beautypg.com

Enabling kerberos authentication for ftp, Enabling kerberos authentication for login window, Solving problems with kerberos – Apple Mac OS X Server (version 10.2.3 or later) User Manual

Page 208: Using ldap bind authentication, Using ldap bind authentication 208

background image

208

Chapter 3

Enabling Kerberos Authentication for FTP

Use Server Settings to enable FTP server support for Kerberos. See Chapter 5, “File Services,”
for details.

Enabling Kerberos Authentication for Login Window

Use this procedure on each Mac OS X client computer you want to use Kerberos at login:

To set up Kerberos login authentication:

1

Place the edu.mit.Kerberos configuration file in /Library/Preferences/. This file is not
sensitive, so it can be placed on a guest-accessible volume.

2

Change the /etc/authorization file so that the value of the eval key of the system.login.done
parameter looks like this:

switch_to_user,krb5auth:login

3

If you want to make Kerberos authentication a requirement for login, create a host principal
on the KDC, and copy a keytab file from the KDC to /etc/krb5.keytab on the client computer.
(The string “host/mymachine.example.com” is an example of a host principal.)

Also, change the client’s /etc/authorization file so that the value of the eval key of the
system.login.console parameter looks like this:

loginwindow_builtin:login,krb5auth:authenticate,loginwindow_builtin:success

If you skip this step, login window first authenticates by using the Open Directory password
and acquires a ticket-granting ticket as a side effect of logging in.

4

Make sure that the user has an Open Directory account with a short name that matches the
Kerberos principal name. The account should be in the search path of the client computer.

If you skip step 3 or if you want to use AFP home directories, make sure the Open Directory
password matches the Kerberos password.

Solving Problems With Kerberos

See “Kerberos Users Can’t Authenticate” on page 212 for troubleshooting tips.

Using LDAP Bind Authentication

When you use this password validation technique, you rely on an LDAPv2 or LDAPv3 server
to authenticate a user’s password. Because it supports the Secure Socket Layer (SSL)
protocol, LDAPv3 is preferred.

You can use Workgroup Manager to enable the use of LDAP bind authentication for user
accounts stored in a NetInfo or LDAPv3 directory domain.

LL0395.Book Page 208 Wednesday, November 20, 2002 11:44 AM

See also other documents in the category Apple Software: