Changing KMS to use Kerberos

On Tiger
  1. Edit the /usr/local/kerio/mailserver/ldapmap/apple.map file. Change the Auth_Type from 4 to 3.
  2. Restart KMS. If it works now, you are done. Beware: if they are not on 6.1.1 patch 1 or later, KMS might crash with bug 9245.
  3. If it still does not work, they probably have the Kerberos realm name wrong. Look in the /Library/Preferences/edu.mit.Kerberos file and compare its default_realm parameter with the realm entered in the Advanced tab of the domain settings for that domain.
  4. If it still doesn't work, and you see the following in the logs:
    [27/Oct/2005 17:19:15][35813376] {auth} Krb5: entering auth (user: agerson@MASTER.CGPS.ORG)
    [27/Oct/2005 17:19:15][35813376] {auth} Krb5: spoofed TGT? verify_init_creds() for krbtgt/MASTER.CGPS.ORG@MASTER.CGPS.ORG, host/agerson.cgps.org@MASTER.CGPS.ORG: Key table entry not found, error code 0x96c73ab5 (-1765328203)
    
    Then, check the /etc/openldap/ldap.conf file for the following:
     BASE         dc=MASTER, dc=DOMAIN, dc=ORG
     URI         ldap://MASTER.DOMAIN.ORG
    
    Tailor it to the correct Kerberos realm name. (Note: we don't know why this works, but it often fixes the problem.)
  5. Finally, if there are still errors such as the ones in the previous item, see comments 8 and 10 on bug 9245.
  6. If KMS begins crashing whenever they log in, be sure they are on 6.1.1 patch 1. This is most likely bug 9170 (which is really Apple bug 4329349).
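
The steps above amount to making three files agree on one realm: Auth_Type in apple.map must be 3, default_realm in edu.mit.Kerberos must name the realm, and the BASE/URI lines in ldap.conf must be tailored to that same realm rather than left as the MASTER.DOMAIN.ORG template. The script below is an added example, not Kerio's code or part of the original note: it reads copies of those three files from one directory and reports any disagreement before you restart KMS. The apple.map line syntax (a line containing Auth_Type followed by a number) and the layout of the sample files are assumptions; the realm MASTER.CGPS.ORG comes from the log excerpt above.

```shell
#!/bin/sh
# Added example (not from the original note). Cross-checks the three files
# the Tiger troubleshooting steps touch. Pass a directory holding copies of
# apple.map, edu.mit.Kerberos and ldap.conf; exit status 0 means they agree.

# Integer following Auth_Type in apple.map (line syntax is an assumption).
kms_auth_type() {
    sed -n 's/.*Auth_Type[^0-9]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# default_realm from the [libdefaults] section of edu.mit.Kerberos.
kms_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Turn the ldap.conf BASE "dc=MASTER, dc=DOMAIN, dc=ORG" into MASTER.DOMAIN.ORG.
kms_ldap_base_realm() {
    sed -n 's/^[[:space:]]*BASE[[:space:]]*//p' "$1" | head -n 1 \
      | tr -d ' \t' | sed 's/dc=//g; s/,/./g' | tr '[:lower:]' '[:upper:]'
}

# Host part of the ldap.conf URI (ldap://HOST), upper-cased for comparison.
kms_ldap_uri_host() {
    sed -n 's|^[[:space:]]*URI[[:space:]]*ldaps*://\([^/:[:space:]]*\).*|\1|p' "$1" \
      | head -n 1 | tr '[:lower:]' '[:upper:]'
}

# Print every mismatch found; return 0 only when all checks pass.
kms_check() {
    dir=$1
    status=0
    auth=$(kms_auth_type "$dir/apple.map")
    realm=$(kms_default_realm "$dir/edu.mit.Kerberos")
    base=$(kms_ldap_base_realm "$dir/ldap.conf")
    host=$(kms_ldap_uri_host "$dir/ldap.conf")

    if [ "$auth" != "3" ]; then
        echo "apple.map: Auth_Type is '${auth:-unset}', step 1 requires 3"
        status=1
    fi
    if [ -z "$realm" ]; then
        echo "edu.mit.Kerberos: no default_realm found"
        status=1
    fi
    if [ "$base" != "$realm" ]; then
        echo "ldap.conf: BASE maps to '$base' but default_realm is '$realm'"
        status=1
    fi
    if [ "$host" != "$realm" ]; then
        echo "ldap.conf: URI host '$host' does not match realm '$realm'"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "all three files agree on realm $realm"
    fi
    return "$status"
}

# Constructed sample files (not copied from any real system) for a dry run:
# $2 is the Auth_Type value, $3 the middle dc= component of BASE.
kms_write_sample() {
    dir=$1
    mkdir -p "$dir"
    printf 'Auth_Type = %s\n' "$2" > "$dir/apple.map"
    printf '[libdefaults]\n\tdefault_realm = MASTER.CGPS.ORG\n' > "$dir/edu.mit.Kerberos"
    printf 'BASE dc=master, dc=%s, dc=org\nURI ldap://master.cgps.org\n' "$3" > "$dir/ldap.conf"
}

# Demo: a tailored set passes, an untouched template (Auth_Type 4, dc=domain) fails.
tmp=$(mktemp -d)
kms_write_sample "$tmp/good" 3 cgps
kms_write_sample "$tmp/bad" 4 domain
kms_check "$tmp/good"
kms_check "$tmp/bad" || echo "(untailored sample exits non-zero, as expected)"
rm -rf "$tmp"
```

On a real box, copy the three files into one directory (the live paths are /usr/local/kerio/mailserver/ldapmap/apple.map, /Library/Preferences/edu.mit.Kerberos and /etc/openldap/ldap.conf) and run `kms_check` against it; a non-zero exit tells you which of steps 1, 3 or 4 still applies.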

On Panther
Some steps must be taken to configure Kerberos on Panther before you begin. If you are lucky, OS X 10.3.9 might just work at step 2 above; try it and see.