Specifications

To congure new and upgraded services to use Kerberos:
1 Open Server Admin and connect to the upgraded server.
2 Click the triangle at the left of the server.
The list of services appears.
3 From the expanded Servers list, select Open Directory.
4 Click Settings, then click General.
5 Click Kerberize Services, then enter the name and password of an LDAP directory
administrator account.
Services that were already congured to use Kerberos are not aected.
From the command line:
Kerberize a service from a terminal running on that host.
1 To create the service principal:
$ sudo kadmin -p admin_principal -q "addprinc -randkey service-principal"
2 Import the principal key into the keytab file:
$ sudo kadmin -p admin_principal -q "ktadd service-principal"
3 Congure the service to use the new principal:
This step is service-specic. For information about how to perform this step, see the
service documentation.
About Kerberos Principals and Realms
Kerberized services are configured to authenticate principals who are known to a Kerberos realm. You can think of a realm as a Kerberos database or authentication domain that contains validation data for users, services, and sometimes servers, which are all known as principals.
For example, a realm contains principals’ secret keys, which are the result of a one-way
function applied to passwords.
Service principals are generally based on randomly generated secrets rather than
passwords.
Here are examples of realm and principal names. Realm names are capitalized by convention to distinguish them from DNS domain names:
Realm: MYREALM.EXAMPLE.COM
User principal: jsanchez@MYREALM.EXAMPLE.COM
Service principal: afpserver/somehost.example.com@MYREALM.EXAMPLE.COM
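The two kadmin steps from the command-line procedure above, wrapped in a script that first checks that the name it is about to create has the service/host@REALM shape shown in these examples. This is an added example, not part of the Apple guide; the admin principal name, the KADMIN override variable and the helper function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the guide): kerberize one service with kadmin.
# KADMIN can be overridden (e.g. KADMIN=echo) to preview the commands
# without touching the KDC or the keytab. ADMIN_PRINCIPAL is hypothetical.
KADMIN="${KADMIN:-sudo kadmin}"
ADMIN_PRINCIPAL="${ADMIN_PRINCIPAL:-diradmin/admin}"

# Build a service principal name, service/host@REALM, from its three parts.
service_principal() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Return 0 only for service/host@REALM with non-empty parts and an
# uppercase realm (the convention that separates realms from DNS names).
# A user principal such as jsanchez@REALM has no instance and is rejected.
valid_service_principal() {
    case "$1" in
        */*@*) ;;
        *) return 1 ;;
    esac
    service="${1%%/*}"
    instance="${1#*/}"; instance="${instance%@*}"
    realm="${1##*@}"
    [ -n "$service" ] && [ -n "$instance" ] && [ -n "$realm" ] || return 1
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ]
}

# Step 1: create the principal with a random key (no password involved).
# Step 2: write that key into this host's keytab. ktadd randomizes the
# key again, so run it only on the host that will actually hold the keytab.
kerberize_service() {
    principal=$(service_principal "$1" "$2" "$3")
    valid_service_principal "$principal" || {
        echo "refusing to create malformed principal: $principal" >&2
        return 1
    }
    $KADMIN -p "$ADMIN_PRINCIPAL" -q "addprinc -randkey $principal" || return 1
    $KADMIN -p "$ADMIN_PRINCIPAL" -q "ktadd $principal"
}
```

Running `KADMIN=echo kerberize_service afpserver somehost.example.com MYREALM.EXAMPLE.COM` prints the two kadmin invocations instead of executing them, which is a convenient way to review the principal name before touching the realm.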
48 Chapter 3 Open Directory Authentication