I am the de facto Mac sysadmin for a few Mac labs on a campus that is primarily Windows, and we have the Macs configured to do single login via Kerberos and get their directory info via LDAP and NFS. This works fine for someone physically sitting at the machine, but I am running into a brick wall when it comes to sshing into these machines. ssh itself definitely works: I can ssh into the machine with a local user and password. And as I said, the kerberized login works fine from console. It's just getting the two to talk to each other.... Furthermore, there is a Linux box that we can successfully log into via Kerberos, so it's unlikely to be anything on the client side.

Things I've tried:

  • Editing /etc/authorization and changing "authinternal" under system.login.tty to "builtin:krb5authnoverify,privileged" (I think this used to work; the same change to system.login.console is definitely what makes the console logins work)
  • Editing /etc/sshd_config and setting "GSSAPIAuthentication yes" (this makes it match the sshd_config on the Linux box we can log in to)
  • In the same file, turning on "KerberosAuthentication" and friends (just because it looked promising)

Any ideas?