Chapter 5 Setting Up Open Directory Services 97
When Open Directory is started for the first time, Kerberos uses DNS to generate
configuration settings. If your DNS server is not available when Kerberos is initially
started, its configurations are invalid and it will not work properly.
After Kerberos is running and has generated its configuration file, it no longer
completely depends on DNS and changes to DNS will not affect Kerberos.
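Because the configuration is generated from DNS only at that first start, it is worth confirming name resolution before Open Directory is started. The script below is an added example, not part of the original guide: it assumes the `host` utility is available and treats "DNS is usable" as the server's fully qualified name resolving to an address that maps back to the same name; the function names are illustrative.

```shell
#!/bin/sh
# Added example: pre-flight DNS check to run before Open Directory first
# starts Kerberos. Assumption: `host` is installed; names are illustrative.

# Forward lookup: print each IPv4 address for the name, one per line.
resolve_forward() {
    host -t A "$1" 2>/dev/null | awk '/ has address / { print $NF }'
}

# Reverse lookup: print each PTR name for the address, trailing dot removed.
resolve_reverse() {
    host "$1" 2>/dev/null |
        awk '/ domain name pointer / { sub(/\.$/, "", $NF); print $NF }'
}

# Return 0 only if the name is fully qualified, resolves, and every
# address maps back to the same name. One finding is printed per line.
check_kerberos_dns() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$fqdn" in
        *.*) ;;
        *) echo "FAIL: $fqdn is not fully qualified"; return 1 ;;
    esac

    addrs=$(resolve_forward "$fqdn")
    if [ -z "$addrs" ]; then
        echo "FAIL: no A record for $fqdn (is the DNS server reachable?)"
        return 1
    fi

    status=0
    for addr in $addrs; do
        names=$(resolve_reverse "$addr" | tr 'A-Z' 'a-z')
        if printf '%s\n' "$names" | grep -qxF "$fqdn"; then
            echo "OK: $fqdn -> $addr -> $fqdn"
        else
            echo "FAIL: $addr maps back to '${names:-nothing}', expected $fqdn"
            status=1
        fi
    done
    return $status
}

# Run the check when a hostname is given on the command line.
if [ "$#" -gt 0 ]; then
    check_kerberos_dns "$1"
fi
```

A non-zero exit status means at least one lookup failed or did not round-trip, so DNS should be corrected before Open Directory is started for the first time.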
The individual services of Mac OS X Server do not require configuration for single
sign-on or Kerberos.
The following services are ready for single sign-on Kerberos authentication on every
server with Mac OS X Server v10.6 or later that has joined or is an Open Directory
master or replica:
• Login window
• Mail service
• AFP
• FTP
• SMB (as a member of an Active Directory Kerberos realm)
• iChat service
• Print service
• NFS
• Xgrid service
• VPN
• Apache web service
• LDAPv3 directory service (on an Open Directory master or replica).
Setting Up an Open Directory Kerberos Realm
You can provide single sign-on Kerberos authentication on your network by setting up
an Open Directory master.
You can set up an Open Directory master during initial configuration that follows
installation of Mac OS X Server, but if you set up Mac OS X Server to have a different
Open Directory role, you can change its role to that of Open Directory master by using
Server Admin.
For more information, see “Setting Up an Open Directory Master” on page 81 and
“Starting Kerberos After Setting Up an Open Directory Master” on page 98.
A server that is an Open Directory master requires no other configuration to support
single sign-on Kerberos authentication for Kerberized services that the server provides.