What You ve Learned

What You've Learned

• Open Directory provides a way to read directory data from most types of network directories.

• Mac OS X Server comes with all the standard Kerberos tools to deal with sharing and reading Kerberos service keys.

• Kerberos prevents a replay attack by containing the IP address in the ticket and having a finite ticket lifetime.

• Keytabs can be combined using the ktutil command.

• kadmin.local is used to configure the KDC in Mac OS X Server to support cross-realm authentication with a KDC running on a third-party server.

• You can use Server Admin to add a Kerberos record on an Open Directory master server and configure the SMB service running on Mac OS X Server to use authentication provided by an Active Directory KDC.

References

Administration Guides

"Mac OS X Open Directory Administration": http://images.apple.com/server/pdfs/Open_Directory_v10.4.pdf

"Mac OS X Server Command-Line Administration": http://images.apple.com/server/pdfs/Command_Line_v10.4.pdf

Apple Knowledge Base Documents

The following Knowledge Base document (located at www.apple.com/support) provides further information about Kerberos and cross-realm authentication.

Document 107702, "Mac OS X Server 10.3 or later: Kerberos authentication may not work after changing to LDAP master or replica, or kerberizing a particular service"

Books

Garman, Jason. Kerberos: The Definitive Guide (O'Reilly, 2003).

URLs

Developer Connection article on Kerberos: http://developer.apple.com/darwin/projects/kerberos

Kerberos: The Network Authentication Protocol: http://web.mit.edu/kerberos/www

Kerberos FAQs: http://web.mit.edu/macdev/Development/MITKerberos/Common/Documentation/faq-osx.html

Kerberos mailing lists: http://web.mit.edu/kerberos/www/mail-lists.html

NIDS and other security systems: www.honeypots.net