Specifications

Mac OS X Server must belong to the same Kerberos realm as the users it authenticates.
A realm has only one authoritative Kerberos server (the KDC), which handles all Kerberos
authentication in that realm. The Kerberos server can authenticate only clients and
services in its own realm; it can't authenticate clients or services that belong to a
different realm.
Only user accounts in the realm the server joins get single sign-on. User accounts in
another realm can still authenticate, but they won't have single sign-on.
If you’re conguring a server to access multiple directory systems and each have a
Kerberos realm, plan carefully for the user accounts that will use Kerberized services.
You must know the intent of having access to two directory services. You must join the
server to the realm whose companion directory domain contains the user accounts
that must use Kerberos and single sign-on.
For example, you might configure access to an Active Directory realm for its user
records and to an Open Directory LDAP directory for the Mac OS X records and
attributes that aren't in Active Directory, such as group and computer records.
Other servers could join either the Active Directory Kerberos realm or the Open
Directory Kerberos realm. In this case they should join the Active Directory Kerberos
realm, so that the Active Directory user accounts have single sign-on.
If you also have user accounts in the Open Directory server's LDAP directory, users can
still authenticate with them, but those Open Directory accounts won't use Kerberos
or have single sign-on. They'll use Open Directory Password Server authentication
methods instead.
You could put all Mac users in the Open Directory domain and all Windows users in
the Active Directory domain, and all of them could authenticate, but only one of the
two populations could use Kerberos.
Do not congure an Open Directory master or replica to also access an Active Directory
domain (or any other directory domain with a Kerberos realm). If you do, the Open
Directory Kerberos realm and the Active Directory Kerberos realm will try to use
the same conguration les on the Open Directory server, which will disrupt Open
Directory Kerberos authentication.
To avoid a Kerberos conguration le conict, don’t use an Open Directory server as
a workstation for managing users in another Kerberos server’s directory domain, such
as an Active Directory domain. Instead, use an administrator computer (a Mac OS X
computer with server administration tools installed) that’s congured to access the
related directory domains.
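The two planning rules above (a server's users get single sign-on only from the one realm the server joins, and a second directory's realm written into the same Kerberos configuration files breaks authentication) can be checked mechanically. The following is an added example, not Apple's code or part of this guide: it parses a Kerberos client configuration in the standard krb5.conf layout, reports which principals can expect single sign-on from that server, and flags a file that has ended up with more than one default_realm. The sample configuration, the realm names OD.EXAMPLE.COM and AD.EXAMPLE.COM and the host names are constructed for the example; the simplification that a principal gets SSO only when its realm is the single default realm is an assumption made for illustration.

```python
"""Added example: check a Kerberos client configuration (krb5.conf layout) against
the realm-membership rules for single sign-on. Not part of Apple's tools."""
import re

# Constructed sample: an Open Directory realm as the default, plus an Active Directory
# realm that is also defined in the same file.
SAMPLE_CONF = """
[libdefaults]
    default_realm = OD.EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    OD.EXAMPLE.COM = {
        kdc = odmaster.example.com
        admin_server = odmaster.example.com
    }
    AD.EXAMPLE.COM = {
        kdc = dc1.example.com
    }

[domain_realm]
    .example.com = OD.EXAMPLE.COM
"""

# Constructed conflict: a second directory service has written its own default_realm
# into the same file, which is the situation the guide warns against.
CONFLICT_CONF = SAMPLE_CONF.replace("dns_lookup_kdc = true",
                                    "default_realm = AD.EXAMPLE.COM")

SECTION_RE = re.compile(r"^\[(\w+)\]$")
REALM_OPEN_RE = re.compile(r"^([A-Za-z0-9.\-]+)\s*=\s*\{$")
KEY_VALUE_RE = re.compile(r"^(\S+)\s*=\s*(\S.*)$")


def parse_krb5_conf(text):
    """Return every default_realm declared, the [realms] definitions and the
    [domain_realm] mappings. Minimal parser; enough for the checks below."""
    default_realms = []   # should end up with exactly one entry
    realms = {}           # realm name -> {kdc: ..., admin_server: ...}
    domain_realm = {}
    section = None
    current_realm = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_realm = m.group(1), None
            continue
        if section == "libdefaults":
            m = KEY_VALUE_RE.match(line)
            if m and m.group(1) == "default_realm":
                default_realms.append(m.group(2))
        elif section == "realms":
            m = REALM_OPEN_RE.match(line)
            if m:
                current_realm = m.group(1)
                realms[current_realm] = {}
            elif line == "}":
                current_realm = None
            elif current_realm is not None:
                m = KEY_VALUE_RE.match(line)
                if m:
                    realms[current_realm][m.group(1)] = m.group(2)
        elif section == "domain_realm":
            m = KEY_VALUE_RE.match(line)
            if m:
                domain_realm[m.group(1)] = m.group(2)
    return {"default_realms": default_realms, "realms": realms,
            "domain_realm": domain_realm}


def check_conf(conf):
    """Warnings for the configuration-file conflict described in the guide."""
    warnings = []
    n = len(conf["default_realms"])
    if n != 1:
        warnings.append("expected exactly one default_realm, found %d: %s"
                        % (n, ", ".join(conf["default_realms"])))
    for realm in conf["default_realms"]:
        if realm not in conf["realms"]:
            warnings.append("default realm %s has no [realms] entry" % realm)
    return warnings


def sso_capable(conf, principal):
    """True when the principal's realm is this server's single default realm
    (assumption: only that realm's accounts get single sign-on here)."""
    if "@" not in principal or len(conf["default_realms"]) != 1:
        return False
    realm = principal.rsplit("@", 1)[1]
    return realm == conf["default_realms"][0] and realm in conf["realms"]


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONF), ("conflict", CONFLICT_CONF)):
        conf = parse_krb5_conf(text)
        print(label, "default realms:", conf["default_realms"])
        for p in ("alice@OD.EXAMPLE.COM", "bob@AD.EXAMPLE.COM"):
            print("  ", p, "sso" if sso_capable(conf, p) else "no sso")
        for w in check_conf(conf):
            print("   WARNING:", w)
```

Run against the sample, alice in the Open Directory realm gets single sign-on and bob in the Active Directory realm does not, which matches the guide's rule that only one population can use Kerberos from a given server. Against the conflict file, nobody gets single sign-on and the checker reports two default_realm lines, the symptom of two directory services sharing one set of Kerberos configuration files.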
70 Chapter 4 Open Directory Planning and Management Tools