Kerberos and Apple Single Sign-On | Apple Mac OS X Server instruction

Kerberos and Apple Single Sign-On

Built into Open Directory is a robust authentication server that uses MIT’s Kerberos Key Distribution Center (KDC)—providing strong authentication with support for secure single sign-on. That means users need authenticate only once, with a single user name and password pair, for access to a broad range of Kerberized network services.

The following tools are available for setting up your Kerberos and Apple single sign-on environment. For more information about a tool, see the related man page.

Tool (in usr/sbin/)	Description
kdcsetup	Creates necessary setup files and adds krb5kdc and kadmind
	servers for the Apple Open Directory KDC.

sso_util	Sets up, interrogates, and tears down the Kerberos configuration
	within the Apple single sign-on environment.

kerberosautoconfig	Creates the edu.mit.Kerberos file based on the Open Directory
	KerberosClient record.

Backing Up the Kerberos Database

kdb5_util is a tool for maintaining the Kerberos database. The kdb5_util tool is useful for dumping the principal database to text to get a reliable backup. Keep in mind that the data in question is extremely sensitive—creating a copy of it, by definition, decreases your overall security. These backups should be subject to the same security precautions as the other KDC files.

Note: Do not back up the KDC while the krb5kdc process is running.

To dump the KDC’s database:

Replace /path/to/secure/backup with the path to the location you are backing up the database to.

$ sudo kdb5_util dump > /path/to/secure/backup

To load KDC data from a dumped file:

Replace /path/to/secure/backup with the path to the location of your backup database.

$ sudo kdb5_util load /path/to/secure/backup

kdb5_util can be used to create and delete Kerberos databases and to manage the location of the stash file used to encrypt the database as well.

Chapter 15 Working with Open Directory

261

Image 261

Apple Mac OS X Server Kerberos and Apple Single Sign-On, Backing Up the Kerberos Database, To dump the KDC’s database

