Note: Some of the following information pertains to setting up a third-party product. Information about products not manufactured by Apple is provided for information purposes only, and does not constitute Apple's recommendation or endorsement. Please contact the vendor or developer for additional information. This document contains links for getting relevant software and information from the Massachusetts Institute of Technology (MIT).
Macintosh Manager 2.0 introduced the ability for Macintosh Manager clients to authenticate against servers supporting version 4 and version 5 of the Kerberos protocol. This feature allows Macintosh Manager administrators to restrict client workstation access to only those users holding valid Kerberos passwords. With Kerberos enabled, Macintosh Manager client users retain a ticket-granting ticket (TGT) upon successful login, which can be used with other Kerberos-aware services without entering the password again.
System Requirements
- Macintosh Manager 2.0.2 or later client and admin set is required for Kerberos authentication.
- Mac OS X Server 10.0 or later
- Client computers must have MIT Kerberos for Macintosh 3.0 or later installed and set up. Kerberos for Macintosh 3.0 and later requires at least Mac OS 8.1 and a PowerPC-based Macintosh computer. Kerberos for Macintosh may be downloaded from MIT (http://web.mit.edu/macdev/www/kerberos.html).
Server Set Up
Figure 1: The Global Security Tab
To enable Kerberos authentication on Macintosh Manager 2:
1. Open the Macintosh Manager application and connect to a Macintosh Management server.
2. Click the Global tab.
3. Click the "Clients must authenticate using Kerberos" checkbox. With this feature enabled, only clients with a valid Kerberos for Macintosh installation will be able to log in, and a valid Kerberos name and password will be required of users. Client workstations lacking a Kerberos for Macintosh installation will be unable to log in.
Note: The Macintosh Manager administration application may be run from any Mac OS 9 or Mac OS X client and will continue to use directory passwords.
Macintosh Manager 2.0.2 accepts only a directory password for administrators using this feature.
Client Set Up
Figure 2: Kerberos for Macintosh Realm Configuration Dialog
To prepare a client computer, you must set up the Kerberos for Macintosh realm list. To do this, create a Kerberos Preferences file in your Preferences folder containing a list of realms valid for your site. See the MIT Kerberos for Macintosh documentation for details:
http://web.mit.edu/macdev/Development/MITKerberos/Common/Documentation/preferences.html
After defining realms in the Kerberos Preferences file, add any desired realm(s) to the "Favorite Realms" column. Drag the realm containing the users for the client's Macintosh Manager server to the top of the Favorite Realms list, defining it as the default realm. Only the default realm can be used for login authentication with Macintosh Manager.
With Kerberos enabled, all Macintosh Manager client computers and users must have access to a Kerberos Preferences file in a location accessible to Kerberos for Macintosh. Since each user has a unique Preferences folder, drag the Kerberos Preferences file created above to the Application Support folder of each client computer's system folder, sharing the file across all user accounts.
Logging In
In order to log in to a Macintosh Manager client set up to use Kerberos, each user's account must have a short name set in the Server Admin Users & Groups module that exactly matches the name portion of his Kerberos principal. For example, a user named "Ludovic Decker" with the Kerberos principal "luddecker@APPLE.COM" must have his short name set to "luddecker" in Server Admin. When logging in to the Macintosh Manager client, users may enter either their full name or their short name; in either case Kerberos tickets are obtained for the correct principal.
Since a user's Kerberos password does not necessarily match the user's directory password, Macintosh Manager may not be able to connect to a user's home directory automatically in the event of a password mismatch. Should this occur, the client will prompt for the user's directory password in an AppleShare connection dialog. A seamless login can be ensured by having users keep their Kerberos and directory passwords in sync, by specifying no home directories for users, or by using the All Other Users feature. User and home directory information can be stored in any source readable by Directory Services, including LDAP.
The All Other Users feature in Macintosh Manager 2 is a useful means of dealing with large Kerberos user bases. With All Other Users enabled, Kerberos users need not be present in a Directory Services data source or imported into Macintosh Manager to be able to use Macintosh Manager clients. In list login view, users should select the All Other Users account. In "Users type their name" login mode, users should enter their Kerberos name. If users have been imported into Macintosh Manager or are present in a Directory Services data source, they will receive their account and home directory data. If the user is not present in any data source and All Other Users is enabled, a local home directory will be created.
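The following is an added example, not code from Apple or from Macintosh Manager. It models the login rules described above (short name must exactly match the principal's name portion, only the default realm is used, full name or short name may be typed, and All Other Users falls back to a local home) so an administrator can audit directory records against a list of principals before enabling the "Clients must authenticate using Kerberos" option. The realm EXAMPLE.COM, the directory records and the principal list are all constructed for illustration.

```python
"""Audit and resolve Macintosh Manager login names against Kerberos principals.

Added example; it does not call Macintosh Manager or Kerberos for Macintosh.
All names, the realm and the records below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed: the realm dragged to the top of the Favorite Realms list on clients.
DEFAULT_REALM = "EXAMPLE.COM"


@dataclass(frozen=True)
class DirectoryUser:
    """One Server Admin Users & Groups record (constructed sample data)."""
    short_name: str
    full_name: str
    home: Optional[str]  # None means no home directory is specified


# Constructed sample directory. The last record deliberately has a short name
# that does not match its principal, which the audit below should flag.
DIRECTORY: List[DirectoryUser] = [
    DirectoryUser("luddecker", "Ludovic Decker", "afp://server/Homes/luddecker"),
    DirectoryUser("jsmith", "Jane Smith", None),
    DirectoryUser("rkim", "Robert Kim", "afp://server/Homes/rkim"),
]

# Constructed list of principals as an admin might export from the KDC.
KDC_PRINCIPALS = ["luddecker@EXAMPLE.COM", "jsmith@EXAMPLE.COM", "rkim2@EXAMPLE.COM"]


def split_principal(principal: str) -> Tuple[str, str]:
    """Split 'name@REALM' into (name, realm); reject anything without both parts."""
    name, sep, realm = principal.partition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a Kerberos principal: {principal!r}")
    return name, realm


def short_name_matches(user: DirectoryUser, principal: str) -> bool:
    """The article's rule: exact (case-sensitive) match between the directory
    short name and the principal's name portion, and the principal must be in
    the default realm, since only that realm is used for Macintosh Manager login."""
    name, realm = split_principal(principal)
    return realm == DEFAULT_REALM and user.short_name == name


def audit(directory: List[DirectoryUser], principals: List[str]) -> List[str]:
    """Return short names that have no matching principal in the default realm.
    These users would be unable to log in once Kerberos is required."""
    names_in_realm = set()
    for p in principals:
        name, realm = split_principal(p)
        if realm == DEFAULT_REALM:
            names_in_realm.add(name)
    return [u.short_name for u in directory if u.short_name not in names_in_realm]


@dataclass(frozen=True)
class LoginResult:
    principal: str        # principal the client obtains a TGT for
    source: str           # "directory" (account data found) or "local" (All Other Users)
    home: Optional[str]   # home directory to mount, if any


def resolve_login(typed: str, directory: List[DirectoryUser],
                  all_other_users: bool) -> Optional[LoginResult]:
    """Map what the user typed (full name or short name) to the principal and
    account source. Returns None when login would be refused."""
    for u in directory:
        if typed in (u.short_name, u.full_name):
            return LoginResult(f"{u.short_name}@{DEFAULT_REALM}", "directory", u.home)
    if all_other_users:
        # Not in any data source: the typed name is the Kerberos name and a
        # local home directory is created for the session.
        return LoginResult(f"{typed}@{DEFAULT_REALM}", "local", None)
    return None


def needs_directory_password_prompt(result: LoginResult,
                                    passwords_in_sync: bool) -> bool:
    """An AppleShare password prompt appears only when a home directory must be
    mounted and the Kerberos password differs from the directory password."""
    return result.home is not None and not passwords_in_sync


if __name__ == "__main__":
    print("short names without a matching principal:", audit(DIRECTORY, KDC_PRINCIPALS))
    for typed, aou in [("Ludovic Decker", False), ("jsmith", False), ("visitor", False), ("visitor", True)]:
        print(f"{typed!r} (All Other Users={aou}) ->", resolve_login(typed, DIRECTORY, aou))
```

Run the audit before turning on the Kerberos requirement; every short name it reports either needs a principal created in the default realm or its directory record renamed to match, because the match is exact and realm aliasing is not consulted.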