterface.framework/Versions/A/SecurityInterface
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/usr/lib/libobjc.A.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation</pre>

===LKDCLocate===
This (non-private?) Kerberos framework plugin looks like it's able to perform DNS queries to retrieve LKDC info. It also seems to interact with a mach service created by LKDCHelper called com.apple.KerberosHelper.LKDCHelper.
<pre>{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]</pre>

<pre>{112} andre@donk [~] % otool -L /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
/System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate:
/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)</pre>

===KerberosHelper===
This private framework appears to provide API that can be used on behalf of service clients (or their agents) to discover the LKDC information of a remote realm.
<pre>{6} root@donk [~] # strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/KerberosHelper
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
LKDC:
%s: krb5 call got %d (%s) on %s:%d
realm_for_host
(null)
[[[ %s: hostname=%s hintrealm=%s
/SourceCache/KerberosHelper/KerberosHelper-31/Source/KerberosHelper.c
%s: krb5_get_host_realm success
%s: krb5_get_host_realm returned unusable realm!
%s: LKDCDiscoverRealm success
]]] %s: returning realm=%s
]]] %s: failed to determine realm
[[[ KRBCopyRealm () - required parameters okay
]]] KRBCopyRealm () = %d
[[[ KRBCopyKeychainLookupInfo () - required parameters okay
Username
KeychainAccountName
DisableSaveToKeychain
edu.mit.Kerberos.KerberosAgent
SavePasswordDisabled
KRBCopyKeychainLookupInfo: DisableSaveToKeychainKey = TRUE
KRBCopyKeychainLookupInfo: CFPreferencesCopyAppValue == NULL
]]] KRBCopyKeychainLookupInfo () = %d
[[[ KRBCopyServicePrincipal () - required parameters okay
KRBCopyServicePrincipal: svcName mismatch inService = "%s", svcName = "%s"
KRBCopyServicePrincipal: useName = "%s"
LKDC:
KRBCopyServicePrincipal: realm is Local KDC.
KRBCopyServicePrincipal: Bad inHostName, using svcInstance = "%s"
KRBCopyServicePrincipal: useInstance = "%s"
KRBCopyServicePrincipal: Fatal - Bad inHostName & no inAdvertisedPrincipal
%s/%s@%s
KRBCopyServicePrincipal: principal = "%s/%s@%s"
]]] KRBCopyServicePrincipal () = %d
KRBCopyClientPrincipalInfo
[[[ KRBCopyClientPrincipalInfo () - required parameters okay
Certificate
KRBCopyClientPrincipalInfo: Certificate information in dictionary
KRBCopyClientPrincipalInfo: Certificate not present in dictionary
.Mac Sharing Certificate
%@@%@
KRBCopyClientPrincipalInfo: Using login name = "%s"
KRBCopyClientPrincipalInfo: principal guess = "%s"
KRBCopyClientPrincipalInfo: ccache principal match = "%s"
KRBCopyClientPrincipalInfo: found a single ticket for realm, replacing principal & username
KRBCopyClientPrincipalInfo: Setting found Username to = "%s"
KRBCopyClientPrincipalInfo: using principal = "%s"
ClientPrincipal
KRBCopyClientPrincipalInfo: usingCertificate == %d
UsingCertificate
CetificateHash
CertificateInferredLabel
KRBCopyClientPrincipalInfo: InferredLabel = "%s"
]]] KRBCopyClientPrincipalInfo () = %d
%@@%s
[[[ KRBTestForExistingTicket () - required parameters okay
KRBTestForExistingTicket: principal = "%s"
KRBTestForExistingTicket: Valid Ticket, ccacheName = "%s"
]]] KRBTestForExistingTicket () = %d
KRBAcquireTicket
[[[ KRBAcquireTicket () - required parameters okay
KRBAcquireTicket: Using a certificate
Password
]]] KRBAcquireTicket () = %d
[[[ KRBCloseSession () - required parameters okay
]]] KRBCloseSession () = %d
parse_principal_name
KRBCreateSession
[[[ %s () - required parameters okay
%s: LocalKDC realm lookup only
%s: __KRBCreateUTF8StringFromCFString failed
[[[ %s () decomposing %s
]]] %s () - %d
%s: processed host name = %s
%s.local
%s: last char of host name = 0x%02x
success
%s: getaddrinfo = %s (%d)
%s: canonical host name = %s
%s: secondary match = %s
%s: primary match = %s
%s: could not find a suitable host/realm mapping
%s: Using host name = %s, realm = %s
]]] %s () = %d
KerberosKDC
dsRecTypeStandard:Config
realname
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error></pre>

===LKDCHelper===
This executable is part of the KerberosHelper framework and is a launch agent that runs in the user's namespace. This appears to fire up a mach service called com.apple.KerberosHelper.LKDCHelper that is used for IPC with other interested parties (see: elsewhere on this page).
<pre>{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
</pre>

* /usr/libexec/configureLocalKDC - this is a perl script that creates the LKDC at installation time, including creating service principals, editing service config files, and installing a kerberos certificate into the system keychain.

==Resources==
* http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh / sshd, in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.

* http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.

* http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.

* http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby

* http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.

* http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using dns.

* http://www.dns-sd.org/ServiceTypes.html multicast DNS service types

* http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general

* http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.