Contents

Mac OS X Server Apple Computer, Inc Apple Computer, Inc. All rights reserved Contents Locating Computers for Installation Installing Server SoftwareSpecifying the Target Computer Volume Preparing the Target Volume for a Clean Installation Configuring Network Interfaces Setting Network PreferencesViewing or Changing Media Settings Managing Network Port Configurations Mounting and Unmounting Volumes Working with Disks and VolumesMounting Volumes Unmounting Volumes 141 Listing Connected Users 142 163 171 214 Apache Tomcat JBoss Server 215 MySQL Database Contents 265 Configuring the Active Directory Plug-In Appendix GlossaryIndex Contents About This Guide Commands and Other Terminal Text Using This GuideCommand Parameters and Options Understanding Notation Conventions Commands Requiring Root Privileges Default Settings Create and manage users, groups, and computer lists. Set up Install Mac OS X Server and set it up for the first timeThis guide Tells you how to Earlier versions of the server Set up and manage QuickTime streaming services Manage directory and authentication services This guide Tells you how to Opening Terminal Executing Commands Path string Description Specifying Files and FoldersTest.c file in the current folder Folder Modifying Flow Control Redirecting Input and OutputRedirect Description Following command in a Terminal window Using Environment Variables Executing Commands and Running Tools Repeating Commands Correcting Typing ErrorsIncluding Paths Using Drag and Drop Searching for Text Within a File Terminating Commands An example of a configured crontab fileScheduling Tasks Sending Commands to a Remote Computer Viewing Command InformationTo access a man $ hdiutil help $ dig -h $ diff --help Executing Commands How SSH Works Understanding Secure Shell Password-Less Logins Using SSH Keys Updating SSH Key Fingerprints Controlling Access to SSH Service What is an SSH Man-in-the-Middle Attack? Using SSH Connecting to a Remote ComputerTo access a remote computer using ssh You’re prompted for the user’s password To enable Telnet access Using TelnetTo disable Telnet access To access a remote computer using telnet To use installer to install Mac OS X Server software Installing Server Software Locating Computers for Installation Preparing the Target Volume for a Clean Installation Specifying the Target Computer VolumeTo list volumes available for server software To list computers on the local network Automating Server Setup Installing from Multiple CDsRestarting After Installation To save a configuration file during server setup Creating a Configuration File Installing Server Software and Finishing Basic Setup Customizing a Configuration File Working with an Encrypted Configuration FileTo provide a passphrase in a file To provide a passphrase interactively Sample Configuration File Installing Server Software and Finishing Basic Setup Installing Server Software and Finishing Basic Setup Storing a Configuration File in an Accessible Location Configuring the Server Remotely from the Command Line Changing Server Settings Using the serversetup ToolUsing the serveradmin Tool General and Network Preferences Viewing, Validating, and Setting the Software Serial NumberTo display the server’s software serial number To set the server software serial number To install an update To check for available updatesUpdating Server Software To validate a server software serial number Moving a Server Installing Server Software and Finishing Basic Setup Automatic Restart Restarting a ComputerTo restart the local computer To restart a remote computer immediately Changing a Remote Computer’s Startup Disk Shutting Down a ComputerManipulating Open Firmware Nvram Variables Folder Usage Monitoring and Restarting Critical Services Restarting or Shutting Down a Computer Viewing or Changing the Date and Time Viewing or Changing the Computer NameTo display the computer name To change the computer name Viewing or Changing the System Time Viewing or Changing the System DateViewing or Changing the System Time Zone Viewing or Changing Network Time Server Usage Viewing or Changing the Energy Saver Settings Viewing or Changing Sleep SettingsViewing or Changing Automatic Restart Settings Viewing or Changing the Startup Disk Settings Changing the Power Management Settings Viewing or Changing the International Settings Viewing or Changing the Sharing SettingsViewing or Changing Remote Login Settings Viewing or Changing Apple Event Response Viewing and Changing the Login Settings Disables the buttons and 1 enables the buttonsTo view the current setting Configuring Network Interfaces Setting Network Preferences Managing Network Interface Information Viewing Port Names and Hardware AddressesViewing or Changing MTU Values Viewing or Changing Media Settings Managing Network Port ConfigurationsCreating or Deleting Port Configurations Activating Port Configurations Managing TCP/IP Settings To change the order of the port configurationsChanging a Server’s IP Address To change