Hello:
I am having a devil of a time getting CAC authentication
working in our environment. We have 30 or so Macs running 10.4.5 that are bound
to Active Directory. Based on the instructions from Sean Geddis, I’ve
applied the “smartcardauthdiffs” patch to /etc/authorization, and
created the cacloginconfig.plist file containing the following:
<dict>
    <key>fields</key>
    <array>
        <string>NT Principal Name</string>
    </array>
    <key>formatString</key>
    <string>$1</string>
    <key>dsAttributeString</key>
    <string>dsAttrTypeNative:userPrincipalName</string>
</dict>
Upon inserting the CAC card the system will do one of two
things – either the login window will disappear for roughly a minute,
then return with a name and password prompt – or the GUI will exit out
entirely and dump into a Darwin text logon prompt. I have had the same thing
happen on multiple systems and two of those were fresh installs of 10.4.5.
I can get local accounts to work with our CAC cards, by
binding the Identity key hash to the account using sc_auth. I just can’t
seem to get any AD based accounts to work. I can also use the same cards that
are failing on the Macs and log in normally on our CAC-enabled PCs. We have those
set up to pass the “1111111111@mil” formatted PrincipalName to AD after
the PIN is verified. These things make me pretty sure that I am just missing a
small detail in my setup, but as of now I have no idea what that is.
Anyone that could point me in the right direction would be
greatly appreciated.
Thanks!
Lee Fairbanks