Chapter 9 Maintaining Open Directory Services 207
Using kadmin to Kerberize a Service
You can use kadmin to Kerberize additional services, depending on your specific
configuration requirements. Although Mac OS X Server Kerberizes many services for
you, you can use the Kerberos command-line tools to Kerberize additional services with
Open Directory Kerberos.
A Kerberized service must know its own principal name. The service type for most
services is compiled into the binary.
Often the server administrator can assume that the service principal name has the form
serviceType/fqdn@REALM, where fqdn is the host's fully qualified DNS name and REALM
is the Kerberos realm (by convention in upper case).
For example, the service principal for the AFP server on the host "server.example.com"
in the realm "EXAMPLE.COM" is afpserver/server.example.com@EXAMPLE.COM. However, the
service type is service-specific, and the primary place to get this information is the
service documentation.
To Kerberize a service (from a terminal running on that host):
1 To create the service principal, use kadmin. The -randkey option gives the principal
a random key, so there is no password to record or leak.
$ sudo kadmin -p admin_principal -q "addprinc -randkey service-principal"
2 Export the principal's key into the keytab file (by default /etc/krb5.keytab).
$ sudo kadmin -p admin_principal -q "ktadd service-principal"
Run ktadd once per principal: each run generates a new key and increments the key
version number, which invalidates any other keytab that still holds the old key. The
keytab is the service's long-term secret, so keep it readable by root (or by the
service's own account) only, and confirm the entry with klist -k.
3 Configure the service to use the new principal.
This step is service-specific. For information about how to perform this step, see the
service documentation.
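The following script wraps steps 1 and 2 of the procedure above so that the principal name is composed the same way every time and the result is checked. It is an added example, not Apple's own tooling. It assumes the service type comes from the service's documentation, the realm is the Open Directory realm, and the script runs as root on the host that will hold the keytab; the KADMIN, KEYTAB and DRY_RUN variables and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Apple's tooling): scripts the kadmin procedure for
# Kerberizing a service. Assumes the service type is taken from the
# service's documentation and that kadmin/ktadd run as root on the host
# that owns the keytab.
set -eu

KADMIN="${KADMIN:-kadmin}"            # admin client; override for testing
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"  # keytab ktadd writes to
DRY_RUN="${DRY_RUN:-0}"               # 1 = show the commands, run nothing

# Compose serviceType/fqdn@REALM. The realm is case-sensitive and by
# convention upper case; the host part must be the canonical lower-case
# FQDN that clients resolve, or clients will ask for a principal that
# does not exist.
make_principal() {
    _svc=$1; _host=$2; _realm=$3
    _host=$(printf '%s' "$_host" | tr 'A-Z' 'a-z')
    _realm=$(printf '%s' "$_realm" | tr 'a-z' 'A-Z')
    printf '%s/%s@%s\n' "$_svc" "$_host" "$_realm"
}

# Run a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Returns 0 if the principal already exists in the KDC. In dry-run mode it
# reports "absent" so that the create/ktadd commands are shown.
principal_exists() {
    [ "$DRY_RUN" = 1 ] && return 1
    "$KADMIN" -p "$1" -q "getprinc $2" 2>/dev/null | grep -q '^Principal:'
}

# kerberize_service ADMIN_PRINCIPAL SERVICE_TYPE REALM [FQDN]
# Prints the principal it created on success.
kerberize_service() {
    _admin=$1; _svc=$2; _realm=$3; _fqdn=${4:-$(hostname -f)}
    _princ=$(make_principal "$_svc" "$_fqdn" "$_realm")

    # ktadd on an existing principal generates a fresh key and raises the
    # kvno, silently invalidating any other keytab holding the old key.
    # Stop rather than rotate by accident.
    if principal_exists "$_admin" "$_princ"; then
        echo "refusing to rotate key for existing principal $_princ" >&2
        return 1
    fi

    # Step 1: create the principal with a random key (no password to leak).
    run "$KADMIN" -p "$_admin" -q "addprinc -randkey $_princ"
    # Step 2: export the key into the keytab the service will read.
    run "$KADMIN" -p "$_admin" -q "ktadd -k $KEYTAB $_princ"
    # The keytab is the service's long-term secret: root only.
    run chmod 600 "$KEYTAB"
    # Check: the new principal must now be listed in the keytab.
    run klist -k "$KEYTAB"
    printf '%s\n' "$_princ"
}

# Usage: KERBERIZE_RUN=1 sh kerberize.sh diradmin afpserver EXAMPLE.COM
if [ "${KERBERIZE_RUN:-0}" = 1 ]; then
    kerberize_service "$@"
fi
```

Run it first with DRY_RUN=1 to see the exact kadmin commands it will issue; step 3 (pointing the service at the principal) remains service-specific and is not scripted here.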
Kerberizing Services with an Active Directory Server
If your computer is bound to an Active Directory server, you can use the
dsconfigad command to Kerberize your services with the Active Directory Kerberos
realm. This is commonly used when configuring a magic triangle with an Active
Directory server and an Open Directory server.
To Kerberize services with an Active Directory server:
Enter the following command to Kerberize your services:
$ sudo dsconfigad -enablesso
To confirm the result, list the host's keytab with sudo klist -k /etc/krb5.keytab; the
service principals should now appear in the Active Directory realm.