a server’s IP address Run the changeip toolTo change the IP address of a standalone server To view TCP/IP settings for port en0 To list TCP/IP settings for a configurationTo view TCP/IP settings for a particular port or device To change TCP/IP settings for a particular port or device Viewing or Changing DNS Servers Enabling TCP/IP Working with VLANsIeee 802.3ad Ethernet Link Aggregation Configuring Ethernet Link Aggregation Configuring a Network Interface Managing Snmp Settings Managing AppleTalk Settings Open the /etc/hostconfig file Locate the line Installing SnmpStarting Snmp Immediately above it, add this line To start the snmp agent manually Configuring SnmpTo identify the process id To stop snmpd To view the snmp.conf file Collecting Snmp Information from the HostTo start snmpd, execute this as root Other options in the menu you were working in are Viewing or Changing FTP Proxy Settings Managing Proxy Settings Viewing or Changing Secure Web Proxy Settings Viewing or Changing Web Proxy SettingsViewing or Changing Streaming Proxy Settings Viewing or Changing Gopher Proxy Settings Managing AirPort Settings Viewing or Changing Socks Firewall Proxy SettingsViewing or Changing Proxy Bypass Domains Managing the Computer, Host, and Bonjour Names Computer NameHostname Command displays 0 if the name was changed Managing Preference Files and the Configuration DaemonBonjour Name To display the server’s Bonjour name Changing Network Locations To set the hostname of a systemTo get the hostname of a system This example, the network location will switch to AirPort To view the current locationsComputer will respond with output similar to the following Understanding Disks, Partitions, and the File System Mounting and Unmounting Volumes Unmounting Volumes Mounting VolumesTo unmount a volume To view a list of currently mounted file systems Displaying Disk Information To enable diskspacemonitorMonitoring Disk Space To display disk information Reclaiming Disk Space Using Log-Rolling Scripts Erasing, Modifying, Verifying, and Repairing Disks To get mount info about a partition To mount a driveTo erase and repartition a disk Command Description To format a Mac OS Extended volume as case-sensitive HFS+Partitioning and Formatting Disks Partitioning a Disk Labeling a Disk Checking for Disk ProblemsFormatting a Disk To fomat a disk Enabling Journaling for an Existing Volume Checking to See If Journaling is EnabledTo see if journaling is enabled To enable journaling Understanding Spotlight Technology Enabling Journaling When You Erase a DiskDisabling Journaling Enabling and Disabling Spotlight Performing Spotlight Searches To enable Spotlight on your serverRestart your server To view the metadata of a file Controlling Spotlight Indexing Managing RAID Volumes Imaging and Cloning Volumes Using ASR To image a boot volumeTo repair a failed mirror To restore a volume from an image Understanding Accounts Working with Users and Groups Creating a Local Administrator User Account for a Server Administering and Creating AccountsTo create a local administrator user account To create an local administrator user with a specific UID To create a domain administrator user account Creating a Domain Administrator User Account Creating a Nonadministrator User Account Checking a User’s Administrator PrivilegesTo find the Guid of the administrator user To see if a user is a server administrator Specify the user ID, replacing 1234 with the new user’s ID 102 Removing a User Account Retreiving a User’s GuidTo retrieve a user’s Guid Review the Guid for a particular user Revoking a User’s Right to Access His or Her Account Disable the user account by entering the following commandTo prevent a user from logging To terminate all of a user’s processes To reenable a user account that is disabled Checking a Server User’s Name, UID, or Password Modifying a User Account To change a user account attribute to a new valueAttribute Description To create a mobile account Creating a Mobile User Account To flush the cache Managing Home FoldersCreating a User’s Home Folder To create a home folder for a particular user To create a home folder for users in the local domain Administering Group AccountsMounting a User’s Home Folder To mount a user’s shared home directory on an AFP server To add a group account Creating a Group Account You can remove group accounts by using the dscl tool Removing a Group AccountTo remove a group account You can add users to a group using the dscl tool Adding a User to a GroupTo add a user to a group You can remove users from a group by using the dscl tool Removing a User from a GroupTo remove a user from a group Review the new settings of the group Creating and Deleting Nested Group To create a nested groupTo verify a nested group To unnest a group Editing Group RecordsTo display the information about a particular group To delete a group Creating a Group Folder Viewing the Workgroup a User Selects at LoginTo create a group folder See the CreateGroupFolder man page for more