
Chapter 5 Setting Up Open Directory Services 61
Setting Up Single Signon and Kerberos
Setting up single signon and Kerberos authentication involves these tasks:
• An administrator who has authority to manage directory domains sets up a server as
  an Open Directory master, which hosts a Kerberos Key Distribution Center (KDC). See
  “Setting Up an Open Directory Master for Single Signon and Kerberos” on page 61.
• The network administrator delegates to specific server administrators the authority
  to join their servers to the Open Directory master server for single signon and
  Kerberos authentication. (If you want to set up a server to join an Open Directory
  master for single signon and Kerberos, you must delegate authority to yourself.) See
  “Delegating Authority to Join an Open Directory Master for Single Signon and
  Kerberos” on page 62.
• Delegated administrators join their servers to the Open Directory master, which then
  provides single signon and Kerberos authentication for services provided by the
  servers that have joined. See “Joining a Server to an Open Directory Master for Single
  Signon and Kerberos” on page 63.
• All computers using single signon and Kerberos should be set to the correct date,
  time, and time zone. They should all be configured to use the same network time
  server. Kerberos depends on the clocks of all participating computers being in sync.
• DNS must be available on the network.
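The clock requirement above can be checked before joining a server. The following is an added example, not part of the original manual: it measures a computer's offset from the network time server with a minimal SNTP exchange and compares it with a skew limit. All function names are hypothetical, and the 300-second limit is an assumption (the MIT Kerberos default); use the tolerance your KDC is configured with.

```python
import socket, struct, time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
MAX_SKEW = 300                # assumption: 5-minute tolerance; match your KDC's setting

def _to_ntp(unix_ts):
    """Unix seconds -> 8-byte NTP timestamp (32.32 fixed point, network order)."""
    sec = int(unix_ts)
    return struct.pack("!II", sec + NTP_EPOCH_DELTA, int((unix_ts - sec) * 2**32))

def _from_ntp(raw):
    sec, frac = struct.unpack("!II", raw)
    return sec - NTP_EPOCH_DELTA + frac / 2**32

def build_request(t1):
    """48-byte SNTP client request (LI=0, VN=3, Mode=3) carrying t1 as transmit time."""
    return b"\x1b" + bytes(39) + _to_ntp(t1)

def clock_offset(reply, t1, t4):
    """Seconds the time server is ahead of the local clock (t1 = sent, t4 = received)."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    if reply[0] & 0x07 != 4 or reply[1] == 0:   # must be server mode, stratum > 0
        raise ValueError("not a usable server reply")
    if reply[24:32] != _to_ntp(t1):             # originate field must echo our request
        raise ValueError("originate timestamp mismatch")
    t2, t3 = _from_ntp(reply[32:40]), _from_ntp(reply[40:48])
    return ((t2 - t1) + (t3 - t4)) / 2          # standard NTP offset formula

def kerberos_clock_ok(offset, max_skew=MAX_SKEW):
    return abs(offset) <= max_skew

def query_offset(server, timeout=3.0):
    """Live check against the network time server; the caller supplies its hostname."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (server, 123))
        reply, _ = s.recvfrom(512)
        return clock_offset(reply, t1, time.time())

def make_reply(t1, t2, t3):
    """Constructed server reply for offline testing (LI=0, VN=3, Mode=4, stratum 2)."""
    return b"\x1c\x02" + bytes(22) + _to_ntp(t1) + _to_ntp(t2) + _to_ntp(t3)
```

Run query_offset against the same time server on every computer that will use single signon; a computer whose result fails kerberos_clock_ok should have its date, time, and time zone corrected before it is joined.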
The individual services of Mac OS X Server version 10.3 and later do not require any
configuration for single signon or Kerberos. The following services are ready for
Kerberos and single signon on every server with Mac OS X Server version 10.3 and later
that is an Open Directory master or has joined one:
• Login window
• Mail service
• FTP
• AFP service
• SSH
These services are “Kerberized” whether they are running or not.
Setting Up an Open Directory Master for Single Signon and Kerberos
You can provide single signon and Kerberos authentication on your network by setting
up an Open Directory master. You can set up an Open Directory master during the
initial configuration that follows installation of Mac OS X Server version 10.3 and later. If
you have set up Mac OS X Server to have a different Open Directory role, you can
change its role to that of Open Directory master by using Server Admin.
LL2352.Book Page 61 Friday, August 22, 2003 3:12 PM