Did ya’ know you can Kerberize it?
-
-
Kerberos Management with kadmin.local
Kerberos can be managed interactively with kadmin.local or kadmin. kadmin.local runs on the KDC itself and opens the database directly (so it needs root), while kadmin talks to kadmind over the network and asks you to authenticate as an admin principal; both work on the default realm unless you pass -r with another realm name.
sudo kadmin.local
To see a list of principals:
listprincs
To remove a principal:
delprinc user@YOUR.KERBEROS.DOMAIN
To add a principal to the database:
addprinc user@YOUR.KERBEROS.DOMAIN
addprinc prompts for a password; for a service principal use addprinc -randkey instead, so that no person ever knows the key and it only exists in the database and the keytab you export it to.
-
Managing the Keytab with ktutil
ktutil works on a key list in memory; nothing touches disk until you write it out.
clear_list – Clears the current keylist
read_kt or rkt – Reads a krb5 keytab into the current keylist
read_st or rst – Reads a krb4 srvtab into the current keylist
write_kt or wkt – Writes the current keylist to a krb5 keytab
write_st or wst – Writes the current keylist to a krb4 srvtab
add_entry or addent – Adds an entry to the current keylist (prompts for a password or a raw key)
delete_entry or delent – Deletes an entry from the current keylist
list – Lists the current keylist
list_requests or lr – Lists the ktutil commands available
One gotcha: write_kt appends to an existing keytab rather than replacing it, so if you read a keytab, delete an entry and write it back to the same file you get the old entries plus the new ones. Write to a fresh file and move it into place instead.
-
Mac OS X: Troubleshooting Kerberos
First make sure your clock is within the acceptable skew: by default the KDC rejects anything more than five minutes off, and every tool just reports "Clock skew too great". Then your first set of tools is kinit, kdestroy and kpasswd, or just use Kerberos.app in /System/Library/CoreServices. Next come kadmin and kadmin.local.
-
Kerberos Keys
Kerberos uses symmetric keys to protect what it sends between hosts. There are two kinds. Long-term service keys belong to a principal: the master copy sits in the KDC database and the service's own copy sits in a keytab file on the host that runs the service (on the KDC that is /etc/krb5.keytab). Session keys are short-lived: the KDC (Key Distribution Center) generates a fresh one for each ticket and doles it out to the client and the service as needed, so they never live in a keytab. To see the service keys on a host: klist -k /etc/krb5.keytab. Anyone who can read a keytab can impersonate every service in it, so keep it owned by root with mode 600.
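The keytab that klist -k reads and ktutil edits is a simple binary format, and it is worth knowing what is actually in it. The following is an added example written for this post (not code from the page, from Apple or from MIT): it writes a small keytab in the version 0x0502 format used by current MIT and Heimdal tools, parses it back the way klist -k does, and removes an entry the way the MIT library does in place (negating the entry size and zeroing the body so the key bytes do not linger on disk). The principals, timestamps and key bytes are made up; the keys are not real keys.

```python
"""Read, list and edit MIT Kerberos keytab files (format version 0x0502).

Added example for this post, not code from the original page or from MIT.
The sample keytab below is constructed inline with dummy key bytes."""
import struct
from dataclasses import dataclass
from typing import List

KEYTAB_VERSION = b"\x05\x02"   # v2: big-endian integers, name_type field present


@dataclass
class KeytabEntry:
    principal: str    # e.g. "host/server.example.com@EXAMPLE.COM" (assumed names)
    name_type: int    # 1 = KRB5_NT_PRINCIPAL, 3 = KRB5_NT_SRV_HST
    timestamp: int    # entry creation time, Unix seconds
    kvno: int         # key version number
    enctype: int      # 17 = aes128-cts-hmac-sha1-96, 18 = aes256-cts-hmac-sha1-96
    key: bytes


def _octets(b: bytes) -> bytes:
    """A keytab counted octet string: 16-bit length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def encode_entry(e: KeytabEntry) -> bytes:
    name, realm = e.principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    body += b"".join(_octets(c.encode()) for c in comps)
    body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)  # 8-bit vno
    body += struct.pack(">H", e.enctype) + _octets(e.key)
    body += struct.pack(">I", e.kvno)           # 32-bit vno extension, needed when kvno > 255
    return struct.pack(">i", len(body)) + body  # size is signed: negative marks a deleted slot


def write_keytab(entries: List[KeytabEntry]) -> bytes:
    return KEYTAB_VERSION + b"".join(encode_entry(e) for e in entries)


def _decode_entry(buf: bytes) -> KeytabEntry:
    pos = 0

    def take(fmt):
        nonlocal pos
        vals = struct.unpack_from(fmt, buf, pos)
        pos += struct.calcsize(fmt)
        return vals

    def octets() -> bytes:
        nonlocal pos
        (n,) = take(">H")
        s, pos = buf[pos:pos + n], pos + n
        return s

    (ncomp,) = take(">H")
    realm = octets().decode()
    comps = [octets().decode() for _ in range(ncomp)]
    name_type, timestamp, vno8 = take(">IIB")
    (enctype,) = take(">H")
    key = octets()
    kvno = vno8
    if len(buf) - pos >= 4:                 # MIT rule: a trailing nonzero 32-bit vno wins
        (vno32,) = take(">I")
        if vno32:
            kvno = vno32
    return KeytabEntry("/".join(comps) + "@" + realm, name_type, timestamp, kvno, enctype, key)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %s" % data[:2].hex())
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                        # deleted slot: skip |size| bytes
            pos += -size
            continue
        if pos + size > len(data):
            raise ValueError("truncated keytab entry at offset %d" % pos)
        entries.append(_decode_entry(data[pos:pos + size]))
        pos += size
    return entries


def list_keys(data: bytes) -> List[str]:
    """Rows in the spirit of `klist -k`: kvno, enctype and principal."""
    return ["%4d  etype %d  %s" % (e.kvno, e.enctype, e.principal) for e in parse_keytab(data)]


def remove_principal(data: bytes, principal: str) -> bytes:
    """In-place removal as the MIT library does it: negate the size and zero the
    body, so the key material is wiped rather than left behind in the file."""
    out, pos = bytearray(data), 2
    while pos + 4 <= len(out):
        (size,) = struct.unpack_from(">i", out, pos)
        if size < 0:
            pos += 4 - size
            continue
        if _decode_entry(bytes(out[pos + 4:pos + 4 + size])).principal == principal:
            struct.pack_into(">i", out, pos, -size)
            out[pos + 4:pos + 4 + size] = bytes(size)
        pos += 4 + size
    return bytes(out)


# Constructed sample: two service keys plus a user key whose kvno exceeds 255,
# which exercises the 32-bit vno extension. Key bytes are dummy values.
SAMPLE_KEYTAB = write_keytab([
    KeytabEntry("host/server.example.com@EXAMPLE.COM", 3, 1700000000, 3, 18, bytes(range(32))),
    KeytabEntry("afpserver/server.example.com@EXAMPLE.COM", 3, 1700000000, 3, 17, bytes(range(0x80, 0x90))),
    KeytabEntry("svc-backup@EXAMPLE.COM", 1, 1700000000, 300, 18, bytes(32)),
])

if __name__ == "__main__":
    for row in list_keys(SAMPLE_KEYTAB):
        print(row)
    trimmed = remove_principal(SAMPLE_KEYTAB, "afpserver/server.example.com@EXAMPLE.COM")
    print("after removal:", [e.principal for e in parse_keytab(trimmed)])
```

Point it at a real file with parse_keytab(open("/etc/krb5.keytab", "rb").read()) and you get the same principals klist -k shows, plus the enctypes and raw keys, which is exactly why the file must not be world-readable.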
-
What is a Kerberos Realm
A realm is the administrative domain that one Kerberos database covers. The database lives on one computer (the KDC) and can be replicated to read-only slave KDCs (kinda' like a cluster). Each realm has the following files under /private/var/db/krb5kdc/:
.k5.FQDN.OF.REALM (the stash of the master key that encrypts the database; as sensitive as the database itself, so root-only)
kdc.conf (configuration file for the KDC)
kadm5.acl (access control list naming which principals may administer the realm through kadmin, and what each may do)
-
Mac OS X Server: Kerberos Realm Name
Mac OS X Server automatically takes the FQDN of the machine, in upper case as realm names conventionally are, and uses that as the Kerberos realm name.
-
Download Kerberos
Download it here: http://web.mit.edu/kerberos/dist/ The MIT tarballs come with detached PGP signatures; verify one before you build.
-
Build Your Own PAM for OS X
Despite the deep hatred for the in-state rival, I must admit that Georgia Tech has done something nice for the community here: http://www.math.gatech.edu/~villegas/pam_krb5
-
Mac OS X Server: Remove OD
You can fully remove OD with the following command:
slapconfig -destroyldapserver
Warning – this wipes all of the directory data, including the Kerberos realm that an Open Directory master hosts, so have a backup for most scenarios where you're using this!!!