information To import users and groups Importing Users and Groups Creating a Character-Delimited User Import File Writing a Record DescriptionNumber of attributes in each account record 121 Using the StandardUserRecord Shorthand Using the StandardGroupRecord ShorthandAn example user account looks like this Setting Permissions Some examples of permission settingsViewing Permissions Use one of the following values to set the permission level Setting the umask for Individual Users Changing Permissions Use the chmod tool to change permissions for an itemSee the chmod man page for more information Changing the Owner Securing System AccountsChanging the Group Securing Initial System Accounts Enter the root password when prompted To disable root loginSecuring the Root Account Restricting Use of the sudo Tool Securing Single-User Boot Setting Password Policy To set the Open Firmware password for increased securityComputer should restart and display the login window To view the global password policy To change a user’s passwordTo set the minimum password length to 5 characters To set a more secure global password policy Finding User Account Information Access the help prompt and enter the command nameSee the pwpolicy man page for more information To query for a user by name 132 Managing Share Points Working with File Services Creating a Share Point Listing Share PointsTo list existing share points To create a share point Modifying a Share Point To change share point settings Starting and Stopping AFP Service Managing the AFP ServiceChecking AFP Service Status Viewing AFP Settings List of AFP Settings Changing AFP SettingsTo change a setting To change several settings Authentication mode. Can be Allow an administrator user to masquerade as another userWhether the AFP service should restart automatically when Location of the error log Login greeting message Record user logins in the activity logLast time the login greeting was set or updated Default = -1unlimited List of AFP serveradmin Commands Listing Connected Users To list connected usersValue returned by getConnectedUsers Sending a Message to AFP Users Disconnecting AFP UsersTo send a message To disconnect users To cancel a user disconnect Canceling a User DisconnectComputer will repond with the following output Value Description Listing AFP Service Statistics To list service statistic samplesComputer will respond with the following output To view the latest entries in a log Viewing AFP Log FilesTo display the log paths Value displayed by Starting and Stopping NFS Service Managing the NFS ServiceChecking NFS Service Status Viewing NFS Service Settings Starting FTP Service Managing the FTP ServiceStopping FTP Service Checking FTP Service Status Changing FTP Service Settings List of FTP Service SettingsParameter ftp Description Displays a banner message that appears when Directory in which the FTP content is storedPrompted to log in to the FTP. Customize to your Own preferences List of FTP serveradmin Commands Viewing the FTP Transfer LogChecking for Connected FTP Users Starting and Stopping SMB/CIFS Service Managing the SMB/CIFS ServiceChecking SMB/CIFS Service Status Viewing SMB/CIFS Service Settings Changing SMB/CIFS Service Settings List of SMB/CIFS Service SettingsParameter smb Description Advanced pane of Windows service settings in the Server Browser service. Can be set toLow errors and warnings only Medium service start and stop, authentication failures Pane of the Windows service settings in the Server Admin Server’s NetBIOS name. Can be set to a maximumWindows service settings in the Server Admin This corresponds to the Wins Registration Off and Enable Listing SMB/CIFS Users List of SMB/CIFS serveradmin Commands Listing SMB/CIFS Service Statistics Disconnecting SMB/CIFS UsersTo list SMB/CIFS connections Computer responds with the following output Location of the SMB service log Viewing SMB/CIFS Service LogsLocation of the name service log Managing ACLs Following are the permissions applicable to folders Using chmod to Modify ACLsTo grant a user write permission for a file To deny a guest read permission for a file Output should look like the following To view the ACL of a file 160 Understanding the Print Process Working with the Print Service Starting and Stopping Print Service Performing Print Service TasksTo start print service To stop print service Checking the Status of Print Service Viewing Print Service SettingsChanging Print Service Settings Parameter print Description Print Service Settings Parameter printDescription Queue Data Array Managing the Print Service Command printcommand= DescriptionFollowing is an example of a queue array parameter block Listing Queues Pausing a QueueListing Jobs and Job Information To pause a queue Holding a Job To hold a jobTo release the job Viewing Print Service Log Files Viewing Cover PagesTo obtain a list of available cover pages 170 Starting and Stopping NetBoot Service Understanding the NetBoot ServiceTo start NetBoot service To stop NetBoot service