Apple Mac OS X Server Network Card User Manual

Chapter 15 Working with Open Directory 263
Using kadmin to kerberize a service
kadmin can be used to kerberize additional services, depending on your specific
configuration requirements. While Mac OS X Server kerberizes many services for you,
you can use Kerberos command-line tools to kerberize additional services with Open
Directory Kerberos.
A kerberized service needs to know its principal name. The service type for most
services is compiled into the binary. Often the server administrator can assume that the
server's principal name is serviceType/fqdn@REALM. For example, the service principal
for the afp server on the host "server.example.com" in the realm "EXAMPLE.COM" is
afpserver/server.example.com@EXAMPLE.COM. However, the service type is service-specific,
and the service documentation is the authoritative place to find it.
To kerberize a service (from a terminal running on that host):
1 Use kadmin to create the service principal.
$ sudo kadmin -p admin_principal -q "addprinc -randkey service-principal"
2 Import the principal key into the keytab file.
$ sudo kadmin -p admin_principal -q "ktadd service-principal"
3 Configure the service to use the new principal. This step is service-specific. Make sure
to check the service documentation for how to perform this step.
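The three steps above, wrapped in shell functions as an added example (not from the Apple manual): the principal name is built from serviceType/fqdn@REALM, the two kadmin commands are run as written above, and the resulting keytab is checked with klist -k so a missing or stale key is caught before the service is configured. The admin principal, host and keytab listing below are constructed placeholders; the klist -k column layout is assumed to be the MIT "KVNO Principal" format.

```shell
#!/bin/sh
# Added example, not part of the Mac OS X Server manual.

# Build a service principal of the form serviceType/fqdn@REALM.
# Realms are upper-case by convention, so the realm argument is normalised.
service_principal() {
    svc_type=$1; fqdn=$2
    realm=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')
    printf '%s/%s@%s\n' "$svc_type" "$fqdn" "$realm"
}

# Given the text printed by `klist -k` ("KVNO Principal" columns), print the
# highest key version number stored for the principal. Returns 1 and prints
# nothing if the principal is not in the keytab at all.
keytab_kvno() {
    principal=$1; listing=$2
    kvno=$(printf '%s\n' "$listing" | awk -v p="$principal" '
        BEGIN { max = -1 }
        $1 ~ /^[0-9]+$/ && $2 == p && $1 + 0 > max { max = $1 + 0; found = 1 }
        END { if (found) print max }')
    [ -n "$kvno" ] || return 1
    printf '%s\n' "$kvno"
}

# Steps 1 and 2 from the manual, then a verification that the key landed in
# the default keytab. kadmin prompts for the admin principal's password.
kerberize_service() {
    admin=$1; svc_type=$2; fqdn=$3; realm=$4
    principal=$(service_principal "$svc_type" "$fqdn" "$realm")
    # Step 1: create the principal with a random key (no human-known password).
    sudo kadmin -p "$admin" -q "addprinc -randkey $principal" || return 1
    # Step 2: export the key into the keytab the service reads.
    sudo kadmin -p "$admin" -q "ktadd $principal" || return 1
    # Check: the principal must now be present in the keytab.
    listing=$(sudo klist -k) || return 1
    kvno=$(keytab_kvno "$principal" "$listing") || {
        echo "error: $principal is not in the keytab" >&2; return 1; }
    echo "kerberized $principal (kvno $kvno)"
}

# Constructed sample of `klist -k` output, used to exercise keytab_kvno offline.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   2 afpserver/server.example.com@EXAMPLE.COM
   3 afpserver/server.example.com@EXAMPLE.COM
   3 host/server.example.com@EXAMPLE.COM'
# Usage on a real host (placeholder admin principal):
#   kerberize_service admin/admin afpserver server.example.com EXAMPLE.COM
```

Running kerberize_service requires kadmin privileges on the host; keytab_kvno can be pointed at the real `klist -k` output at any later time to confirm the service's key is still present.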
Using Directory Service Tools
The following are miscellaneous directory service tools that you can use to configure
directory services and to troubleshoot any problems.
Operating on Directory Service Directory Domains
dscl is a general-purpose tool for operating on directory domains. Its commands allow
one to create, read, and manage directory data. If invoked without any commands,
dscl runs in an interactive mode, reading commands from standard input.
The following examples show some basic dscl tool uses:
To verify that you are able to access an LDAPv3 directory:
$ dscl localhost
> cd /LDAPv3/directory.example.com/Users
> ls
You should see a list of the server's network user accounts.
See the dscl man page for more information.