Specifications

Delegating Authority to Join an Open Directory Kerberos Realm
Using Server Admin, you can delegate the authority to join a server to an Open
Directory master server for single sign-on Kerberos authentication.
You can delegate authority to user accounts. The accounts you delegate authority to
must have a password type of Open Directory and must reside in the LDAP directory
of the Open Directory master server. The dependent server you are delegating
authority for must use Mac OS X Server v10.3 or later.
Note: If an account with delegated Kerberos authority is deleted and recreated on
the Open Directory master server, the new account will not have authority to join
the dependent server to the Open Directory master’s Kerberos realm. If you want the
recreated account to have delegated Kerberos authority, you must add a new Kerberos
record for the recreated account.
A Kerberos administrator (that is, an Open Directory LDAP administrator) doesn’t need
delegated authority to join dependent servers to the Open Directory Kerberos realm. A
Kerberos administrator has implicit authority to join any server to the Kerberos realm.
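Before delegating, it is worth checking that each candidate account actually meets the password-type requirement above, because Server Admin will only offer accounts stored in the master's LDAP directory with Open Directory passwords. The following shell script is an added example, not part of the Apple manual: it classifies an account from its AuthenticationAuthority attribute, which on a real Open Directory master you would read with `dscl /LDAPv3/127.0.0.1 -read /Users/<shortname> AuthenticationAuthority`. The attribute values below are constructed samples (the hostnames, realm and IDs are placeholders) so the script runs offline.

```shell
#!/bin/sh
# Added example: pre-check an account's password type before delegating
# Kerberos join authority. Open Directory passwords are marked by the
# ";ApplePasswordServer;" and ";Kerberosv5;" authority tags; ";ShadowHash;"
# and ";basic;" (crypt) accounts do not qualify for delegation.

# od_password_type VALUE -> prints OpenDirectory | ShadowHash | Crypt | Unknown
od_password_type() {
    case "$1" in
        *';ApplePasswordServer;'*|*';Kerberosv5;'*) echo OpenDirectory ;;
        *';ShadowHash;'*)                            echo ShadowHash ;;
        *';basic;'*)                                 echo Crypt ;;
        *)                                           echo Unknown ;;
    esac
}

# eligible_for_delegation VALUE -> exit 0 only for an Open Directory password
eligible_for_delegation() {
    [ "$(od_password_type "$1")" = OpenDirectory ]
}

# Constructed sample attribute values (placeholder IDs, hosts and realm),
# following the syntax dscl prints for AuthenticationAuthority.
OD_ACCOUNT=';ApplePasswordServer;0x4b2f00000000000000000000000001,1024 35 1234 root@odmaster.example.com:10.0.0.5;Kerberosv5;;odadmin@ODMASTER.EXAMPLE.COM;ODMASTER.EXAMPLE.COM;'
SHADOW_ACCOUNT=';ShadowHash;HASHLIST:<SALTED-SHA1>'
CRYPT_ACCOUNT=';basic;'

for v in "$OD_ACCOUNT" "$SHADOW_ACCOUNT" "$CRYPT_ACCOUNT"; do
    if eligible_for_delegation "$v"; then
        echo "OK   $(od_password_type "$v"): can receive delegated Kerberos authority"
    else
        echo "SKIP $(od_password_type "$v"): not an Open Directory password"
    fi
done
```

To use it against a live master, replace the sample values with the output of the `dscl -read` command for each account you intend to delegate to; an account that reports ShadowHash or Crypt must first have its password type changed to Open Directory in Workgroup Manager.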
To delegate authority to join an Open Directory Kerberos realm:
1 In Workgroup Manager, create a computer group in the LDAP directory domain of the
Open Directory master server, or select an existing computer group in this directory:
• To select an existing computer group, click Accounts or choose View > Accounts,
click the Computer Groups button (above the accounts list), and select the computer
group you want to use.
• If the LDAP directory doesn’t have a computer group that you want to add the
dependent server to, you can create one:
Click Accounts, then click the Computers button (above the accounts list).
Click the small globe icon above the list of accounts and use the pop-up menu to
open the Open Directory master’s LDAP directory.
Click the lock and authenticate as an administrator of the LDAP directory.
Click the Computer Groups button (above the accounts list), then click New Computer
Group or choose Server > New Computer Group.
Enter a name for the computer group (for example, Kerberized Servers).
2 Click Members, then click the Add (+) button to open the computer drawer.
3 Drag computers and computer groups from the drawer to the members list.
4 Click Save to save your changes to the computer group.
5 Click Preferences and make sure the computer group has no managed
preference settings.
100 Chapter 5 Setting Up Open Directory Services