Specifications
Chapter 1 Directory Services with Open Directory 29
The same user account that can be used for logging in from a Windows workstation
can also be used for logging in from a Mac OS X computer. Therefore, someone who
uses both platforms can have the same home folder, mail account, and print quotas
on both platforms. Users can change their passwords while logging in to the Windows
domain.
User accounts are stored in the server’s LDAP directory with group, computer, and
other information. The PDC has access to this directory information because you set up
the PDC on a server that is an Open Directory master, which hosts an LDAP directory.
Further, the PDC uses the Open Directory master’s Password Server to authenticate
users when they log in to the Windows domain. The Password Server can validate
passwords using NTLMv2, NTLMv1, LAN Manager, and other authentication methods.
The Open Directory master can also have a Kerberos Key Distribution Center (KDC).
The PDC doesn’t use Kerberos to authenticate users for Windows services, but mail and
other services can be configured to use Kerberos to authenticate Windows workstation
users who have accounts in the LDAP directory.
To have its password validated by the Open Directory Password Server and Kerberos,
a user account must have a password type of Open Directory. A user account with a
password type of crypt password can’t be used for Windows services because a crypt
password isn’t validated using the NTLMv2, NTLMv1, or LAN Manager authentication
methods.
The server can also have user accounts in its local directory domain. Every Mac OS X
Server computer has one. The PDC doesn’t use these accounts for Windows domain
login, but the PDC can use these accounts to authenticate users for Windows file
service and other services.
User accounts in the local directory domain that have a password type of shadow
password can be used for Windows services because a shadow password can be
validated using NTLMv2, NTLMv1, LAN Manager, and other authentication methods.
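The rules above (Open Directory and shadow passwords work for Windows services, crypt passwords don’t) can be checked per account by reading each record’s AuthenticationAuthority attribute. The following is an added example, not Apple’s code; it assumes the `;Tag;data` value format that `dscl . -read /Users/<name> AuthenticationAuthority` prints, and the sample values are constructed.

```python
import re

# Each AuthenticationAuthority value looks like ";Tag;data" (format assumed
# from dscl output). Tags of interest: ApplePasswordServer, Kerberosv5,
# ShadowHash and basic (crypt).
TAG_RE = re.compile(r";(\w+);")

# Methods each password type supports according to this chapter.
NTLM_METHODS = ("NTLMv2", "NTLMv1", "LAN Manager")


def classify(auth_authority: str) -> dict:
    """Return the password type, the methods that can validate it, and
    whether Windows (SMB/PDC) services can use the account."""
    tags = set(TAG_RE.findall(auth_authority))
    if "ApplePasswordServer" in tags:
        methods = list(NTLM_METHODS)
        if "Kerberosv5" in tags:          # Open Directory master with a KDC
            methods.append("Kerberos")
        return {"password_type": "Open Directory", "methods": methods,
                "windows_services": True}
    if "ShadowHash" in tags:
        return {"password_type": "shadow", "methods": list(NTLM_METHODS),
                "windows_services": True}
    if "basic" in tags:                   # crypt password: no NTLM/LM hashes
        return {"password_type": "crypt", "methods": [],
                "windows_services": False}
    return {"password_type": "unknown", "methods": [], "windows_services": False}


def audit(records: dict) -> list:
    """Given {shortname: AuthenticationAuthority}, list accounts that
    Windows services cannot authenticate."""
    return sorted(n for n, aa in records.items()
                  if not classify(aa)["windows_services"])


# Constructed sample records (hypothetical users, no real key material; the
# Password Server public-key data is abbreviated).
SAMPLE = {
    "anne": (";ApplePasswordServer;0x4d0a... ,1024 35 1234567 "
             "root@od.example.com:10.0.0.5 ;Kerberosv5;;anne@OD.EXAMPLE.COM;"
             "OD.EXAMPLE.COM;1024 35 1234567 root@od.example.com:10.0.0.5"),
    "bob": ";ShadowHash;HASHLIST:<SALTED-SHA1,SMB-NT,SMB-LAN-MANAGER>",
    "carl": ";basic;",
}

if __name__ == "__main__":
    for name, aa in SAMPLE.items():
        print(name, classify(aa))
    print("cannot use Windows services:", audit(SAMPLE))
```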
For compatibility, Mac OS X Server supports user accounts that were configured to use
the legacy Authentication Manager technology for password validation in Mac OS X
Server v10.0–10.2. After upgrading a server to Mac OS X Server v10.6, existing users can
continue to use their same passwords.
A user account uses Authentication Manager if the account is in a local directory
domain that Authentication Manager is enabled for, and if the account is set to use a
crypt password.
If you migrate a directory from NetInfo to LDAP, all user accounts that used
Authentication Manager for password validation are converted to have a password
type of Open Directory.