Kerberos Support for WebDAV in the Finder

I'm going to go ahead and declare this undocumented. Apple's web site is useless and Google turns up questionable information. The closest thing I could find to an answer was this sentence from the "About Kerberos" help item on my local system.

Mac OS X applications that can use Kerberos include Safari, Secure Shell (SSH), Server Message Block (SMB), Mail, Telnet, Virtual Private Network (VPN) client, and the Apple Filing Protocol (AFP) client.

So does it work with WebDAV? Yes, but it took me a while to figure this out. With no documentation, it was down to trial and error, and that turned out to be confusing.

I set up a WebDAV share with mod_auth_kerb, but even though I had a ticket, it was prompting me for a username and password. mod_auth_kerb will prompt for credentials in the absence of a ticket, so I assumed this was what was happening. Yes, you could give it your username and password and get access, but that's not the magic you expect from Kerberos.
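A mod_auth_kerb WebDAV location of the kind described above, as an added example that is not the author's configuration; the hostname, realm and all paths are placeholders. It shows the password-fallback setting beside the ticket-only setting.

```apache
# Added example. dav.example.com, EXAMPLE.COM and every path are placeholders.
DavLockDB /var/lib/dav/lockdb
Alias /dav /srv/dav

<Location /dav>
    Dav On
    AuthType Kerberos
    AuthName "Kerberos login"
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5Keytab /etc/apache2/http.keytab

    # SPNEGO: accept "Authorization: Negotiate" carrying a service ticket
    # for HTTP/dav.example.com@EXAMPLE.COM.
    KrbMethodNegotiate on

    # Password fallback: when on (the module default), the server also
    # offers Basic and checks the typed password against the KDC, so the
    # password itself crosses the connection (in cleartext over plain HTTP).
    # KrbMethodK5Passwd on

    # Ticket-only: no Basic challenge is offered, and a client without a
    # valid ticket gets a 401.
    KrbMethodK5Passwd off

    Require valid-user
</Location>
```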

A few places suggested that the Finder only uses Kerberos for services advertised with Bonjour. If that sounds retarded, it's because it is. I should have known because I had already used Kerberos to access CIFS shares on the NetApps at work, but it was the only thing I hadn't tried, so I went with it. I spent a while trying to get Avahi on my server at home to advertise a remote WebDAV share. What would I have done if this worked? Set up Avahi on every network I might visit? Anyway, that got me nowhere. The Finder doesn't check for WebDAV services, it seems.

I gave up and decided the Finder just didn't attempt Kerberos negotiation for WebDAV. Then I just happened to run klist after mounting my WebDAV share (which was still configured with mod_auth_kerb) and I noticed a service principal for HTTP. There's only one explanation for this, and that's that the Finder asked for that principal.

I deleted the username and password for this share from my Keychain and tried again. Like before, I was prompted for my username and password. I tried leaving the password blank. Success. I tried again, entering a random nonsense username. Success.

It's probably too late to say "long story short" at this point, but here's what you need to know: The Finder does support Kerberos for WebDAV (over HTTP or HTTPS), but it inexplicably prompts you for credentials even though it's already authenticated you. What I did was just enter "Kerberos" as the username with a blank password, then save this to my Keychain. Having something in the Keychain will allow the Finder to automatically submit the [unnecessary] credentials without bothering you. You'll be able to just mount the filesystem from then on as long as you have a valid ticket.

Is this a bug, or am I missing something? I'm just happy to know that it's possible.
