Integrating mac os x with a kerberos server – Apple Mac OS X Server (Administrator’s Guide) User Manual

Page 199

Users and Groups

3. The client contacts the KDC with the ticket-granting ticket when it wants to use a particular Kerberized service.

4. The KDC issues a ticket for that service.

5. The client presents the ticket to the service.

6. The service verifies that the ticket is valid. If the ticket is valid, usage of the service is granted to the client if the client is authorized to use the service. (Kerberos only authenticates clients; it does not authorize them to use services. An AFP server, for example, needs to consult a user’s account in a directory domain to obtain the UID.) The service uses information in the ticket if required to retrieve additional information about the user from a directory domain.

Note that the service does not need to know any password or password policy information.
Once a ticket-granting ticket has been obtained, no password information needs to be
provided.

For more information on Kerberos, go to the MIT Kerberos home page:

web.mit.edu/kerberos/www/index.html

Integrating Mac OS X With a Kerberos Server

To integrate Mac OS X with a Kerberos server:

1. Make sure that one or more realms supported by your Kerberos server contain information for all the users to be validated using Kerberos and for all the Mac OS X Kerberized services they will use. The Kerberos principal name must be the same as the short name in the user’s directory domain account.

2. Create user accounts for each of the same users in directory domains accessible from Mac OS X computers on which Kerberized services will be used. Set the password type to Basic, and specify passwords that will never be used to authenticate the users.

Kerberized services on Mac OS X computers retrieve user accounts by extracting the user name part of the principal out of the KDC certificate, which is passed to directory services to find the account.

3. Before enabling Kerberos for a specific Kerberized service, create one or more principals in the KDC for it, save the shared secrets into a keytab file, and copy the keytab file from the KDC to /etc/krb5.keytab on your Mac OS X Server.

Use the kadmin command-line tool to create principals and a keytab file, and use a file sharing protocol to transfer the keytab file from the Kerberos server to Mac OS X Server. FTP or SCP (secure copy over SSH) are most likely to be present on the KDC.

Keytab files are sensitive, because they contain information used to determine whether a client or service is trustworthy.
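As an added example (not from the Apple manual), a shell script that prepares the MIT kadmin and scp commands for step 3 and checks the permissions of the keytab once installed; the realm EXAMPLE.COM, the host macserver.example.com and the service name afpserver are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the Apple manual. Assumed placeholders: realm
# EXAMPLE.COM, server host macserver.example.com, service name afpserver.
REALM="EXAMPLE.COM"
SERVER_FQDN="macserver.example.com"
KEYTAB_ON_KDC="/tmp/${SERVER_FQDN}.keytab"

# Commands to run on the KDC (MIT kadmin): create a service principal with a
# random key and export that key into a keytab. They are printed rather than
# executed so they can be reviewed and run under an admin principal on the KDC.
kadmin_commands() {
    svc="$1"
    princ="${svc}/${SERVER_FQDN}@${REALM}"
    printf 'kadmin -q "addprinc -randkey %s"\n' "$princ"
    printf 'kadmin -q "ktadd -k %s %s"\n' "$KEYTAB_ON_KDC" "$princ"
}

# Transfer to Mac OS X Server. SCP is used rather than FTP: the keytab holds
# the service's long-term key, and FTP would send it in cleartext.
copy_command() {
    printf 'scp %s root@%s:/etc/krb5.keytab\n' "$KEYTAB_ON_KDC" "$SERVER_FQDN"
}

# Check the installed keytab: the file exists and group/other have no access
# (characters 5-10 of the ls mode string are all "-"). Returns 0 if safe.
check_keytab_perms() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)
    go_bits=$(printf '%s' "$mode" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "UNSAFE: $f is accessible by group/other (mode $mode)" >&2
        return 1
    fi
    echo "ok: $f is restricted to its owner (mode $mode)"
}

# Stand-alone use: print the KDC-side and transfer commands, then check the
# keytab if it is already in place on this machine.
kadmin_commands afpserver
copy_command
if [ -f /etc/krb5.keytab ]; then
    check_keytab_perms /etc/krb5.keytab
fi
```

On the server, `klist -k /etc/krb5.keytab` lists the principals the copied keytab contains, which confirms the right service principals arrived before the service is switched to Kerberos.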
