Destroy Kerberos Ticket

Since we deployed Leopard to the computer labs at work, I’ve been running into an annoying problem involving Kerberos. I hadn’t spent any time trying to figure out how to work around it until now because it really only affects administrators. We can deal with our own problems, right?

When a user logs in, they authenticate to our server with their account username (call her Alice for this example). At that point the login process obtains a Kerberos ticket-granting ticket for Alice and keeps it in her credentials cache. From then on, whenever she connects to an AFP share on the server, Leopard assumes she wants to connect as the same user, Alice: the cached ticket is still valid, so the AFP client uses it to obtain a service ticket and she is authenticated as Alice without ever being prompted. Of course, this makes perfect sense. That’s the whole point of Kerberos: single sign-on.

The problem lies in the assumption that the user wants to connect as the same user every time. What if Alice is actually an admin who needs to log on to a share with different credentials? Here’s an example: I’m testing a student account, with normal student privileges. During my testing, I need to access a document from our administrative share point. Obviously the student account does not have access to the administrative share point, so I need to log in to the share as a user who does.

Unfortunately, Leopard will not even ask me which account I want to use, because I already hold a valid Kerberos ticket for the student account. Fortunately, after finally getting fed up with this, a quick bit of googling solved it.

All that needs to be done is to destroy the Kerberos ticket. Open Keychain Access and choose Kerberos Ticket Viewer from the Keychain Access menu, select your ticket in the window and click Destroy. (From Terminal, klist shows the cached ticket and kdestroy removes it.) This doesn’t harm anything: it only removes the ticket from your local credentials cache, nothing changes on the server, and volumes you already have mounted stay mounted. The next time you connect to the server you will be asked to authenticate again, and at that point you can authenticate as a different user.

Alternatively, you could obtain a second Kerberos ticket for a different username on the same server (with kinit, or from the Ticket Viewer) and, before authenticating to a share, simply make that user the active one. Unfortunately, it seems you can only use one at a time. For example, I could not mount two different users’ home directories at the same time: I had to activate a user, mount their home directory, eject it, activate the second user, and then mount their home directory. As you can probably see, there doesn’t really seem to be a reason why this would be useful. Simply destroying the ticket is probably the best bet.
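The same check from Terminal, as an added example that is not part of the original post: it reads what klist reports, decides whether the cached ticket belongs to the user you want to connect as, and only then runs kdestroy and kinit. The realm EXAMPLE.EDU, the principal names and the klist listing are made up for the example, and the exact klist output format is an assumption.

```sh
#!/bin/sh
# Added example, not from the original post. It assumes the Kerberos
# command-line tools that ship with Mac OS X 10.5 (klist, kdestroy, kinit)
# and uses a constructed klist listing so the checks also run offline.

# Pull the principal out of a klist listing. Both the MIT klist in 10.5 and
# the later Heimdal one print a line of the form "... principal: user@REALM"
# (an assumption about the output format; adjust the pattern if yours differs).
cached_principal() {
    printf '%s\n' "$1" | grep -i 'principal:' | head -n 1 | awk '{print $NF}'
}

# What to do with the cache before connecting as $2, given klist output $1:
#   none     no ticket cached, Finder will prompt anyway
#   keep     the cached ticket already belongs to the wanted principal
#   destroy  the cached ticket belongs to someone else and would be reused
ticket_action() {
    have=$(cached_principal "$1")
    if [ -z "$have" ]; then
        echo none
    elif [ "$have" = "$2" ]; then
        echo keep
    else
        echo destroy
    fi
}

# Constructed sample of what klist shows after Alice logs in (not real output).
SAMPLE_KLIST="Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: alice@EXAMPLE.EDU

Valid Starting     Expires            Service Principal
03/14/08 09:00:00  03/14/08 19:00:00  krbtgt/EXAMPLE.EDU@EXAMPLE.EDU"

# Make sure the cache holds a ticket for $1 before mounting a share, so the
# AFP client cannot silently reuse the logged-in user's ticket. Without the
# real tools (e.g. on a non-Mac box) it falls back to the sample listing and
# only reports what it would do.
connect_as() {
    wanted="$1"
    if command -v klist >/dev/null 2>&1; then
        listing=$(klist 2>/dev/null || true)
        live=1
    else
        listing="$SAMPLE_KLIST"
        live=0
    fi
    action=$(ticket_action "$listing" "$wanted")
    echo "cached: $(cached_principal "$listing"); wanted: $wanted; action: $action"
    if [ "$action" = keep ]; then
        return 0
    fi
    if [ "$live" = 1 ]; then
        if [ "$action" = destroy ]; then
            kdestroy            # drop the cached ticket...
        fi
        kinit "$wanted"         # ...and get one for the other user (prompts for a password)
    fi
}

# Example: connect_as admin@EXAMPLE.EDU
```

After kinit has obtained a ticket for the other user, connect to the share as usual (Go → Connect to Server, or mount_afp from Terminal) and the AFP client will use that ticket. Destroying the ticket does not log you out or unmount anything; it only changes whose credentials the next connection uses.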

For more information, see Apple’s knowledge base article “Mac OS X 10.5: About Kerberos in Mac OS X 10.5 clients”.

Let Me Google That For You

If you work in IT support, or even just have a reputation for being pretty good with computers, I imagine a lot of lazy people ask you dumb questions about computers. For me, one of the most frustrating aspects of working in IT support is constantly being asked to help people who won’t help themselves. The initiative to actually look for answers to common problems often seems to be completely missing.

Finally, Dave Child of Added Bytes has developed the solution: Let Me Google That For You Bookmarklet. Simply brilliant.

Apple Mail Error 471

A couple of weeks ago I finally got around to actually upgrading to Leopard on my laptop. One of the things I was interested in trying out once I got upgraded was Apple Mail’s new Note feature.

I fired up Mail and clicked the note icon and… nothing happened. Hmmm, check the menu bar. File → New Note… nothing again. Okay, I thought to myself, something’s wrong here. Maybe I should do a Google search. Hmmm, what to search for? “Mail Notes Error.” Too generic; I’ll try being more specific: “Apple Mail error opening new note.” Grrr. Try several other search strings. #@$%*!¹

Okay, so at this point it’s clear that googling the problem is not going to work. I fire up Console to see if there are any enlightening error messages. Console does at least offer me something: “Mail[471] font-family cannot be nil”. (The 471 is just Mail’s process ID as recorded in the log line, not an error code; it will be a different number the next time Mail launches.)
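An added example, not from the original post, of pulling the same information out of /var/log/system.log from Terminal instead of scrolling through Console. The log lines are constructed, with a second launch of Mail added to show the bracketed number changing from one launch to the next:

```sh
#!/bin/sh
# Added example, not from the original post. The log lines below are a
# constructed excerpt in the format Mac OS X 10.5 writes to
# /var/log/system.log; they are not the author's real log.
SAMPLE_LOG='Mar 14 09:12:01 macbook Mail[471]: font-family cannot be nil
Mar 14 09:12:03 macbook kernel[0]: AFP_VFS afpfs_mount: /Volumes/Admin
Mar 14 09:15:40 macbook Mail[512]: font-family cannot be nil'

# Print "pid message" for every line logged by process $2 in log text $1.
# syslog records the sender as NAME[PID]:, so the bracketed number is the
# process ID of that particular launch, not an error code.
messages_for() {
    printf '%s\n' "$1" | sed -n 's/^.* '"$2"'\[\([0-9]*\)\]: \(.*\)$/\1 \2/p'
}

# How many distinct launches of $2 logged something (one PID per launch).
launch_count() {
    messages_for "$1" "$2" | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# On a real 10.5 machine the current log is kept uncompressed, so:
#   messages_for "$(cat /var/log/system.log)" Mail
```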

Mail Error-font-family cannot be nil

Hmm, that looks like gibberish to me. I do some more unsuccessful Google searches. Finally, I decide to try decoding the message again. It means that somewhere a font family is not selected or is unavailable, and we know it happens when a new note is being created. I opened Mail again and started perusing the preferences. Lo and behold, under the Fonts & Colors tab, I found this:

Mail Preference Pane for Fonts and Colors

The field for the Note font is completely blank. I selected a font and attempted to open a new note. Success!

As it turned out, this was a very simple solution to a very silly problem, and it took me over an hour to figure out. Unfortunately, I’ve never been able to figure out why that field was blank in the first place. I wonder how many other people have had this exact problem and just given up on trying to figure it out.

  1. Side rant: What exactly was Apple thinking when they named their email client “Mail”? Could they have thought of a worse name? It is nearly impossible to search for information about a problem with the program, because “mail” can refer to so many things. It’s like buying a computer whose model name is “computer”. Then say that computer won’t start up one day. You find another computer and start searching for the problem, and your query looks something like this: [brand name] computer won’t start. Completely useless.

Do Not Reply (.com)

You know all those emails from companies that say “DO NOT REPLY”? As it turns out, some genius programmers really like to go the extra mile to make sure their users do not reply… to them. They set the Reply-To address on the emails they send to something of the form something@donotreply.com. You know, so they don’t get the replies (or the bounces).

Trouble is, donotreply.com is a real, registered domain, and any email sent to it is received by someone. In fact, Chet Faliszek will probably get the email, because he owns donotreply.com, and he likes to post the best of the embarrassing mistakes. If you really don’t want replies, point Reply-To at a mailbox on a domain you control, or use an address under .invalid, a top-level domain that RFC 2606 reserves so it can never be registered; any real domain you don’t own hands your customers’ replies, and whatever they contain, to a stranger.
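A small lint, added here as an example and not from the original post or Coding Horror, that a mailer’s test suite could run over an outgoing message to catch this: it accepts Reply-To and From addresses only at domains you own or under the TLDs reserved by RFC 2606. The domains example.edu and mail.example.edu and the sample message are made up.

```sh
#!/bin/sh
# Added example, not from the original post. The organization's domains
# and the sample message below are assumptions made up for this check.
OUR_DOMAINS="example.edu mail.example.edu"

# Lower-cased domain part of an address, or nothing if it is not user@host.
domain_of() {
    printf '%s\n' "$1" | awk -F@ 'NF == 2 { print tolower($2) }'
}

# A Reply-To (or From) is safe only if replies and bounces land somewhere we
# control: one of our own domains, or a name under a TLD that RFC 2606
# reserves and nobody can ever register (.invalid is the one meant for this).
# Anything else, donotreply.com included, belongs to whoever registered it.
reply_to_ok() {
    d=$(domain_of "$1")
    [ -n "$d" ] || return 1
    for ours in $OUR_DOMAINS; do
        if [ "$d" = "$ours" ]; then return 0; fi
    done
    case "$d" in
        *.invalid|*.test|*.example|*.localhost) return 0 ;;
    esac
    return 1
}

# Constructed message header as a careless mailer might emit it (not real mail).
SAMPLE_MSG='From: Billing <billing@example.edu>
Reply-To: something@donotreply.com
Subject: Your invoice

Please do not reply to this message.'

# Check every From: and Reply-To: header of raw message $1 and print one
# "ok"/"LEAK" line per header. Header parsing stops at the first blank line.
lint_message() {
    printf '%s\n' "$1" | awk '
        /^$/ { exit }
        /^(From|Reply-To):/ { addr = $NF; gsub(/[<>]/, "", addr); print $1, addr }
    ' | while read -r hdr addr; do
        if reply_to_ok "$addr"; then
            echo "ok   $hdr $addr"
        else
            echo "LEAK $hdr $addr"
        fi
    done
}

# Number of headers that would hand replies to a third party.
leak_count() {
    lint_message "$1" | grep -c '^LEAK' || true
}

# Example: lint_message "$SAMPLE_MSG"
```

Run against the sample message it reports the From header as ok and flags the Reply-To as a leak; swapping the Reply-To for noreply@example.edu or bounces@noreply.invalid makes it pass.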

Via Coding Horror.

Mac OS X Security

Preface and Disclaimer

This paper presents an overview of the security situation of Mac OS X. Its purpose is to present security in a very easy-to-understand fashion. I firmly believe there is an absurd amount of FUD about computer security in general, mostly propagated by vendors of antivirus software and their partners. For Mac OS X specifically, it is very difficult to get accurate, non-sensational information about what the real security threats are. This paper began as a genuine effort to figure out, and then convey, the real status of Mac OS X security.

Please be aware that I am no security expert (nor am I a hacker), but simply a normal computer nerd with a passion for most things relating to computers and design. I have made every effort to consult the writings of security experts and to convey accurate information. If any security ninjas out there find inaccuracies, please let me know.

With the exception of the section “Out Of The Box Security and Additional Hardening Measures”, the entire report refers to Mac OS X 10.4 and earlier. Where possible, I state the specific version of the operating system I am referring to.

I’ve broken up this report into several pages because it is quite long. You can also download the report in its entirety in PDF format.
