Specifications
Kerberos lets a client and a server authenticate each other (mutual authentication) using tickets issued by a trusted Key Distribution Center (KDC), which is much more secure than typical challenge-response password authentication methods. Kerberos also provides a single sign-on environment: a user authenticates once per ticket lifetime (a day, a week, or whatever period the administrator sets), and the resulting ticket is presented to each Kerberized service instead of a fresh password prompt, so users are asked to authenticate far less often.
Mac OS X Server offers integrated Kerberos support that virtually anyone can deploy. In fact, Kerberos deployment is so automatic that users and administrators may not realize it's deployed.
Mac OS X v10.3 and later use Kerberos when someone logs in with an account set for Open Directory authentication, which is the default setting for user accounts in the Mac OS X Server LDAP directory. Other services hosted on the server that provides the LDAP directory, such as AFP and mail service, also use Kerberos automatically.
If your network has other servers with Mac OS X Server v10.6, joining them to the
Kerberos server is easy, and most of their services use Kerberos automatically.
Alternatively, if your network has a Kerberos system such as Microsoft Active Directory,
you can set up your Mac OS X Server and Mac OS X computers to use it
for authentication.
Mac OS X Server and Mac OS X v10.3 or later support Kerberos v5. Mac OS X Server
and Mac OS X v10.6 do not support Kerberos v4.
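When an account is set for Open Directory authentication, its user record carries a Kerberos authentication authority, and a successful login leaves a ticket-granting ticket (TGT) in the ticket cache. The following script is an added example, not part of the Apple guide, that checks both facts from the output of `dscl` and `klist`. The two sample outputs embedded in it are constructed; the user "anne", the server `od.example.com` and the realm `OD.EXAMPLE.COM` are placeholders.

```shell
#!/bin/sh
# Added example (not from the Apple guide): verify that an Open Directory
# account is set for Kerberos and that a login actually yielded a TGT.
# Both samples below are constructed. On a live system substitute
#   dscl /LDAPv3/127.0.0.1 -read /Users/anne AuthenticationAuthority
#   klist
# The user "anne", server od.example.com and realm OD.EXAMPLE.COM are
# placeholders.

# Constructed dscl output. Open Directory gives a user two authorities:
# ;ApplePasswordServer; for non-Kerberos clients and ;Kerberosv5; whose
# fields are ;Kerberosv5;;principal;REALM;<password server public key>.
SAMPLE_AA='AuthenticationAuthority: ;ApplePasswordServer;0x4c5e0a1b2c3d4e5f,1024 35 1234 root@od.example.com:10.0.0.5 ;Kerberosv5;;anne@OD.EXAMPLE.COM;OD.EXAMPLE.COM;1024 35 1234 root@od.example.com:10.0.0.5'

# Constructed klist output after a login window authentication.
SAMPLE_KLIST='Kerberos 5 ticket cache: "API:Initial default ccache"
Default principal: anne@OD.EXAMPLE.COM

Valid Starting     Expires            Service Principal
08/02/10 09:00:12  08/02/10 19:00:12  krbtgt/OD.EXAMPLE.COM@OD.EXAMPLE.COM
08/02/10 09:00:15  08/02/10 19:00:12  afpserver/files.example.com@OD.EXAMPLE.COM'

# kerberos_principal "<dscl output>" -> the principal named in the
# ;Kerberosv5; authority, or nothing if the account is not Kerberized.
kerberos_principal() {
    printf '%s\n' "$1" | sed -n 's/.*;Kerberosv5;;\([^;]*\);[^;]*;.*/\1/p'
}

# kerberos_realm "<dscl output>" -> the realm field of that authority.
kerberos_realm() {
    printf '%s\n' "$1" | sed -n 's/.*;Kerberosv5;;[^;]*;\([^;]*\);.*/\1/p'
}

# has_ticket "<klist output>" "<service principal>" -> 0 if the cache
# lists a ticket for that service principal.
has_ticket() {
    printf '%s\n' "$1" | grep -Fq -- "$2"
}

# check_account "<dscl output>" "<klist output>" -> 0 only when the record
# is Kerberized, its realm matches the principal, and the cache holds a
# TGT for that realm. Prints a one-line verdict.
check_account() {
    aa=$1; cache=$2
    principal=$(kerberos_principal "$aa")
    if [ -z "$principal" ]; then
        echo "not kerberized: no ;Kerberosv5; authority"; return 1
    fi
    realm=$(kerberos_realm "$aa")
    if [ "${principal#*@}" != "$realm" ]; then
        echo "inconsistent: $principal vs realm $realm"; return 2
    fi
    if ! has_ticket "$cache" "krbtgt/$realm@$realm"; then
        echo "no TGT for $realm: login did not use Kerberos"; return 3
    fi
    echo "ok: $principal holds a TGT for $realm"
}

check_account "$SAMPLE_AA" "$SAMPLE_KLIST"
```

The same check applies to a Mac bound to Active Directory: after the bind, `klist` should show a TGT for the AD realm rather than the Open Directory realm, and an account that shows no `;Kerberosv5;` authority, or a cache with no `krbtgt/` entry after login, means the client fell back to non-Kerberos authentication.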
Breaking the Barriers to Kerberos Deployment
Until recently, Kerberos was used mainly at universities and government sites. Wider deployment had to wait for its adoption barriers to be removed. Mac OS X and Mac OS X Server v10.3 or later eliminate the following historical barriers to Kerberos adoption:
• An administrator had to set up a Kerberos KDC, which was difficult to deploy and administer.
• There was no standard integration with a directory system. Kerberos only does authentication; it doesn't store user account data such as user ID (UID), home folder location, or group membership, so the administrator had to work out how to integrate Kerberos with a directory system.
• Servers had to be registered with the Kerberos KDC, which added an extra step to the server setup process.
• After setting up a Kerberos server, the administrator had to visit every client computer and configure each one to use Kerberos. This was time-consuming and required editing configuration files and using command-line tools.
44 Chapter 3 Open Directory Authentication