
Enabling Kerberos Authentication for Mail, Enabling Kerberos Authentication for AFP – Apple Mac OS X Server (version 10.2.3 or later) User Manual

Page 207


Users and Groups


2 Create user accounts for each of the same users in directory domains accessible from the Mac OS X computers on which Kerberized services will be used. Set the password type to Basic, and specify passwords that will never be used to authenticate the users; the KDC, not the directory password, authenticates these users.

Kerberized services on Mac OS X computers retrieve user accounts by extracting the user name part of the client principal from the Kerberos ticket the client presents (issued by the KDC); that name is passed to directory services to find the account.

3 Before enabling Kerberos for a specific Kerberized service, create one or more principals for it in the KDC, save the shared secrets (the service’s long-term keys) into a keytab file, and copy the keytab file from the KDC to /etc/krb5.keytab on your Mac OS X Server.

Use the kadmin command-line tool to create principals and a keytab file, and use a file transfer protocol to move the keytab file from the Kerberos server to Mac OS X Server. FTP or SCP (secure copy over SSH) are most likely to be present on the KDC; prefer SCP, because FTP sends the file in the clear and anyone who captures it can impersonate the service.

Keytab files are sensitive: they contain the service’s long-term keys, which are what let a server prove to clients that it is the genuine service and decrypt the tickets clients present. On the server, /etc/krb5.keytab should be owned by root and readable by no one else (mode 600).

4 On Mac OS X Server, place the edu.mit.Kerberos configuration file in /Library/Preferences. This file is not secret, so it can be placed on a guest-accessible volume, but it must not be writable by anyone other than an administrator: it names the realm and its KDCs, and whoever can change it can redirect authentication to a KDC of their choosing.

This file must also reside in Library/Preferences in the home directory (~/Library/Preferences) of each user you want to authenticate using Kerberos.

5 Enable individual services (mail, AFP, and FTP) and clients (login window, AFP client, mail client) to support Kerberos authentication.

6 Make sure that the directory domains containing the users you want authenticated using Kerberos are in the search path of the server hosting the Kerberized services.

Enabling Kerberos Authentication for Mail

Use Server Settings to enable mail server support for Kerberos. See “Requiring or Allowing
Kerberos Authentication” on page 403 for details.

To enable mail client support, set up Mac OS X Mail application account preferences to use
Kerberos V5 authentication. Also make sure that edu.mit.Kerberos resides in /Library/
Preferences on the user’s computer.

Enabling Kerberos Authentication for AFP

Use Server Settings to enable AFP server support for Kerberos. See Chapter 5, “File Services,”
for details.

AFP client has no special requirements beyond access to /Library/Preferences/
edu.mit.Kerberos.

Note that “afpserver” is the service name for AFP; a service principal takes the form service/hostname@REALM, where hostname is the server’s fully qualified host name and REALM is the Kerberos realm. For example:
Service principal: afpserver/[email protected]
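The following script is an added example, not part of the Apple manual, showing steps 3 and 4 above end to end for the afpserver principal: it creates the principal on an MIT Kerberos KDC with kadmin, exports its key to a keytab, copies the keytab over SSH rather than FTP, locks the file down on the server, and installs an edu.mit.Kerberos file. The host names kdc.example.com and server.example.com, the realm EXAMPLE.COM, root SSH access to the server, running kadmin.local on the KDC itself, and the krb5.conf syntax of edu.mit.Kerberos are all assumptions, not values from the manual.

```shell
#!/bin/sh
# Added example, not from the Apple manual: steps 3 and 4 for the AFP service
# against an MIT Kerberos KDC. Host names and the realm are placeholders;
# kadmin.local is assumed to run on the KDC, and ssh as root on the server.
set -eu

KDC_HOST="kdc.example.com"          # assumed KDC
SERVER_HOST="server.example.com"    # assumed Mac OS X Server
DOMAIN="example.com"                # assumed DNS domain mapped to the realm
REALM="EXAMPLE.COM"                 # assumed Kerberos realm
KEYTAB="/etc/krb5.keytab"           # where the manual says the keytab goes

# Kerberos service principals have the form service/host@REALM.
service_principal() {
  printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# kadmin commands that create a principal with a random key (nobody ever
# types a password for a service) and append its key to a keytab file.
kadmin_script() {
  printf 'addprinc -randkey %s\nktadd -k %s %s\n' "$1" "$2" "$1"
}

# Octal permission bits of a file; GNU stat and BSD/macOS stat differ.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# A keytab holds long-term keys: anything but owner-only access is a finding.
check_keytab_perms() {
  mode=$(file_mode "$1")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$1: mode $mode, expected 600" >&2; return 1 ;;
  esac
}

# edu.mit.Kerberos in MIT krb5.conf syntax (assumed). It is not secret, so it
# may be world-readable, but only root may write it: whoever edits this file
# chooses which KDC the server trusts.
write_kerberos_config() {
  cat > "$1" <<EOF
[libdefaults]
    default_realm = $REALM

[realms]
    $REALM = {
        kdc = $KDC_HOST
        admin_server = $KDC_HOST
    }

[domain_realm]
    .$DOMAIN = $REALM
    $DOMAIN = $REALM
EOF
  chmod 644 "$1"
}

# The real procedure, run on the KDC only when asked with --apply, so the
# file can be sourced for its helpers without touching any system.
apply() {
  princ=$(service_principal afpserver "$SERVER_HOST" "$REALM")
  tmp=$(mktemp /tmp/afp.keytab.XXXXXX)
  chmod 600 "$tmp"
  # Create afpserver/server@REALM and export its key into the temp keytab.
  kadmin_script "$princ" "$tmp" | kadmin.local
  # Move it over SSH, never FTP, then lock it down and verify on the server.
  scp -p "$tmp" "root@$SERVER_HOST:$KEYTAB"
  rm -f "$tmp"
  ssh "root@$SERVER_HOST" "chown root:wheel $KEYTAB && chmod 600 $KEYTAB && klist -k $KEYTAB"
  # Step 4: install the realm configuration the server's services will read.
  cfg=$(mktemp /tmp/edu.mit.Kerberos.XXXXXX)
  write_kerberos_config "$cfg"
  scp -p "$cfg" "root@$SERVER_HOST:/Library/Preferences/edu.mit.Kerberos"
  rm -f "$cfg"
}

if [ "${1:-}" = "--apply" ]; then
  apply
fi
```

Run it as `sh kerberize-afp.sh --apply` on the KDC after adjusting the placeholders. The `-randkey` flag matters: a service principal with a human-chosen password is a principal whose key can be guessed offline from any captured ticket, whereas a random key exists only in the KDC database and the keytab. `klist -k` on the server is the quick check that the keytab actually holds the principal the AFP service will look for.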

LL0395.Book Page 207 Wednesday, November 20, 2002 11:44 AM