Using kerberos, Understanding kerberos, Using kerberos 205 – Apple Mac OS X Server (version 10.2.3 or later) User Manual

Users and Groups
205
Using Kerberos
If you already use Kerberos to authenticate users, you can use Kerberos to validate
passwords for the following services of Mac OS X Server version 10.2 and later:
• Login window
• Mail service
• FTP
• AFP server and client
These services have been “Kerberized.” Only services that have been Kerberized can use
Kerberos to validate a user.
Understanding Kerberos
Like the Password Server, a Kerberos server is dedicated to handling data needed for user
validation. Other user data is maintained on a separate server.
Kerberized services are configured to authenticate principals who are known to a particular
Kerberos realm. You can think of a “realm” as a particular Kerberos database or
authentication domain, which contains validation data for users, services, and sometimes
servers (known as “principals”). For example, a realm contains principals’ private keys, which
are the result of a one-way function applied to passwords. Service principals are generally
based on randomly generated secrets rather than passwords.
Here are examples of realm and principal names; note that realm names are capitalized by
convention to distinguish them from DNS domain names:
• Realm: MYREALM.EXAMPLE.COM
• User principal: [email protected]
• Service principal: afpserver/[email protected]
There are several phases to Kerberos authentication. In the first phase, the client obtains
credentials to be used to request access to Kerberized services. In the second phase, the
client requests authentication for a specific service. In the final phase, the client presents
those credentials to the service.
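The three phases above, modelled as an added example that is not part of the manual: a toy Python realm in which user principals hold password-derived keys, service principals hold random secrets, and the client walks through the AS, TGS and AP exchanges. The cipher, the PBKDF2 string-to-key, the principal names alice and afpserver/fs.example.com, and the krbtgt naming are assumptions made for the example, not taken from the manual.

```python
import hashlib, hmac, json, os, secrets
REALM = "MYREALM.EXAMPLE.COM"
TGS = f"krbtgt/{REALM}@{REALM}"                   # the ticket-granting service's principal

# Toy authenticated encryption (SHAKE-256 keystream XOR + HMAC tag), a stand-in for Kerberos enctypes.
def _xor(key, nonce, data):
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))
def seal(key: bytes, obj: dict) -> bytes:
    ct = (nonce := os.urandom(16)) + _xor(key, nonce, json.dumps(obj).encode())
    return ct + hmac.new(key, ct, hashlib.sha256).digest()
def open_(key: bytes, blob: bytes) -> dict:
    if not hmac.compare_digest(blob[-32:], hmac.new(key, blob[:-32], hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, blob[:16], blob[16:-32]))

def string_to_key(password: str, principal: str) -> bytes:
    # One-way function of the password; the realm stores only this (PBKDF2 is an assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)
# Realm database held by the KDC: principal -> long-term key, never a password.
kdc_db = {f"alice@{REALM}": string_to_key("correct horse", f"alice@{REALM}"),
          TGS: secrets.token_bytes(32),                                  # service principals
          f"afpserver/fs.example.com@{REALM}": secrets.token_bytes(32)}  # use random secrets

def _issue(presenter_key: bytes, client: str, service: str):
    # Ticket sealed under the service's key; the new session key goes back under presenter_key.
    sk = secrets.token_bytes(32).hex()
    return seal(kdc_db[service], {"client": client, "sk": sk}), seal(presenter_key, {"sk": sk})
def _check(ticket: dict, authenticator: bytes) -> dict:
    # An authenticator sealed under the ticket's session key proves the caller holds that key.
    if open_(bytes.fromhex(ticket["sk"]), authenticator)["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket")
    return ticket
def as_exchange(client: str):
    # Phase 1 (AS): the TGT is a ticket for TGS; only the password-derived key opens the reply.
    return _issue(kdc_db[client], client, TGS)
def tgs_exchange(tgt: bytes, authenticator: bytes, service: str):
    # Phase 2 (TGS): open the TGT with the TGS key, verify the authenticator, issue a ticket.
    t = _check(open_(kdc_db[TGS], tgt), authenticator)
    return _issue(bytes.fromhex(t["sk"]), t["client"], service)
def ap_exchange(ticket: bytes, authenticator: bytes, service_key: bytes) -> str:
    # Phase 3 (AP): the service opens the ticket with its own key and checks the authenticator.
    return _check(open_(service_key, ticket), authenticator)["client"]

def login(client: str, password: str, service: str) -> str:
    # Client side of all three phases; the password-derived key never leaves the client.
    tgt, enc = as_exchange(client)
    sk = bytes.fromhex(open_(string_to_key(password, client), enc)["sk"])  # wrong password fails here
    ticket, enc = tgs_exchange(tgt, seal(sk, {"client": client}), service)
    ssk = bytes.fromhex(open_(sk, enc)["sk"])
    return ap_exchange(ticket, seal(ssk, {"client": client}), kdc_db[service])
```

Note that the KDC never sees the password and the AFP service never sees the client's long-term key: each party only ever opens messages sealed under a key it already holds.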
LL0395.Book Page 205 Wednesday, November 20, 2002 11:44 AM