Kerberos with Mac OS X (10.2)
tperf at twocanoes.com
Tue Sep 17 15:55:06 EDT 2002
On Tuesday, September 17, 2002, at 12:04 PM, Steve Langasek wrote:
> On Tue, Sep 17, 2002 at 11:44:14AM -0700, timothy perfitt wrote:
>> My question is this: does the name of a service, ie ftpd, have to be
>> part of the principal name of the service (ie
>> ftpd/somehost.foo.com at FOO.COM)?
> This is application-specific. Some use host/fqdn as their service
> principal; some use an app-specific principal; some have configurable
> behavior. What ftp server are you using?
The ftp server on Mac OS X Server is xftpd. When connecting, you get
this tag line:
server (Version: Mac OS X Server 10.2 - +GSSAPI) ready.
Apple says that the mail server on Mac OS X is Kerberized, as well as
ftp (xftpd) and AFP (Apple File Protocol) service.
From what you wrote, I may need an app-specific service principal for
each service, or the host/FQDN may do, depending on how the service was
kerberized. That would make sense with the error messages I am getting
for the Mail Server.
>> Do I even need a service key in krb5.keytab on the server?
> You need to have one in *some* keytab on the server. Unless otherwise
> configured, this should be krb5.keytab.
I have tried many different service principals in the krb5.keytab,
using host/FQDN or <servicename>/FQDN, and lots of others. All of them
gave the same error message (except when I removed the krb5.keytab
file, I got an error that it didn't exist, which tells me that it is at
least being referenced!).
The error message was from the Apple Mail Server service. Now that I
realized that may be application specific, I'll focus on getting xftpd
up and running.
>> My understanding is that Kerberos provides assurance that a specific
>> user on a specific host is authorized to connect to a specific server.
> Um... no. Kerberos *authenticates* users, so that the server has
> assurance of the client's identity. It says nothing about what access
> they should be granted (authorization), just determines who they are.
I was a bit confused as to why the client passes along the ticket for a
service that it got from the KDC. I thought this meant that the
client is authorized to talk to the server. I now realize that this is
to prove to the server (or service) that the client talked to the KDC
and the KDC encrypted the user's credentials with the server's key to
give a secure way of providing the user's username to the service.
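The exchange the thread arrives at (ticket sealed under the service's key, server looks up the key for the principal name *it* expects in its keytab, authentication separate from authorization), modelled as an added example that is not part of the original post and not code from Apple's xftpd or MIT Kerberos. The cipher is a toy (SHA-256 keystream plus HMAC tag standing in for a real enctype), the AS exchange is skipped, and the realm, host, principal names, keys, clock value and ACL are all constructed for the example:

```python
"""Toy model of the Kerberos service-ticket exchange discussed above.
Added illustration, not Apple or MIT code: a SHA-256 keystream with an
HMAC tag stands in for a real enctype, and all names, keys, the clock
and the ACL are constructed."""
import hashlib
import hmac
import json
import os

REALM = "FOO.COM"            # realm and host names as used in the thread
HOST = "somehost.foo.com"

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object under `key` (toy enctype)."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key, blob):
    """Check the tag, then decrypt; the wrong key fails the tag check."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    return json.loads(bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body)))))

class KDC:
    """Holds each principal's long-term key and issues service tickets."""
    def __init__(self):
        self.db = {}
    def add_principal(self, name):
        self.db[name] = os.urandom(32)
        return self.db[name]
    def service_ticket(self, client, service, now):
        # Sealed under the *service's* key: only a server holding that key in
        # its keytab can open it, which is what proves the KDC was involved.
        session_key = os.urandom(32)
        ticket = seal(self.db[service], {"client": client,
                                         "session_key": session_key.hex(),
                                         "expires": now + 600})
        return ticket, session_key

def ap_req(client, ticket, session_key, now):
    """Client side: the ticket plus an authenticator under the session key."""
    return ticket, seal(session_key, {"client": client, "timestamp": now})

class KerberizedService:
    """Server side. `principal` is the name this application looks up in its
    keytab: app-specific (ftpd/fqdn) or generic (host/fqdn)."""
    def __init__(self, principal, keytab, acl):
        self.principal, self.keytab, self.acl = principal, keytab, acl
    def accept(self, ticket, authenticator, now):
        if self.principal not in self.keytab:
            raise LookupError(f"no key for {self.principal} in keytab")
        t = unseal(self.keytab[self.principal], ticket)
        if t["expires"] < now:
            raise ValueError("ticket expired")
        a = unseal(bytes.fromhex(t["session_key"]), authenticator)
        if a["client"] != t["client"] or abs(a["timestamp"] - now) > 300:
            raise ValueError("authenticator does not match ticket")
        # Authentication done: t["client"] is who the KDC vouches for. Whether
        # that identity may use the service is a separate, local decision.
        return t["client"], t["client"] in self.acl

def demo():
    """Exercise the situations the thread runs into; returns each outcome."""
    now = 1_032_000_000                       # fixed clock, constructed
    kdc = KDC()
    alice = f"alice@{REALM}"
    ftpd_p, host_p = f"ftpd/{HOST}@{REALM}", f"host/{HOST}@{REALM}"
    ftpd_key, host_key = kdc.add_principal(ftpd_p), kdc.add_principal(host_p)

    def attempt(service, ticket_for):
        ticket, sk = kdc.service_ticket(alice, ticket_for, now)
        try:
            return service.accept(*ap_req(alice, ticket, sk, now), now)
        except (LookupError, ValueError) as exc:
            return str(exc)

    good = KerberizedService(ftpd_p, {ftpd_p: ftpd_key}, {alice})
    no_ftpd_key = KerberizedService(ftpd_p, {host_p: host_key}, {alice})
    empty_acl = KerberizedService(ftpd_p, {ftpd_p: ftpd_key}, set())
    return {
        "right_principal": attempt(good, ftpd_p),       # authN and authZ both pass
        "wrong_keytab": attempt(no_ftpd_key, ftpd_p),   # keytab has only host/fqdn
        "wrong_service_ticket": attempt(good, host_p),  # host/fqdn ticket shown to ftpd
        "authenticated_not_authorized": attempt(empty_acl, ftpd_p),
    }
```

The `wrong_keytab` case is the one the thread circles around: the server fails before it ever looks at the ticket, because the name it asks the keytab for is the application's choice, not the client's. The `wrong_service_ticket` case shows why a ticket for host/fqdn cannot simply be reused against an application that expects ftpd/fqdn: it was sealed under a different key. The last case separates the two questions Steve Langasek distinguishes: the identity is proven, and the ACL decision is made afterwards by the service itself.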