Kerberos is a network authentication protocol developed at MIT to provide secure authentication and communication over open networks. In addition to the standard authentication method, Mac OS X Server uses the Generic Security Services Application Programming Interface (GSSAPI) authentication protocol to implement Kerberos v.5.
For more information on Kerberos
For general information on Kerberos, see MIT's Kerberos Web site (http://web.mit.edu/kerberos/www/).
For Macintosh-specific information, see MIT's Kerberos for Macintosh Web site (http://web.mit.edu/macdev/Development/MITKerberos/Common/Documentation/index.html).
Setting up to use a Kerberos server
You must create and deploy an edu.mit.Kerberos configuration file. It needs to be located in the /Library/Preferences/ folder of every Mac OS X and Mac OS X Server computer that you want to authenticate via Kerberos. This file is not sensitive, so it can be placed on a guest-accessible volume.
For more information on the configuration file, see MIT's Kerberos for Macintosh Web site (http://web.mit.edu/macdev/Development/MITKerberos/Common/Documentation/preferences-osx.html).
You may also consider installing the MIT Mac OS X 10.2 Kerberos Extras, as it will place an example edu.mit.Kerberos file in the /Library/Preferences/ folder.
If you are going to use a keytab file, create a host principal on the KDC and then copy a keytab file from the KDC to /etc/krb5.keytab on the client computer.
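As an added example (not from the original article), the following shell functions check the two files this section deploys: that the configuration file defines a default_realm under [libdefaults], and that the keytab, which holds the host principal's long-term key, is a regular file accessible only by its owner. The function names, the krb5 profile layout of the configuration file, and root (uid 0) as the expected keytab owner are assumptions.

```shell
#!/bin/sh
# Added example: audit a client's Kerberos files after deployment.
# Default paths are the ones named in the article; uid 0 as owner is an assumption.

# check_krb_config FILE: succeed if FILE has default_realm set under [libdefaults].
check_krb_config() {
    conf=$1
    [ -r "$conf" ] || { echo "missing or unreadable: $conf"; return 1; }
    realm=$(awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/) }
        in_lib && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit
        }' "$conf")
    [ -n "$realm" ] || { echo "no default_realm in [libdefaults]: $conf"; return 1; }
    echo "default_realm=$realm"
}

# check_keytab FILE [UID]: succeed if FILE is a regular file (not a symlink),
# owned by UID (default 0), with no group or other permission bits set.
check_keytab() {
    kt=$1; want_uid=${2:-0}
    if [ -L "$kt" ]; then echo "keytab is a symlink: $kt"; return 1; fi
    [ -f "$kt" ] || { echo "no keytab: $kt"; return 1; }
    set -- $(ls -ln "$kt")        # $1 = mode string, $3 = numeric owner
    mode=$1; uid=$3
    case $mode in
        -rw-------*|-r--------*) ;;
        *) echo "keytab mode too open: $mode"; return 1 ;;
    esac
    [ "$uid" = "$want_uid" ] || { echo "keytab owner uid $uid, expected $want_uid"; return 1; }
    echo "keytab ok: $kt"
}

# Run against the article's paths when invoked with the argument "audit".
if [ "${1:-}" = "audit" ]; then
    check_krb_config /Library/Preferences/edu.mit.Kerberos
    check_keytab /etc/krb5.keytab
fi
```

The configuration file can stay world-readable, as the article notes; only the keytab check enforces restrictive permissions.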
Enabling Kerberos Authentication for Login Window
For instructions on how to enable Kerberos Authentication for the Mac OS X 10.2 and Mac OS X Server 10.2 Login Window, see technical document 107154, "Mac OS X 10.2: How to Enable Kerberos Authentication for Login Window".
Setting up Mac OS X Server 10.2 services for use with Kerberos
For instructions on how to configure Mac OS X Server 10.2 services for use with Kerberos, see technical document 107155, "Mac OS X 10.2: How to Integrate Services With Kerberos".
When Kerberos Extras are required
If you plan on using Kerberized Carbon CFM applications, you need to install the MIT Mac OS X 10.2 Kerberos Extras.
For more information, see the MIT Mac OS X Kerberos Extras Web site (http://web.mit.edu/macdev/Development/MITKerberos/Common/Documentation/osx-kerberos-extras.html).
Note: If you installed the MIT Kerberos Extras on existing Mac OS X 10.1 Kerberos clients and have now upgraded to Mac OS X 10.2, you will encounter some unexpected behavior with Kerberized Carbon CFM applications. For more information, see technical document 107156, "Mac OS X: Issues With Kerberized Carbon CFM Applications After Upgrading to Mac OS X 10.2". Once you have updated to Mac OS X 10.2.1, you should install the MIT Mac OS X 10.2 Kerberos Extras.
Important: Information about products not manufactured by Apple is provided for information purposes only, and does not constitute Apple's recommendation or endorsement. Please contact the vendor for additional information.
Document 17159, "Locating Vendor Information", can help you search for a particular vendor's address and phone number.
Related documents
25540: "Mac OS X 10.2.1 or Later: Kerberos Password Does Not Unlock Screen Effects"