Specifications
Chapter 3 User Authentication With Open Directory 39
Note that the service does not need to know any password or password policy
information. Once a ticket-granting ticket has been obtained, no password information
needs to be provided.
Time is very important with Kerberos. If the client and the KDC are out of sync by more
than a few minutes, the client will fail to authenticate with the KDC. The date, time, and
time zone information must be correct on the KDC server and on every client, and they all
should use the same network time service to keep their clocks in sync.
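The clock-skew rule above, as an added illustration that is not part of the Apple guide: the check models how a KDC compares a client's timestamp against its own clock, and shows why a wrong time zone setting fails authentication even when the wall-clock reading looks right. The 300-second tolerance is an assumption (it is the MIT Kerberos default for the krb5.conf clockskew setting; the guide only says "a few minutes"), and all timestamps are constructed samples.

```python
from datetime import datetime, timedelta, timezone

# Assumed tolerance: MIT Kerberos defaults to 300 seconds ("clockskew").
MAX_SKEW = timedelta(seconds=300)


def to_utc(wall_clock: str, utc_offset_hours: float) -> datetime:
    """Combine a host's wall-clock reading with its configured zone offset.

    Kerberos timestamps are exchanged in UTC, so a host whose clock reads the
    right local time but whose zone setting is wrong is still skewed in UTC.
    """
    naive = datetime.strptime(wall_clock, "%Y-%m-%d %H:%M:%S")
    zone = timezone(timedelta(hours=utc_offset_hours))
    return naive.replace(tzinfo=zone).astimezone(timezone.utc)


def skew_seconds(client_utc: datetime, kdc_utc: datetime) -> float:
    """Absolute difference between the two clocks, in seconds."""
    return abs((client_utc - kdc_utc).total_seconds())


def kdc_accepts(client_utc: datetime, kdc_utc: datetime,
                max_skew: timedelta = MAX_SKEW) -> bool:
    """KDC-side decision: a timestamp outside the window is rejected (KRB_AP_ERR_SKEW)."""
    return abs(client_utc - kdc_utc) <= max_skew


def diagnose(client_clock: str, client_offset: float,
             kdc_clock: str, kdc_offset: float) -> dict:
    """Report the effective UTC skew and whether the KDC would accept the request."""
    client_utc = to_utc(client_clock, client_offset)
    kdc_utc = to_utc(kdc_clock, kdc_offset)
    return {"skew_seconds": skew_seconds(client_utc, kdc_utc),
            "accepted": kdc_accepts(client_utc, kdc_utc)}


if __name__ == "__main__":
    # Constructed samples. KDC is set to UTC-7; the client clock reads the same
    # minute, but in the second case its zone is mis-set to UTC-6.
    print(diagnose("2003-08-22 15:12:30", -7, "2003-08-22 15:12:00", -7))
    print(diagnose("2003-08-22 15:12:30", -6, "2003-08-22 15:12:00", -7))
    # Plain drift: the client is six minutes ahead with the correct zone.
    print(diagnose("2003-08-22 15:18:00", -7, "2003-08-22 15:12:00", -7))
```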
For more information on Kerberos, go to the MIT Kerberos website:
web.mit.edu/kerberos/www/index.html
Single Signon
Mac OS X Server uses Kerberos for single signon authentication, which relieves users
from entering a name and password separately for every Kerberized service. With single
signon, a user always enters a name and password in the login window. Thereafter, the
user does not have to enter a name and password for Apple file service, mail service, or
other services that use Kerberos authentication. To take advantage of the single signon
feature, users and services must be configured for Kerberos authentication and use the
same Kerberos Key Distribution Center (KDC) server.
User accounts that reside in an LDAP directory of Mac OS X Server version 10.3 and
have a password type of Open Directory use the server’s built-in KDC. These user
accounts are automatically configured for Kerberos and single signon. This server’s
Kerberized services also use the server’s built-in KDC and are automatically configured
for single signon. Other servers require some configuration to use the Mac OS X Server
KDC. Servers with Mac OS X Server version 10.3 require only minimal configuration to
use the built-in KDC of another server with Mac OS X Server version 10.3.
Shadow and Crypt Passwords
Shadow and crypt passwords do not depend on the Kerberos or Open Directory
Password Server infrastructure for password validation. Both transmit a scrambled form
of a user’s password, or hash, when sending the password over the network. Both also
store a scrambled form of the password, but they differ in where the password is
stored.
A crypt password is stored as a hash in the user account, making the password fairly
easy to capture from another computer on the network. This strategy, historically called
basic authentication, is most compatible with software that needs to access user
records directly. For example, Mac OS X version 10.1 and earlier expects to find a crypt
password stored in the user account.
LL2352.Book Page 39 Friday, August 22, 2003 3:12 PM