262 Chapter 15 Configuring and Managing Open Directory
The following tools are available for setting up your Kerberos and Apple single sign-on
environment. For more information about a tool, see the related man page.
Backing Up the Kerberos Database
kdb5_util is a tool for maintaining the Kerberos database. The kdb5_util tool is useful for dumping the principal database to text to get a reliable backup.
The data is extremely sensitive. By definition, creating a copy of it decreases your overall security. These backups should be subject to the same security precautions as other KDC files.
Note: Do not back up the KDC while the krb5kdc process is running.
To dump the KDC’s database:
$ sudo kdb5_util dump > /path/to/secure/backup
Replace /path/to/secure/backup with the path to the location you are backing up the database to.
To load KDC data from a dumped file:
$ sudo kdb5_util load /path/to/secure/backup
Replace /path/to/secure/backup with the path to the location of your backup database.
You can also use kdb5_util to create and delete Kerberos databases and to manage
the location of the stash file used to encrypt the database.
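As an added example (not code from Apple's guide), a small POSIX shell wrapper for the dump and load steps above that enforces the two cautions the text gives: it refuses to run while krb5kdc is running, and it creates the dump with owner-only permissions. It assumes kdb5_util is on PATH and pgrep is available; the KDB5_UTIL variable exists only so the wrapper can be exercised with a stand-in command.

```shell
#!/bin/sh
# Added example, not part of the Open Directory guide. Run as root (sudo),
# exactly like the kdb5_util commands it wraps.
# Assumptions: kdb5_util on PATH (KDB5_UTIL overrides it for testing),
# pgrep available, destination directory on local, protected storage.
set -u

KDB5_UTIL="${KDB5_UTIL:-kdb5_util}"

# Returns 0 when the krb5kdc daemon is running; the guide says never to
# dump or load the database in that state.
kdc_is_running() {
    pgrep -x krb5kdc >/dev/null 2>&1
}

# kdc_backup DEST: dump the principal database to DEST with mode 0600.
# The dump is as sensitive as the KDC itself, so it must never be readable
# by other users, not even briefly.
kdc_backup() {
    dest="$1"
    if kdc_is_running; then
        echo "kdc_backup: krb5kdc is running; stop it before dumping" >&2
        return 1
    fi
    if [ -e "$dest" ]; then
        echo "kdc_backup: refusing to overwrite existing dump $dest" >&2
        return 1
    fi
    # Create the file with owner-only permissions first, then write into it.
    (umask 077 && : > "$dest") || return 1
    "$KDB5_UTIL" dump > "$dest" || { rm -f "$dest"; return 1; }
    # An empty file, or one without the kdb5_util header, is not a backup.
    if ! head -n 1 "$dest" | grep -q '^kdb5_util load_dump version'; then
        echo "kdc_backup: $dest does not look like a kdb5_util dump" >&2
        rm -f "$dest"
        return 1
    fi
    return 0
}

# kdc_restore SRC: load a dump produced by kdc_backup, again only with the
# KDC stopped.
kdc_restore() {
    src="$1"
    [ -r "$src" ] || { echo "kdc_restore: cannot read $src" >&2; return 1; }
    if kdc_is_running; then
        echo "kdc_restore: krb5kdc is running; stop it before loading" >&2
        return 1
    fi
    "$KDB5_UTIL" load "$src"
}
```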
Principal Management
Mac OS X Server uses MIT’s Kerberos administration architecture for principal management. The Kerberos kadmind administration daemon is responsible for making changes to the Kerberos database. Aside from Open Directory, kadmind is largely manipulated by kadmin and kadmin.local.
Generally in Mac OS X, Apple applications are responsible for telling kadmin what to do, so manual modifications are rarely needed.
The configuration files for kadmin and krb5kdc are in /var/db/krb5kdc/. The kadm5.acl file is a list of Kerberos principals that have various administrative privileges.
Tool (in /usr/sbin/)   Description
kdcsetup               Creates necessary setup files and adds krb5kdc and kadmind servers for the Apple Open Directory KDC.
sso_util               Sets up, interrogates, and tears down the Kerberos configuration in the Apple single sign-on environment.
kerberosautoconfig     Creates the edu.mit.Kerberos file based on the Open Directory KerberosClient record.