I recently had to set up a new Mac Pro running OS X Leopard (10.5) to run on our network. All of our other Macs are currently running Tiger (10.4), but this new quad-core machine cannot. Upon trying to get Kerberos authentication (GSSAPI) working, I ran into a little bit of a snag that took me a little while to figure out.
On Tiger, the minimal Kerberos configuration file (/Library/Preferences/edu.mit.Kerberos) needed to look like this:
[libdefaults]
default_realm = EXAMPLE.COM
This setup assumes that the Kerberos realm matches the DNS domain name of the machine, and also depends on the proper DNS SRV records being set up. However, when I copied this file to the Leopard machine, it didn’t seem to work properly. After a little troubleshooting, I found that I needed to add the following section to the configuration file:
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
This section maps the DNS domain name to the Kerberos realm. For whatever reason, this used to happen automatically, but now it needs to be stated explicitly. Go figure…
Hopefully this saves someone else out there some time!
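To see what the [domain_realm] section changes, here is an added example (not part of the original post, and not Apple's or MIT's code) that models the matching rule MIT Kerberos documents for that section: an entry without a leading dot matches that exact name, and an entry with a leading dot matches every host under that domain. The hostnames and the function names are constructed for illustration.

```python
import re

# The two configurations from this post, embedded as sample input.
TIGER_CONFIG = """
[libdefaults]
default_realm = EXAMPLE.COM
"""
LEOPARD_CONFIG = TIGER_CONFIG + """
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
"""

def parse_krb5_profile(text):
    """Parse flat '[section]' / 'key = value' lines into a dict of dicts."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def realm_for_host(profile, hostname):
    """Return the realm an explicit [domain_realm] entry gives hostname, else None."""
    mapping = {k.lower(): v for k, v in profile.get("domain_realm", {}).items()}
    candidate = hostname.lower().rstrip(".")
    # Try the full name, then each parent domain with and without the leading dot:
    # mac.example.com -> .example.com -> example.com -> .com -> com
    while candidate:
        if candidate in mapping:
            return mapping[candidate]
        if candidate.startswith("."):
            candidate = candidate[1:]
        else:
            dot = candidate.find(".")
            candidate = candidate[dot:] if dot != -1 else ""
    return None

if __name__ == "__main__":
    for name, text in (("Tiger-style", TIGER_CONFIG), ("Leopard-style", LEOPARD_CONFIG)):
        profile = parse_krb5_profile(text)
        print(name, "->", realm_for_host(profile, "mac.example.com"))
```

A result of None means no explicit mapping applies, so the client has to derive the realm some other way, which is the step that stopped happening automatically on the Leopard machine.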