Chapter 9 Maintaining Open Directory Services 205
Maintaining Kerberos
A robust authentication server that uses MIT’s Kerberos Key Distribution Center (KDC)
is built into Open Directory—providing strong authentication with support for secure
single sign-on. That means users authenticate once, with a single user name and
password pair, to access a broad range of Kerberized network services.
The following tools are available for setting up your Kerberos and Apple single sign-on
environment. For more information about a tool, see the related man page.
Tool (in /usr/sbin/)    Description

kdcsetup                Creates the necessary setup files and adds the krb5kdc and kadmind servers for the Apple Open Directory KDC.

sso_util                Sets up, interrogates, and tears down the Kerberos configuration in the Apple single sign-on environment.

kerberosautoconfig      Creates the edu.mit.Kerberos file based on the Open Directory KerberosClient record. kerberosautoconfig also creates, removes and updates /var/db/dslocal/nodes/Default/config/Kerberos:<REALM>.plist for Active Directory as well as Open Directory Kerberos realms.
To back up the Kerberos database:
You can use the kdb5_util tool to maintain the Kerberos database. The kdb5_util
tool is useful for dumping the principal database to text to get a reliable backup.
The data is extremely sensitive: a dump contains the keys of every principal in the realm, so anyone who can read it can impersonate any user or service in the realm. By definition, creating a copy of it decreases your overall security. These backups should be subject to the same security precautions as other KDC files.
Do not back up the KDC while the krb5kdc process is running.
To dump the KDC's database:
$ sudo kdb5_util dump > /path/to/secure/backup
Replace /path/to/secure/backup with the path to the location you are backing up the database to. Note that the redirection is performed by your login shell, not by sudo, so the dump file is created with your own user's ownership and umask (often 022, which leaves it world-readable). Set a restrictive umask first, or pass the file name to kdb5_util as an argument (sudo kdb5_util dump /path/to/secure/backup) so that root creates the file, and then confirm that only root can read it.
To load KDC data from a dumped file:
$ sudo kdb5_util load /path/to/secure/backup
Replace /path/to/secure/backup with the path to the location of your backup database. Without the -update option, load replaces the existing database with the contents of the dump rather than merging into it.
You can also use kdb5_util to create and delete Kerberos databases and to manage the location of the stash file, which holds the master key that encrypts the database. The principal keys in a dump are stored encrypted under that master key, so back up the stash file with the same care as the dump, and load a dump only onto a KDC that uses the same master key.
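The following script is an added example, not part of the Apple manual or of the kdb5_util tool, that wraps the dump and load procedures above so that the backup cannot end up world-readable and is sanity-checked before it is trusted. It assumes kdb5_util is on the PATH (on Mac OS X Server it is /usr/sbin/kdb5_util), that the KDC process is named krb5kdc, and that the script runs as root; the KDB5_UTIL variable, the krb5kdc process check, and the dump-header check are this script's own conventions, used here so the logic can be exercised with a stand-in command.

```shell
#!/bin/sh
# Added example (not from the Apple manual): back up and restore the Open
# Directory KDC database with kdb5_util without leaving a world-readable
# copy of every principal's keys behind.
#
# Assumptions: kdb5_util is on PATH (on Mac OS X Server it is
# /usr/sbin/kdb5_util); the KDC process is named krb5kdc; the script is
# run as root.  KDB5_UTIL exists only so the logic can be exercised with
# a stand-in command; it is not a kdb5_util feature.
KDB5_UTIL="${KDB5_UTIL:-kdb5_util}"

# The manual says not to dump while krb5kdc is running, so check first.
kdc_is_running() {
    if command -v pgrep >/dev/null 2>&1; then
        pgrep -x krb5kdc >/dev/null 2>&1
    else
        # Linux fallback when procps is not installed
        cat /proc/[0-9]*/comm 2>/dev/null | grep -qx krb5kdc
    fi
}

# A kdb5_util dump starts with a "kdb5_util load_dump version N" header
# line; require that plus at least one record before calling it a backup.
dump_looks_valid() {
    f="$1"
    [ -s "$f" ] || return 1
    head -n 1 "$f" | grep -q '^kdb5_util load_dump version [0-9]' || return 1
    [ "$(wc -l < "$f" | tr -d ' ')" -gt 1 ]
}

# Dump the database to $1, owner-only, and verify the result.
# "sudo kdb5_util dump > file" lets the caller's shell open "file" with the
# caller's ownership and umask; passing the name as an argument makes
# kdb5_util (root) create it, and umask 077 gives it mode 0600.
kdc_backup() {
    dest="$1"
    if kdc_is_running; then
        echo "krb5kdc is running; stop it before dumping the database" >&2
        return 1
    fi
    dir=$(dirname "$dest")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    (umask 077 && "$KDB5_UTIL" dump "$dest") || return 1
    chmod 600 "$dest" || return 1
    if ! dump_looks_valid "$dest"; then
        echo "$dest does not look like a kdb5_util dump" >&2
        return 1
    fi
    # Show the mode so the operator can see the file is not world-readable
    ls -l "$dest"
}

# Restore from a dump.  Without -update, load replaces the whole database,
# and the keys inside the dump are encrypted under the master key, so the
# target KDC must use the same stash file / master key.
kdc_restore() {
    src="$1"
    if kdc_is_running; then
        echo "krb5kdc is running; stop it before loading the database" >&2
        return 1
    fi
    dump_looks_valid "$src" || { echo "$src is not a usable dump" >&2; return 1; }
    "$KDB5_UTIL" load "$src"
}

# Usage (as root):  sh kdc-backup.sh backup /var/backups/kdc/kdc.dump
#                   sh kdc-backup.sh restore /var/backups/kdc/kdc.dump
case "${1:-}" in
    backup)  kdc_backup "$2" ;;
    restore) kdc_restore "$2" ;;
esac
```

The script refuses to run while krb5kdc is up, creates the backup directory and file so that only root can read them, and rejects a file that does not carry the kdb5_util dump header, which catches the common failure of a redirect that produced an empty or truncated file. The stash file is not included in the dump and must be protected separately.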