Checking NetBoot Service Status Viewing NetBoot SettingsChanging NetBoot Settings Volume parameter array Changing General Netboot Service SettingsParameter netboot Description Storage Record Array Image Record Array Filters Record Array Enabling NetBoot 1.0 for Older NetBoot Clients To enable NetBootPort Record Array Using hdiutil to Work with System Images Booting from an ImageWorking with System Images Updating an Image Imaging Multiple Clients Using Multicast asr Using asr to Restore System Images To configure a client to receive a multicast stream Choosing a Boot Device Using systemsetup Postfix Agent Understanding the Mail Service Mailman Cyrus Starting and Stopping Mail Service Managing the Mail ServiceChecking the Status of Mail Service Viewing Mail Service Settings Parameter mail Description Mail Service Settings Default = 1s Default = 500sDefault = domain Default = += Default = postfix Default = 0sDefault = 1000s Default = -=+ Default = flush Default = flockDefault = 60s Default = postdrop Default = /usr/bin Default = 10sDefault = mail Default = none Default = 7d Default = smtpDefault = qmgr Default = fcntl Default = showq Default = errorDefault = 5d Default = host Default = active Default = incomingDefault = deferred Default = bounce Default = $home Default = virtualDefault = rewrite Default = 600s Default = hash Default = 30sDefault = Default Default = c Default = auxprop Default = cyrus 193 Mail serveradmin Commands Listing Mail Service StatisticsTo list samples Default = srvr.log Viewing the Mail Service LogsTo display the log locations Location of the server log Backing Up the Mail Files Reconstructing the Mail Database Setting Up SSL for Mail Service Generating a CSR and Creating a KeychainEnter a key size at the next prompt, and then press Return 199 Obtaining an SSL Certificate Accessing the Server CertificatesImporting an SSL Certificate into the Keychain To import an SSL certificate into the keychain See the certadmin man page for more information Creating a Password FileTo create a password file To list the certificates stored in the System keychain Enabling Sieve Scripting Configuring Mailboxes Reload the mail service To enable Sieve supportEnabling Sieve Support Sample Sieve Scripts Basic Sort and Anti-Junk Mail Filter Script Self-Defined Forwarding Script Sieve Scripting Resources 206 Files Location Understanding Web Technology Starting and Stopping Web Service Managing the Web ServiceChecking Web Service Status Viewing Web Settings Changing Web Settings Serveradmin and Apache SettingsChanging Settings Using serveradmin Viewing Service Logs Web serveradmin CommandsViewing Service Statistics Listing Hosted Sites V1-Number of requests per second Value you want to display. Valid valuesV2-Throughput bytes/sec V3-Cache requests per second Example Script for Adding a Website Addsite FileAddsite.in File To run the script Tuning the Server Performance Apache Tomcat Working with Application Servers and JavaJBoss Server To start Apache Tomcat MySQL Database To install the default databaseTo start JBoss, enter the following To stop JBoss, enter the following To create a database To set the root passwordTo set the network option To start mysqld Managing Network Services Working with Network Services Starting and Stopping Dhcp Service Managing the Dhcp ServiceChecking the Status of Dhcp Service Viewing Dhcp Service Settings Dhcp Service Settings Changing Dhcp Service SettingsTo see a list of available service settings To change a single Dhcp setting Dhcp Subnet Settings Array About Subnet IDsSubnet Parameter Not set default General pane of the subnet settings in the ServerWins pane of the subnet settings in the Server Lease time in seconds Adding a Dhcp Subnet Corresponds to the NetBIOS Scope ID field in the WinsTo add a subnet Domain name such as apple.com Adding a Dhcp Static Map To add a static mapAbout Static Map IDs Viewing the Dhcp Service Log List of Dhcp serveradmin CommandsCommand Dhcpcommand=Description Determine the location of the Dhcp service logs Starting and Stopping the DNS Service Managing the DNS ServiceChecking the Status of DNS Service Viewing DNS Service Settings DNS Service Settings Changing DNS Service SettingsList of DNS serveradmin Commands Viewing the DNS Service Log Managing the Firewall Service Configuring IP Forwarding Checking the Status of Firewall Service Starting and Stopping Firewall ServiceViewing Firewall Service Settings Firewall Startup Changing Firewall Service Settings Firewall Service SettingsParameter ipfilter Description Defining Firewall Rules Ipfilter Groups with Rules ArrayAdding Rules by Modifying ipfw.conf Unmodified ipfw.conf file Ping cracker.evil.org to determine its IP address Adding Rules Using serveradminTo add a rule An example of this would be similar to the following Ipfilter Rules Array Firewall serveradmin Commands Viewing Firewall Service Log Managing the NAT ServiceUsing Firewall Service to Simulate Network Activity Location of the ipfilter service log Checking the Status