Accessing Kerberized Services with the Active Directory Computer Account

published 05 Nov 2013

Back in May I posted an article on how to access kerberized services with the AD computer account. If the blog statistics are to be believed, it’s a fairly popular post too. Well, it turns out that I’d basically just missed -k when I read the man page for kinit. I also managed to expose the machine’s password in the process of doing so, making it even more embarrassing.

I updated the original article, but for reference here’s a proper script:

#!/bin/bash
#
# This script requires 10.7+ and root privileges.
set -e

# Locate the Active Directory configuration plist and read the computer
# account name (the "trust account") from it.
declare -r ADPLIST=$(echo "/Library/Preferences/OpenDirectory/Configurations/Active Directory"/*.plist)
declare -r ADCOMPACCT=$(/usr/libexec/PlistBuddy -c 'print :trustaccount' "$ADPLIST")

# Get a Kerberos ticket for the machine from the system keytab (-k);
# no password is read by the script or passed on the command line.
kinit -k "$ADCOMPACCT"

# Access services with Kerberos credentials. The mount point must exist
# before mount_smbfs is called.
mkdir -p /tmp/sharedfolder
mount_smbfs //sharedfiles.server.com/SharedFolder /tmp/sharedfolder
curl --negotiate -u : http://server.example.com/protectedresource
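Since the whole correction comes down to one flag, here is a small added check (my own Python, not code from the original post) that scans a shell script for kinit calls that hand over a password instead of taking the key from the keytab with -k. The two sample scripts embedded in it are constructed for illustration; the password-handling line in the first is a stand-in, not the original article's code.

```python
"""Lint shell scripts for kinit invocations that take a password rather than
using the keytab (kinit -k).  Added example; the sample scripts below are
constructed for illustration and are not the original article's code."""
import re
from typing import List, Tuple

# A kinit command and the arguments that follow it, up to the next pipe or
# command separator.  The lookbehind keeps names like "xkinit" from matching.
KINIT_RE = re.compile(r'(?<![\w-])kinit\b(?P<args>[^|;&]*)')

# Flags (Heimdal and MIT spellings) that take the key from a keytab, so no
# password is involved at all.
KEYTAB_FLAGS = re.compile(
    r'(?:^|\s)(?:-kt?|--use-keytab|-t\s*\S+|--keytab(?:=|\s+)\S+)(?:\s|$)')

# A password piped into kinit from echo/printf earlier on the same line.
PIPED_SECRET = re.compile(r'\b(?:echo|printf)\b.*\|\s*$')

FED_MSG = 'kinit is fed a password by the script; use kinit -k (keytab) instead'
PROMPT_MSG = 'kinit without -k prompts for a password and will hang unattended'


def audit_kinit(script: str) -> List[Tuple[int, str]]:
    """Return (line number, message) for every kinit call that needs a password."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        code = line.split('#', 1)[0]        # drop trailing shell comments
        m = KINIT_RE.search(code)
        if not m:
            continue
        args = m.group('args')
        if KEYTAB_FLAGS.search(args):
            continue                        # keytab-based: nothing to flag
        before = code[:m.start()]
        # Three ways a script pushes a secret into kinit: a pipe from
        # echo/printf, a here-string, or Heimdal's --password-file option.
        if PIPED_SECRET.search(before) or '<<<' in code or '--password-file' in args:
            findings.append((lineno, FED_MSG))
        else:
            findings.append((lineno, PROMPT_MSG))
    return findings


# Constructed "before" script: the password is handled by the script itself.
BEFORE_SCRIPT = """#!/bin/bash
ADPASS='<constructed placeholder, not a real secret>'
echo "$ADPASS" | kinit "$ADCOMPACCT"
curl --negotiate -u : http://server.example.com/protectedresource
"""

# Constructed "after" script: the key comes from the system keytab.
AFTER_SCRIPT = """#!/bin/bash
ADCOMPACCT=$(/usr/libexec/PlistBuddy -c 'print :trustaccount' "$ADPLIST")
kinit -k "$ADCOMPACCT"
curl --negotiate -u : http://server.example.com/protectedresource
"""

if __name__ == '__main__':
    for name, text in (('before', BEFORE_SCRIPT), ('after', AFTER_SCRIPT)):
        for lineno, msg in audit_kinit(text):
            print(f'{name}:{lineno}: {msg}')
```

Run it against the scripts in your launchd jobs or cron entries; anything it reports on a machine-account kinit is a candidate for the one-flag fix above. The check is deliberately line-based and does not understand multi-line shell constructs, so treat it as a first pass rather than a complete parser.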

I’ll go stand in the corner now.