Apple x Tablet User Manual


 
56 Chapter 3
Setting Up Windows User Authentication
To authenticate Windows users using NetInfo so they can take advantage of the Windows
services on Mac OS X Server, ensure that all the shared domains in your hierarchy reside on
Mac OS X Servers.
Mac OS X Server has two ways to validate Windows users’ passwords:
• Encrypted password validation is preferred because it is the safer method and because it is
the default technique supported by Windows computers on a local area network (LAN).
This technique transmits encrypted passwords between a Windows computer and
Mac OS X Server.
To use encrypted password validation, you enable Authentication Manager for all
domains in the hierarchy and define an encryption key for each domain. When
Authentication Manager is enabled, a tim_passwd property is stored in NetInfo user/
Manager records. It can be decrypted to get the cleartext password using the encryption
key, which is stored in a file on the server that is readable only by root.
• Cleartext password validation should be used only when encrypted transmission of
user authentication information is not important. Windows computers must be
configured individually to support cleartext password validation. See the Windows
documentation for information on how to set up cleartext password validation.
When you use cleartext password validation, passwords are not stored in a recoverable
format. The NetInfo password value, associated with the “passwd” property, is derived
using a one-way hash, which can’t be easily decoded. The one-way hash is deterministic:
the same password always produces the same result, so a submitted password can be
checked by hashing it and comparing the result with the stored value.
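The storage trade-off between the two validation methods, as an added example that is not part of the original manual or Apple's code: a record holding only a one-way hash can check a password that arrives in cleartext, while checking a response computed from the password requires a recoverable copy, so whoever holds the domain key can read every password. Assumptions: PBKDF2, the toy XOR cipher, the HMAC challenge-response exchange, and the names `UserRecord`, `one_way`, `toy_cipher` and `response` are stand-ins; the manual does not specify the actual algorithms.

```python
import hashlib, hmac, secrets

def one_way(password: bytes, salt: bytes) -> bytes:
    # Assumption: PBKDF2 stands in for the one-way hash behind "passwd".
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Assumption: XOR with a SHA-256 counter keystream stands in for the
    # reversible encryption of tim_passwd. Same call encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def response(password: bytes, challenge: bytes) -> bytes:
    # Client side of the assumed exchange: prove knowledge of the password
    # without sending it.
    return hmac.new(password, challenge, hashlib.sha256).digest()

class UserRecord:
    """Constructed model of one user record holding both properties."""
    def __init__(self, password: bytes, domain_key: bytes):
        self.salt = secrets.token_bytes(16)
        self.nonce = secrets.token_bytes(16)
        self.passwd = one_way(password, self.salt)                      # not recoverable
        self.tim_passwd = toy_cipher(domain_key, self.nonce, password)  # recoverable

    def check_cleartext(self, submitted: bytes) -> bool:
        # Cleartext validation: hash what arrived and compare.
        return hmac.compare_digest(one_way(submitted, self.salt), self.passwd)

    def recover(self, domain_key: bytes) -> bytes:
        # Anyone holding the domain key gets the cleartext back.
        return toy_cipher(domain_key, self.nonce, self.tim_passwd)

    def check_encrypted(self, domain_key, challenge, client_response) -> bool:
        # Encrypted validation: the server must recompute the response,
        # which requires the password itself, not its one-way hash.
        expected = response(self.recover(domain_key), challenge)
        return hmac.compare_digest(expected, client_response)
```

The `recover` method is the reason the encryption key file has to stay readable only by root: the key turns every stored `tim_passwd` back into a cleartext password.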
To set up encrypted password validation, enable Authentication Manager on every Mac OS X
computer that participates in the hierarchy. How you accomplish this depends on how many
shared domains are in your hierarchy:
• If a hierarchy has only a root domain that is not cloned, use the procedure in the next
section.
• Otherwise, use the procedure in “Other Hierarchies” on page 57.
For information about Windows services on Mac OS X Servers, refer to Mac OS X Server
Administrator’s Guide.
Simple Hierarchies With No Clones
Enable Authentication Manager on the root domain’s server:
1 Log in to the server as the root user.
2 Open NetInfo Domain Setup.
3 Click the lock icon. In the first authentication dialog, enter a server administrator name and
password. In the second dialog, enter the root user name and password.