Showing posts with label kerberos.

Monday, March 17, 2008

Kerberos Issues with Open Directory 10.5? Here is a Sure-Fire Fix

I thought I would post this, as we had a similar situation within our class with this issue. At times, when you try to start Kerberos in Mac OS X 10.5 Server, the domain gives you trouble. The first thing you should do is check the host name with changeip, and determine the issue with your DNS. Then, you can fix your Kerberos issues with the following steps as found here on Apple's documents page:

1. Fix Your DNS: This is necessary, otherwise steps below will not work.

2. Fix your /etc/hosts file: Best done in Terminal. Run sudo bash and authenticate to get to root, and then run vi /etc/hosts. Once in there, add your server's IP Address and fully qualified domain name, like this: 10.1.0.1 mainserver.pretendco.com

3. Set your Host Name: This can be done as root with the following command: scutil --set HostName mainserver.pretendco.com. Replace mainserver.pretendco.com with your own server's fully qualified host name in this step and in all subsequent steps.

4. Initialize Kerberos: This requires three commands, run while logged in as root. MAINSERVER.PRETENDCO.COM is the Kerberos realm, which on Mac OS X Server is the server's fully qualified host name in upper case:
slapconfig -kerberize diradmin MAINSERVER.PRETENDCO.COM (diradmin is the directory administrator's login name)
sso_util configure -r MAINSERVER.PRETENDCO.COM -f /LDAPv3/127.0.0.1 -a diradmin -p diradmin_password -v 1 all (replace diradmin and diradmin_password with your directory administrator's name and password)
sso_util configure -r MAINSERVER.PRETENDCO.COM -f /LDAPv3/127.0.0.1 -a diradmin -p diradmin_password -v 1 ldap

Once you finish these steps, reboot the machine, and check your Server Admin utility. You should see that you have all your services running on your Open Directory Master.
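Steps 1 through 3 are exactly what goes wrong most often, so here is a small pre-flight check I have added as an example (it is not Apple's changeip or slapconfig tooling and not from the original post). It verifies that the host name is fully qualified, that forward and reverse DNS agree with the IP, and that /etc/hosts carries the matching entry, and it derives the realm name the slapconfig/sso_util commands expect. The DNS answers are passed in as tables so the check runs offline; the hosts text and both tables below are constructed sample data.

```python
"""Pre-flight check for the prerequisites listed above before running
slapconfig -kerberize: a fully qualified host name, matching forward and
reverse DNS, and a matching /etc/hosts entry.  Added example, not Apple's
changeip/slapconfig tooling and not from the original post.  Lookups are
passed in as tables so it runs offline; the tables below are constructed."""

import re

SAMPLE_HOSTS = """# constructed /etc/hosts
127.0.0.1 localhost
10.1.0.1 mainserver.pretendco.com mainserver
"""
SAMPLE_FORWARD = {"mainserver.pretendco.com": "10.1.0.1"}   # name -> A record (constructed)
SAMPLE_REVERSE = {"10.1.0.1": "mainserver.pretendco.com"}   # ip -> PTR record (constructed)

LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$", re.IGNORECASE)


def is_fqdn(name):
    """True for host.domain.tld style names made of valid DNS labels."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(lab) for lab in labels)


def realm_for(fqdn):
    """Realm name in the form the slapconfig/sso_util commands use:
    the server's FQDN in upper case."""
    return fqdn.rstrip(".").upper()


def hosts_entries(text):
    """Parse /etc/hosts-style text into {name: ip}; comments and blanks ignored."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            entries.setdefault(name, fields[0])   # first mapping wins, as the resolver does
    return entries


def check(fqdn, ip, hosts_text, forward, reverse):
    """Return the list of problems found; an empty list means go ahead."""
    problems = []
    if not is_fqdn(fqdn):
        problems.append(f"{fqdn!r} is not a fully qualified host name")
    if forward.get(fqdn) != ip:
        problems.append(f"forward DNS for {fqdn} gives {forward.get(fqdn)!r}, expected {ip}")
    if reverse.get(ip) != fqdn:
        problems.append(f"reverse DNS for {ip} gives {reverse.get(ip)!r}, expected {fqdn}")
    if hosts_entries(hosts_text).get(fqdn) != ip:
        problems.append(f"/etc/hosts does not map {fqdn} to {ip}")
    return problems


if __name__ == "__main__":
    host, ip = "mainserver.pretendco.com", "10.1.0.1"
    found = check(host, ip, SAMPLE_HOSTS, SAMPLE_FORWARD, SAMPLE_REVERSE)
    print("\n".join(found) or f"ok: realm would be {realm_for(host)}")
```

On a real server you would feed check() the output of your resolver instead of the two sample tables; the point is that every one of the four conditions has to hold, and a short host name like "mainserver" fails three of them at once.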

Even with this trouble, Kerberos seems really simple to set up with a Mac server. I've never tried it on a Linux server, but from the expressions on some friends' faces when I suggest it, it doesn't seem to be very simple. I'm not sure how it's implemented in Active Directory either, though I do know it's just as frustrating when it doesn't work.

Friday, November 30, 2007

Leopard and the Secure NFS Share

One of the benefits of being an Apple Certified Trainer is that I get neat updates from the Apple training staff regarding all aspects of the OS. Today, I got an update from Apple on the UNIX-compliant status of Leopard from their site here. While I knew that 64-bit processing was a big thing for Apple in general, and I knew that the new Terminal was a sweet deal, I didn't know they had made a change to NFS, namely to make it Kerberized.

For those of you not familiar with the NFS (Network File System), you may not know why the change to NFS is so important. Sure, single sign on is a great thing in principle, but what's the big deal, right? Well, let's take you through the world of NFS.

NFS is a UNIX native file sharing protocol used to quickly share files back and forth. What makes it so quick? There is no user name and password authentication. Authentication is done through the UNIX UID: the server simply trusts the UID the client reports. This is great in a Directory-specified network where everyone has their own unique ID, but what if you are logging onto the file share from your locally authenticated machine? Chances are you are logging in with a UID assigned on your local machine that belongs to a different user on the server. Take this scenario:

Tech A creates his server, and shares his files with NFS. His first account he creates is the Administrator account, which was assigned the UID of 501 (standard Admin UID for Apple, by the way). He then creates various other accounts, starting at UID 1025 and going up.

Marketing Director A gets a new machine and creates their first account, which is again an Admin account for that machine and is also assigned the UID of 501. They then connect to the file server Tech A created with their account. They don't have to worry about authentication, because NFS authenticates from the UID. In this case, the Marketing Director has Admin access to the file server. Problem? Yes, most definitely. And the same goes for anyone who creates a local account on their machine, be they a director or lowly janitor.

Apple had seen this coming, and in Tiger Server made it possible to map all NFS connections to the nobody user, and make all access read only. That did some good, but still lacked the benefits and security of authentication.

Now enter Kerberos. Because of the ticket system that it utilizes, and the fact that the user's password does not have to be checked again once the KDC has authenticated the user on the network, there is no speed reduction in authenticating through Kerberos for an NFS file share. It also adds just one more service that is Kerberized for a Mac OS X Server. I am hard-pressed to think of one service that is not Kerberized with the new Leopard install. This, and the fact that starting a Kerberos KDC is so easy to do with Mac OS X Server, makes it a good choice for small to medium-sized businesses.
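To make the UID problem concrete, here is a small model I have added as an example (it is not code from the original post and not Apple's NFS server). It works out whose identity the server acts on in three configurations: plain AUTH_SYS, where the server believes the UID the client sends; the Tiger Server mitigation of mapping everyone to nobody and making the share read only; and a Kerberized export, where the identity is the principal the KDC vouched for, resolved through the directory. The accounts, UIDs, the principal-to-UID table and the nobody UID are constructed sample values.

```python
"""Model of whose identity an NFS server acts on under plain AUTH_SYS, under
Tiger Server's map-to-nobody/read-only mitigation, and with a Kerberos
principal.  Added example, not code from the original post or from Apple's
NFS server; accounts, UIDs and the principal-to-UID table are constructed."""

import stat

NOBODY_UID = 99   # placeholder for the "nobody" squash target; the real uid is system-specific

# Constructed sample data following the scenario in the post.
DIRECTORY_UIDS = {                                   # what the directory says a principal's uid is
    "techa@MAINSERVER.PRETENDCO.COM": 1025,
    "mktdir@MAINSERVER.PRETENDCO.COM": 1101,
}
ADMIN_FILE = {"owner_uid": 501, "mode": 0o600}       # a file only the server's admin (uid 501) should touch
TECHA_FILE = {"owner_uid": 1025, "mode": 0o644}      # a file Tech A shares read-only with everyone else


def identity_auth_sys(asserted_uid, export):
    """AUTH_SYS: the uid in the RPC credential is believed as sent, unless squashed."""
    if export.get("map_all"):                        # Tiger-style: every client becomes nobody
        return NOBODY_UID
    if export.get("map_root") and asserted_uid == 0:  # classic root squash
        return NOBODY_UID
    return asserted_uid


def identity_krb5(principal):
    """sec=krb5: the identity is the principal the KDC vouched for, resolved via the directory."""
    return DIRECTORY_UIDS.get(principal, NOBODY_UID)


def permitted(uid, mode, owner_uid, want_write):
    """Owner-or-other POSIX bit check (group bits left out to keep the model short)."""
    if uid == owner_uid:
        bit = stat.S_IWUSR if want_write else stat.S_IRUSR
    else:
        bit = stat.S_IWOTH if want_write else stat.S_IROTH
    return bool(mode & bit)


def nfs_access(export, file, want_write, asserted_uid=None, principal=None):
    """Return (effective uid, allowed) for one request against `file` on `export`."""
    if export.get("sec") == "krb5":
        uid = identity_krb5(principal)
    else:
        uid = identity_auth_sys(asserted_uid, export)
    if export.get("read_only") and want_write:
        return uid, False
    return uid, permitted(uid, file["mode"], file["owner_uid"], want_write)


if __name__ == "__main__":
    plain = {"sec": "sys"}
    tiger = {"sec": "sys", "map_all": True, "read_only": True}
    krb = {"sec": "krb5"}
    # The Marketing Director's laptop asserts its local admin uid 501 ...
    print("AUTH_SYS   :", nfs_access(plain, ADMIN_FILE, True, asserted_uid=501))
    print("map-all/ro :", nfs_access(tiger, ADMIN_FILE, True, asserted_uid=501))
    # ... but with Kerberos the server sees the principal, not a client-chosen uid.
    print("krb5       :", nfs_access(krb, ADMIN_FILE, True, principal="mktdir@MAINSERVER.PRETENDCO.COM"))
```

The first line of output is the problem from the scenario (uid 501 gets write access to the admin's file), the second shows how Tiger's mitigation blocks it at the cost of blocking everyone, and the third shows that with a Kerberized export the Marketing Director is resolved to their own directory UID and denied, while Tech A's principal still gets full access to Tech A's own files.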

So, in the end, NFS has finally come full circle. Created initially as a method to quickly transfer files for server-level processing (i.e., imaging and thin-client use), it now offers secure authentication through Kerberos. Of course, if you don't want to use Kerberos, you can still use AFP, SMB, or Kerberized FTP for your file sharing needs. ^_^

Friday, April 06, 2007

Friday Round Up: Kerberos, Hydroponics

Because I haven't posted much of anything this week, I thought I would take today to round up all the topics I would have covered, had I posted them. ^_^ There has been a lot going on this week that I wanted to share, and so little time to post it.

Kerberos
I have to admit, I had never before really got Kerberos. I understand why someone would want a single sign on solution, and why it's necessary to have an authentication system that doesn't pass your password. But it never really made a lot of sense to me until I started working with the Mac OS X Server platform. Why then? Because OS X Server makes initializing Kerberos so relatively easy (more on that later) that utilizing it makes sense.

For those that are not familiar with Kerberos, it's an authentication method that allows for authentication through tickets, instead of username-password authentication packets. The tickets are encrypted, and are time-stamped so that a captured ticket cannot simply be reused later, which keeps the integrity of the system.

Apparently, based on the entries I have seen in various forums, it's a beast to get running properly on any platform. But Mac OS X Server integrates it with the Open Directory Master, so as long as your DNS is working properly (and you have your server's DNS entry in your /etc/hosts file), you can have a relatively consistent Kerberos experience right out of the box. This is great for any small to medium-sized business that is looking for a single sign on solution for their server environment.
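Since the ticket idea is the part that took me longest to get, here is a toy model of the exchange that I have added as an example (it is not code from the original post and not a real Kerberos library). It shows the three properties the paragraphs above talk about: the password never goes over the wire (only a key derived from it is used, and only to unwrap the session key), the ticket carries a validity window, and a time-stamped authenticator is rejected if it is stale or replayed. Stated simplifications: the AS and TGS steps are collapsed into one request, tickets and authenticators are integrity-protected with HMAC-SHA256 instead of being encrypted, and the session key is hidden with an HMAC-derived keystream rather than a real cipher. Every name, password, key and clock value is constructed.

```python
"""Toy model of a Kerberos ticket exchange, added as an example and not taken
from the original post.  Simplifications, stated plainly: the AS and TGS steps
are collapsed into one request; tickets and authenticators are integrity-
protected with HMAC-SHA256 instead of being encrypted; the session key is
hidden with an HMAC-derived keystream rather than a real cipher.  Names,
passwords, keys and clock values are all constructed."""

import hashlib
import hmac
import json
import os

SKEW = 300            # seconds of clock skew the service tolerates (constructed)
LIFETIME = 8 * 3600   # ticket lifetime in seconds (constructed)


def derive_key(password, realm, name):
    """Long-term key from a password; the password itself never crosses the wire."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + name).encode(), 10_000)


def mac(key, payload):
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).digest()


def wrap(key, nonce, data):
    """XOR with an HMAC keystream: only a holder of `key` recovers `data` (stands in for encryption)."""
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


class KDC:
    def __init__(self, user_keys, service_keys):
        self.user_keys, self.service_keys = user_keys, service_keys

    def issue(self, client, service, client_nonce, now):
        """Return a sealed ticket for `service` plus the session key wrapped for `client`."""
        session_key, tnonce = os.urandom(32), os.urandom(16)
        skey = self.service_keys[service]
        ticket = {"client": client, "service": service, "start": now, "end": now + LIFETIME,
                  "nonce": tnonce.hex(), "wrapped_key": wrap(skey, tnonce, session_key).hex()}
        sealed = {"ticket": ticket, "tag": mac(skey, ticket).hex()}
        return sealed, wrap(self.user_keys[client], client_nonce, session_key)


class Client:
    def __init__(self, name, password, realm):
        self.name, self.key = name, derive_key(password, realm, name)

    def get_ticket(self, kdc, service, now):
        nonce = os.urandom(16)
        sealed, wrapped = kdc.issue(self.name, service, nonce, now)
        return sealed, wrap(self.key, nonce, wrapped)     # wrong password -> wrong session key

    def authenticator(self, session_key, now):
        auth = {"client": self.name, "timestamp": now}
        return {"auth": auth, "tag": mac(session_key, auth).hex()}


class Service:
    def __init__(self, name, key):
        self.name, self.key, self.seen = name, key, set()

    def accept(self, sealed, authenticator, now):
        """Return the client name if ticket and authenticator check out, else None."""
        ticket = sealed["ticket"]
        if not hmac.compare_digest(mac(self.key, ticket), bytes.fromhex(sealed["tag"])):
            return None                                   # forged or altered ticket
        if ticket["service"] != self.name or not ticket["start"] <= now <= ticket["end"]:
            return None                                   # wrong service or outside validity window
        session_key = wrap(self.key, bytes.fromhex(ticket["nonce"]), bytes.fromhex(ticket["wrapped_key"]))
        auth = authenticator["auth"]
        if not hmac.compare_digest(mac(session_key, auth), bytes.fromhex(authenticator["tag"])):
            return None                                   # sender does not hold the session key
        if auth["client"] != ticket["client"] or abs(auth["timestamp"] - now) > SKEW:
            return None                                   # name mismatch or stale timestamp
        if authenticator["tag"] in self.seen:
            return None                                   # replayed authenticator
        self.seen.add(authenticator["tag"])
        return ticket["client"]


def demo(password_used="s3cret", issued_at=1_000_000, presented_at=None):
    """Run one exchange; return (first result, result of replaying the same authenticator)."""
    realm, service = "MAINSERVER.PRETENDCO.COM", "nfs/mainserver.pretendco.com"
    nfs_key = os.urandom(32)
    kdc = KDC({"alice": derive_key("s3cret", realm, "alice")}, {service: nfs_key})
    nfs = Service(service, nfs_key)
    now = issued_at if presented_at is None else presented_at
    client = Client("alice", password_used, realm)
    sealed, session_key = client.get_ticket(kdc, service, issued_at)
    auth = client.authenticator(session_key, now)
    return nfs.accept(sealed, auth, now), nfs.accept(sealed, auth, now)
```

Running demo() with the right password returns ("alice", None): the first presentation succeeds and the replay of the same authenticator is refused. A wrong password yields (None, None) because the client unwraps a garbage session key and its authenticator fails the check, and presenting a ticket after its eight-hour window has passed also yields (None, None).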

So, Kerberos is working. Now what? What can you use it for? Well, Mac OS X Server has the following services that are kerberized (compatible with Kerberos):

Directory Services
Apple File Protocol (AFP)
Windows Services (SMB)
Virtual Private Networking (VPN)
Mail
File Transfer Protocol (FTP)
Xgrid

So, you can Kerberize your access to these features. Granted, not everyone in a mixed platform environment can utilize AFP, but almost everyone can utilize Samba in one form or another, so you have your single sign on file server.

Then, you can utilize single sign on for Directory login, or network access. Because Apple's Open Directory is just LDAPv3 (OpenLDAP), directory services can be integrated into any platform. That means you can even integrate your Windows system into Open Directory for a Kerberized login.

VPN defaults to Layer 2 Tunneling Protocol (L2TP), but if you need to, you can set it up for Point-to-Point Tunneling Protocol (PPTP). As you can set up Kerberized access for it either way, both solutions can be very convenient.

Mail is the example used in the Server Essentials Kerberos video. It's easy to see why you would want a kerberized mail system set up for business email, and Mail is all set for Kerberos.

FTP didn't make that much sense to me, except for the fact that it sends the user ID and password in plain text to transfer the files. As it uses your Directory account to control FTP access, it becomes your weakest link. That alone is the best reason to kerberize the service.

I don't have a lot to say about Xgrid, because I haven't ever used it and I don't have an environment that requires it. Needless to say, it looks cool, and anything that is kerberized can't be all bad. ^_^

There is a rumor that the Team server in OS X 10.5 will be kerberized, along with iChat server. If that's the case, it will eliminate most of the weakest links in the services that are used within a business, making the solution that much more attractive to larger businesses.

I'm going to be playing with Kerberos and kerberized services within the next few weeks as I prepare for the Apple Certified Systems Administrator certification, so hopefully I will be able to shed more light on the service.

Hydroponics Update
I just wanted to post that my first experiment with hydroponics and starter plants seems to be working! My cucumbers just started to sprout, and I'm really excited! I figure that the pumpkins will be next, followed by the artichokes and perhaps the pansies. As soon as I get some greenery, I'll post a picture. ^_^

So, that has been my week so far. I'm working on a new server deployment for the classroom, and starting this next week I will be preparing myself for the Office 2007 offerings that we are starting this Summer. For those looking for Office 2007 training (and you will probably need it, as it's so different from previous versions), feel free to check out our offerings at http://continue.utah.edu/edtech!