
Integrating mac os x with a kerberos server – Apple Mac OS X Server (version 10.2.3 or later) User Manual

Page 206

Chapter 3

The following illustration summarizes these activities. Note that the service and the client in
this picture may be the same entity (such as login window) or two different entities (such as
a mail client and the mail server).

1. The client authenticates to a Kerberos Key Distribution Center (KDC), which interacts with
realms to access authentication data. This is the only step in which passwords and associated
password policy information need to be checked.

2. The KDC issues the client a ticket-granting ticket, the credential needed when the client
wants to use Kerberized services. The ticket-granting ticket is good for a configurable period
of time, but can be revoked before expiration. It is cached on the client until it expires.

3. The client contacts the KDC with the ticket-granting ticket when it wants to use a particular
Kerberized service.

4. The KDC issues a ticket for that service.

5. The client presents the ticket to the service.

6. The service verifies that the ticket is valid. If the ticket is valid, use of the service is granted
to the client if the client is authorized to use the service. (Kerberos only authenticates clients;
it does not authorize them to use services. An AFP server, for example, needs to consult a
user’s account in a directory domain to obtain the UID.) The service uses information in the
ticket if required to retrieve additional information about the user from a directory domain.

Note that the service does not need to know any password or password policy information.
Once a ticket-granting ticket has been obtained, no password information needs to be
provided.
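The six steps above as an added toy model in Python (not Apple's or MIT's code): tickets are HMAC-sealed JSON rather than real Kerberos encrypted ASN.1, the realm, keys, password and directory entries are constructed, and the clock is passed in as `now` so expiry can be exercised. It shows that the password is checked only in step 1, that the service holds no password store, and that authorization is a separate directory lookup keyed by the principal's short name.

```python
import hashlib, hmac, json

def _seal(key, claims):
    # A ticket is modelled as its claims plus an HMAC under the verifier's long-term key.
    body = json.dumps(claims, sort_keys=True)
    return body, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def _open(key, ticket, now):
    # Verifying needs only the verifier's own key and the clock, never a password.
    body, mac = ticket
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected) or now > json.loads(body)["exp"]:
        raise PermissionError("ticket forged, sealed for another key, or expired")
    return json.loads(body)

class KDC:
    def __init__(self, realm_passwords, tgs_key, service_keys, lifetime=8 * 3600):
        self.realm_passwords = realm_passwords  # realm data: the only place passwords live
        self.tgs_key, self.service_keys, self.lifetime = tgs_key, service_keys, lifetime
    def as_exchange(self, principal, password, now):
        # Steps 1-2: check the password once, then issue a ticket-granting ticket (TGT).
        if self.realm_passwords.get(principal) != password:
            raise PermissionError("bad principal or password")
        return _seal(self.tgs_key, {"cname": principal, "exp": now + self.lifetime})
    def tgs_exchange(self, tgt, service, now):
        # Steps 3-4: the client presents its cached TGT and gets a ticket for one service.
        claims = _open(self.tgs_key, tgt, now)
        return _seal(self.service_keys[service],
                     {"cname": claims["cname"], "sname": service, "exp": claims["exp"]})

class AFPService:
    def __init__(self, name, key, directory):
        self.name, self.key, self.directory = name, key, directory  # no password store here
    def ap_exchange(self, ticket, now):
        # Steps 5-6: authenticate via the ticket, then authorize via the directory domain.
        claims = _open(self.key, ticket, now)
        if claims["sname"] != self.name:
            raise PermissionError("ticket was issued for a different service")
        uid = self.directory.get(claims["cname"])  # principal name == directory short name
        if uid is None:
            raise PermissionError("authenticated, but no account in the directory domain")
        return uid

def run_flow(principal, password, directory, now):
    # Constructed realm, keys and password (hypothetical values); returns the resolved UID.
    kdc = KDC({"anne": "s3cret"}, b"tgs-long-term-key", {"afp": b"afp-long-term-key"})
    afp = AFPService("afp", b"afp-long-term-key", directory)
    tgt = kdc.as_exchange(principal, password, now)  # steps 1-2
    ticket = kdc.tgs_exchange(tgt, "afp", now)       # steps 3-4
    return afp.ap_exchange(ticket, now)              # steps 5-6
```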

For more information on Kerberos, go to the MIT Kerberos home page:

web.mit.edu/kerberos/www/index.html

Integrating Mac OS X With a Kerberos Server

To integrate Mac OS X with a Kerberos server:

1. Make sure that one or more realms supported by your Kerberos server contain information
for all the users to be validated using Kerberos and for all the Mac OS X Kerberized services
they will use. The Kerberos principal name must be the same as the short name in the user’s
directory domain account.

[Illustration: Client, Key Distribution Center (KDC), and Kerberized service, with the six numbered steps described above]

LL0395.Book Page 206 Wednesday, November 20, 2002 11:44 AM