of NAT Service Starting and Stopping NAT ServiceViewing NAT Service Settings Changing NAT Service Settings NAT Service Settings NAT serveradmin CommandsParameter nat Description Port Mapping Viewing the NAT Service Log Starting and Stopping VPN Service Managing the VPN ServiceChecking the Status of VPN Service Viewing VPN Service Settings List of VPN Service Settings Changing VPN Service SettingsDefault = Keychain Default = IPSec Default = L2TP Default = ManualDefault = PPP Default = Dsacl Default = Pptp Default = MppeDefault = EAP-RSA Viewing the VPN Service Log List of VPN serveradmin CommandsVPN Service Log on this Restarted. See Using the serveradmin Tool on Configuring Site-to-Site VPN Location of the VPN service logSite-to-Site VPN Adding a VPN Keyagent User IP Failover Prerequisites Setting Up IP FailoverIP Failover Operation Hardware Requirements Enabling IP Failover To enable IP failover Configuring IP Failover Notification OnlyPre and Post Scripts Restoring the Default Configuration for Server Services To restore the NAT service to its default configurationEnabling PPP Dial-In Re-create the two default records To restore the Dhcp service to its default configurationTo restore the Qtss service to its default configuration To restore the DNS service to its default configuration To restore the VPN service to its default configuration Using General Directory Tools Testing Your Open Directory ConfigurationUnderstanding Open Directory Changing Open Directory Service Settings Testing Open Directory Plug-insModifying a Directory Domain Registering URLs with SLP PasswordOptionsString Configuring LdapLDAPTimeoutUnits Default = minutes LDAPServerBackend Managing OpenLDAP Configuring slapd and slurpd Daemons Standard Distribution ToolsTool Used to Idle Timeout Delay RebindIdle Rebinding Options Searching the Ldap Server 256 257 Using Ldif Files Configuring NetInfo Managing NetInfoAdditional Information About Ldap Open Directory Password Server Managing Open Directory PasswordsViewing or Changing Password Policies Enabling or Disabling Authentication Methods Backing Up the Kerberos Database Kerberos and Apple Single Sign-OnTo dump the KDC’s database To load KDC data from a dumped file Principal Management To add a service principalTo add a principal To delete a principal Operating on Directory Service Directory Domains Using Directory Service ToolsUsing kadmin to kerberize a service To kerberize a service from a terminal running on that host Manipulating a Single Named Group Record Finding Network Information Configuring the Active Directory Plug-In Adding or Removing Ldap Server ConfigurationsTo add an Ldap server To remove an Ldap server 266 Understanding QuickTime Streaming Server Performing Qtss Service Tasks Checking Qtss Service Status Starting and Stopping the Qtss ServiceViewing Qtss Settings Changing Qtss Settings Descriptions of Settings Qtss SettingsDefault = qtaccess Look in the sample file for Default = admin Default = digest Managing Qtss Default = qtssListing Current Connections Logs on Viewing Qtss Service Statistics For connections v1, this is integer average numberConnections Forcing Qtss to Reread its Preferences Send a HUP signal to this processTo force Qtss to reread its preferences List the Qtss processes Resetting the Streaming Server Admin User Name and Password Configuring Streaming SecurityTo set up Sites/Streaming/ in older home folders To reset the user name and password Creating an Access File Controlling Access to Streamed Media Quotation marks Between terms, make sure you enclose the entire messagePath and filename of the user file Qtusers Adding User Accounts and Passwords Accessing Protected MediaAdding or Deleting Groups Making Changes to the User or Group File Creating Reference Movies Manipulating QuickTime and MP4 MoviesCreate QuickTime Atom ref movie with extension .qtl Create XML text ref movie with extension .qtl 280 Configuring Your System Logging Configuring the Log File Local Logging To enable remote logging on a client computer Configuring Remote Logging on a Client ComputerConfiguring Remote Logging on a Server Remote Logging Open /etc/rc and locate the following line Or match a single host like this PCI RAID Card Command Reference 286 287 288 Computer account See computer list Glossary Directory node See directory domain Full name See long name 292 293 294 Relay point See open relay Search path See search policy 297 298 Securing Chgrp tool ACL access control list Access136 Example Stopping service Naming 41 Restoring images Logs Lpr Backup Cyrus Mail files Error messages command not found Executing commands Dynamic Host Configuration Protocol. See DhcpImage Booting from 176 updating Disk journaling Backing up Principal management 262 tools and utilities Kerberosautoconfig tool 261 keychain QuickTime Streaming Server. See Qtss 302 AFP DNS Used by ldapsearch 255 scheduling tasks Time, viewing or changing 57 Stopping service 239 Terminating commandsViewing service logs Tools for remote configuration