Cats and multi-headed dogs don’t play nicely together. What a surprise.
So I was cleaning out my OmniFocus today and I stumbled across this:

I had added that back when I upgraded to Leopard and made Active Directory authentication the default for my user. Now there is only one problem: my next action isn’t true anymore. In fact, I’ve disabled it completely.
Let’s start at the beginning. Three large jungle cats earlier (Tiger, Panther, Jaguar) Apple added the ability to integrate Mac OS X with Active Directory. To say that their track record has been spotty is a bit of an exercise in understatement.
Get it? Leopard? Spotty? I’m sorry, I really am.
The integration really revolves around the Kerberos authentication mechanism which to the security conscious is really the cat’s meow.
Ha! Cat’s meow. No, I’m sorry. I promise this time.
To explain all this I’ll try to sum up how Kerberos works as quickly as I can. If you start feeling your eyeballs glaze over or a little bit of drool forming at the side of your mouth, the punchline is that Kerberos works because little gnomes in your computer work out deals with three-headed dogs that allow everything to function properly. That being said, here’s the explanation.
Start eye glazing drool inducing skippable section
A long time ago in a galaxy far far away a bunch of smart people decided that sending usernames and passwords around a network in cleartext was a Bad Idea. Thus loads of schemes and plans and secret handshakes and backroom deals were invented to keep said Bad Idea from happening. One of those schemes worked like this.
1. A user enters a username and password, which through the magic of a one-way function turn into the user’s secret key. Nowadays you don’t even need a password: things like smartcards or staring funny at a retinal scanner will do. (You’ve got to remember all this stuff was invented back in the ’80s when life was simpler.)
2. The user’s computer would then send a plain text message to the main authentication server saying who it was and that it wanted a bologna sandwich or something.
3. The main authentication server happens to also have a copy of the user’s secret key, so it creates a brand new session key, encrypts it with the user’s secret key and sends it back to the client.
4. The client then tries to decrypt the message to get the new session key using its copy of the secret key. If it decrypts successfully everyone yells Mazal Tov and the client stomps on a glass. Actually, that happens if someone has a Jewish wedding. If the decryption succeeds the computer just kind of sits there. If the decryption fails then the username or password must be wrong, because the locally derived secret key doesn’t work. (That is the classic version of the story. Active Directory normally insists on pre-authentication, so the client first proves it knows the key by sending an encrypted timestamp along with step 2, and a wrong password is refused by the server before any session key is handed out. The reason is lurking in step 3: without pre-authentication anybody on the network can ask for a reply encrypted under your key and then guess at your password offline, at their leisure.)
5. A bunch of other stuff happens when the user then requests a network service that doesn’t really apply to the story so we’ll skip it here.
6. A cool sounding name was needed for the protocol so they named it Kerberos, after the three headed hound from hell. Nice.
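For anyone who skipped the drool and wants to see the gnomes at work, here is steps 1 through 4 as a toy model in Python. This is an added illustration, not code from the original post and not Apple’s or Microsoft’s Kerberos; the cipher is a stand-in built from the standard library (an HMAC-SHA256 keystream plus a MAC tag) for a real Kerberos enctype such as aes256-cts-hmac-sha1-96, and the realm, principal and passwords are made up. It also shows the bit the story leaves out: what happens when the password is wrong, and why an AS-REP handed to anyone who asks is a password-guessing oracle.

```python
"""Toy model of the Kerberos AS exchange (steps 1 through 4 above).

Added illustration, not code from the original post. Standard library only:
the cipher is a stand-in (HMAC-SHA256 keystream plus a MAC tag) for a real
enctype such as aes256-cts-hmac-sha1-96; realm, users and passwords are made up.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional

REALM = "EXAMPLE.COM"  # made-up realm


def string_to_key(password: str, principal: str, realm: str = REALM) -> bytes:
    """Step 1: one-way function from password to long-term secret key.
    Like the Kerberos AES enctypes, the salt is realm + principal, so two users
    with the same password get different keys. Iteration count is illustrative."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the key is wrong (tag does not verify)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """The 'main authentication server' (an Active Directory domain controller)."""

    def __init__(self, accounts):
        # The KDC stores the derived keys, not the passwords.
        self.keys = {name: string_to_key(pw, name) for name, pw in accounts.items()}
        self.tgs_key = secrets.token_bytes(32)  # krbtgt key; never leaves the KDC

    def as_exchange(self, as_req: dict) -> dict:
        """Step 3: step 2 named the user in the clear; reply with a fresh session
        key sealed once for the user and once (the TGT) for the KDC itself."""
        user_key = self.keys[as_req["cname"]]  # KeyError stands in for C_PRINCIPAL_UNKNOWN
        session_key = secrets.token_bytes(32)
        return {
            "cname": as_req["cname"],
            "ticket": encrypt(self.tgs_key, session_key),  # the TGT
            "enc_part": encrypt(user_key, session_key),    # only the real user opens this
        }

    def open_ticket(self, ticket: bytes) -> Optional[bytes]:
        """Later the ticket-granting service recovers the session key from the TGT."""
        return decrypt(self.tgs_key, ticket)


def client_login(kdc: KDC, principal: str, password: str):
    """Steps 1, 2 and 4 from the client's side. Returns (session_key, ticket);
    session_key is None when the locally derived key cannot open enc_part."""
    user_key = string_to_key(password, principal)                   # step 1
    as_rep = kdc.as_exchange({"cname": principal, "realm": REALM})  # step 2, cleartext
    return decrypt(user_key, as_rep["enc_part"]), as_rep["ticket"]  # step 4


def offline_guess(as_rep: dict, candidates) -> Optional[str]:
    """Why pre-authentication exists: without it anyone can send step 2 on your
    behalf, record the reply and test passwords offline with no lockout."""
    for pw in candidates:
        if decrypt(string_to_key(pw, as_rep["cname"]), as_rep["enc_part"]) is not None:
            return pw
    return None


if __name__ == "__main__":
    kdc = KDC({"grant": "correct horse battery staple"})
    key, ticket = client_login(kdc, "grant", "correct horse battery staple")
    print("good password, session key matches TGT:", key == kdc.open_ticket(ticket))
    print("bad password yields:", client_login(kdc, "grant", "letmein")[0])
    rep = kdc.as_exchange({"cname": "grant", "realm": REALM})
    print("offline guess finds:", offline_guess(rep, ["letmein", "correct horse battery staple"]))
```

Two things worth noticing. The KDC never sees the password and the client never sends it; each side only ever uses the derived key, which is the whole point of step 1. And offline_guess is why the real protocol grew pre-authentication: Active Directory requires it by default, so a real AS-REQ carries a timestamp encrypted under the user’s key and the domain controller answers a wrong password with KDC_ERR_PREAUTH_FAILED instead of handing out something to crack. Accounts with pre-authentication switched off fall back to exactly the behaviour this toy shows.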
End eye glazing drool inducing skippable section
Now Apple ships the Kerberos client in Mac OS X (the kinit command is part of it) while Microsoft’s Active Directory domain controllers act as the Kerberos server, the KDC. In Tiger I had configured everything to work together with one small exception: I still had the main login screen use local authentication. If I wanted to get authenticated to Active Directory I had to open up Terminal and run the kinit command. Life was good.
Once I had upgraded to Leopard I figured it was time to join the 1980’s, err, 21st century and configure Kerberos to work with the main login screen. I did a couple clicks here, changed the permissions on a directory there and poof, there I was, trading tickets with the best of them.
That was until I took the computer home.
Once I got there and turned on the AirPort, since I use the faster Ethernet at work, one of Kerberos’ heads went and ate its own tail. (This was definitely Not Good since the hellhound has a snake for a tail.) Instead of noticing that it wasn’t on the work network anymore it decided to sit and wait for the Active Directory it couldn’t find to answer its pleas for self identification, or until a network timeout occurred, whichever came first. Then, to make matters worse, once I got back to work it decided to flip the sullen, sulky bit, so that if I tried to start the computer with the AirPort left on from being at home it would slow everything down until it dropped the network completely. I was reduced to opening Stickies every time I worked at home with a note on the desktop that said, “Turn off the AirPort you idiot” so that I wouldn’t have to double boot the next morning.
After doing this for a month I finally gave up and turned off AD integration completely. Now life is back to normal and local authentication works without a problem.
The moral of the story: I should have known that using a protocol named after a three-headed dog with an OS named after a cat was a stupid idea.

I think JK Rowling renamed Cerberus to Fluffy so maybe Microsoft should rename Kerberos to Phluffy to give it that Vista warm-and-fuzzy nothing-to-worry-about feeling.
Two questions:
1. Would changing the location in Leopard disable the AD on/off problem?
2. Are you still big on OmniFocus? I gotta get something better than the standard task list.
Comment by Scott — January 2, 2008 @ 6:46 pm
I hadn’t thought to set up a new Location to work around the AD issue. That’s a good idea.
I’m still loving the OmniFocus. In fact, just yesterday I discovered that on Leopard you can drag an email from Mail.app to an OmniFocus action and it creates a hyperlink back to the email message. It doesn’t seem to work for Tiger but it was a feature that I really wanted after using OmniFocus for a while.
I even went and bought my own OmniFocus key before the product has officially shipped.
Comment by Grant — January 3, 2008 @ 9:44 am
Is an “I told you so” in order?
The AD authentication works on Leopard Server, even after reboot, and I don’t think we’ll be using AirPort any time soon on the server, so I’m happy with their progress.
Comment by Tim — January 4, 2008 @ 11:47 am
Considering how many times Cerberus was overcome (see your own link), was it smart to name a security protocol after it?
Comment by David — January 4, 2008 @ 1:46 pm