Time is very important with Kerberos. If the client and the KDC are out of sync by
more than a few minutes, the client fails to achieve authentication with the KDC. The
date, time, and time zone information must be correct on the KDC server and clients,
and the server and clients should all use the same network time service to keep their
clocks in sync.

For more information about Kerberos, go to the MIT Kerberos website at
web.mit.edu/kerberos/www/index.html.

About Open Directory Password Server and Shadow Password Authentication Methods

For compatibility with various services, Mac OS X Server can use several authentication
methods to validate Open Directory passwords and shadow passwords.

For Open Directory passwords, Mac OS X Server uses the standard Simple
Authentication and Security Layer (SASL) mechanism to negotiate an authentication
method between a client and a service.

For shadow passwords, the use of SASL depends on the network protocol. The
following authentication methods are supported:

Method             Network security                     Storage security  Uses
APOP               Encrypted, with clear text fallback  Clear text        POP mail service
CRAM-MD5           Encrypted, with clear text fallback  Encrypted         IMAP mail service, LDAP service
DHX                Encrypted                            Encrypted         AFP file service, Open Directory administration
Digest-MD5         Encrypted                            Encrypted         Login window, mail service
MS-CHAPv2          Encrypted                            Encrypted         VPN service
NTLMv1 and NTLMv2  Encrypted                            Encrypted         SMB services (Windows NT/98 or later)
LAN Manager        Encrypted                            Encrypted         SMB services (Windows 95)
WebDAV-Digest      Encrypted                            Clear text        WebDAV file service (iDisk)
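
The APOP and CRAM-MD5 rows differ only in the Storage security column. The following added example (not from the original guide) shows why, using the digest definitions in RFC 1939 and RFC 2195. The `CramVerifier` class, its stored-context scheme, and all sample values are assumptions for illustration, not a description of how Password Server stores secrets.

```python
import hashlib
import hmac


def apop_digest(banner: bytes, password: bytes) -> str:
    """RFC 1939 APOP: hex MD5 over the server's timestamp banner + shared secret."""
    return hashlib.md5(banner + password).hexdigest()


def apop_verify(banner: bytes, stored_password: bytes, client_digest: str) -> bool:
    # The server must recompute MD5(banner + password) for every new banner,
    # so it needs the password itself: hence "Clear text" storage.
    return hmac.compare_digest(apop_digest(banner, stored_password), client_digest)


def cram_md5_response(challenge: bytes, password: bytes) -> str:
    """RFC 2195 CRAM-MD5: hex HMAC-MD5 of the challenge, keyed with the secret."""
    return hmac.new(password, challenge, hashlib.md5).hexdigest()


class CramVerifier:
    """Hypothetical server-side record: a keyed HMAC-MD5 context, not the password.

    HMAC mixes the key in before any message data, so the keyed state can be
    derived once and reused for every challenge. The state is still enough to
    answer CRAM-MD5 challenges, so it needs the same protection as a password.
    """

    def __init__(self, password: bytes):
        self._keyed = hmac.new(password, digestmod=hashlib.md5)

    def verify(self, challenge: bytes, client_digest: str) -> bool:
        ctx = self._keyed.copy()      # keep the stored state reusable
        ctx.update(challenge)
        return hmac.compare_digest(ctx.hexdigest(), client_digest)


if __name__ == "__main__":
    # Constructed sample values.
    banner = b"<1234.5678@mail.example.com>"
    secret = b"constructed-secret"

    print("APOP ok:", apop_verify(banner, secret, apop_digest(banner, secret)))

    record = CramVerifier(secret)     # password is not retained past this point
    print("CRAM-MD5 ok:", record.verify(banner, cram_md5_response(banner, secret)))
```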