Kerberos with Mac OS X (10.2)

timothy perfitt tperf at
Tue Sep 17 15:55:06 EDT 2002

On Tuesday, September 17, 2002, at 12:04  PM, Steve Langasek wrote:

> On Tue, Sep 17, 2002 at 11:44:14AM -0700, timothy perfitt wrote:
>> My question is this:  does the name of a service, ie ftpd, have to be
>> part of the principal name of the service (ie
>> ftpd/ at FOO.COM)?
> This is application-specific.  Some use host/fqdn as their service
> principal; some use an app-specific principal; some have configurable
> behavior.  What ftp server are you using?

The ftp server on Mac OS X Server is xftpd.  When connecting, you get 
this tag line:
server (Version:  Mac OS X Server 10.2 - +GSSAPI) ready.

Apple says that the mail server on Mac OS X is Kerberized, as well as 
ftp (xftpd) and AFP (Apple File Protocol) service.

 From what you wrote, I may need a app specific service principal for 
each service, or the host/FQDN may do, depending on how the service was 
kerberized.  That would make sense with the error messages I am getting 
for the Mail Server.

>> Do I even need a service key in krb5.keytab on the server?
> You need to have one in *some* keytab on the server.  Unless otherwise
> configured, this should be krb5.keytab.

I have tried many different service principals in the krb5.keytab, 
using host/FQDN or <servicename>/FQDN, and lots of others.  All of them 
gave the same error message (except when I removed the krb5.keytab 
file, I got an error that it didn't exist, which tells me that it is at 
least being referenced!).

The error message was from the Apple Mail Server service.  Now that I 
realized that may be application specific, I'll focus on getting xftpd 
up and running.
>> My understanding is that Kerberos provides assurance that a specific
>> user on a specific host is authorized to connect to a specific server.
> Um... no.  Kerberos *authenticates* users, so that the server has
> assurance of the client's identity.  It says nothing about what access
> they should be granted (authorization), just determines who they are
> (authentication).

I was a bit confused as to why the client passes along the ticket for a 
service that it got from the KDC.   I thought this meant that the 
client is authorized to talk to the server.  I now realize that this is 
to prove to the server (or service) that the client talked to the KDC 
and the KDC encrypted the user's credentials with the servers key to 
give a secure way of providing the user's username to the service.

Timothy Perfitt

More information about the Kerberos mailing list