You know my name

....look up the number.

In Greek mythology Kerberos, also known as Cerberus, was the hound of Hades who guarded the gates and ensured that the dead could not leave and the living could not enter.

In computing, Kerberos is a protocol that lets users prove their identity on a network securely without ever sending their password over the network. This means that even if a log-on is intercepted by a third party, they cannot pretend to be that user.

Single Sign-on

That’s all well and good in the insecure world of the Internet but what benefit can Kerberos have to a network of Macs that might not even be connected to the Internet?

Kerberos is also the foundation of something called Single Sign-on in both OS X Server and Microsoft’s Active Directory.

With Single Sign-on you only need to enter your password once and then you have access to all of the network resources that you are allowed to access. Instead of having to remember different passwords for each server that you access you are simply granted access straight away.

Now if you were thinking that this sounds a bit like the Keychain you would be right, to an extent. With Keychain you still have all the different user names and passwords but you have a master password that unlocks them all. With Single Sign-on you have just the one user name and password so that when you change your password for one server you change it for all of those that are in the Kerberos realm.

Scratching the Surface

Kerberos is one of those bits of OS X Server that don’t get a lot of publicity but really deserve to. One of the issues with OS X Server giving you so much in the box, as opposed to Windows Server 2003 for example, is that few people really do more than scratch the surface of what it is capable of. In the Windows world you buy Windows Server, which is the bedrock, and then on that you build the server that you want, buying the bits that you need such as a mail server, a database, collaboration and messaging tools or system management.

With OS X you get all of that in the box at no extra charge. If you don’t pay for something then subconsciously you don’t perceive it as having any value and so you don’t go looking for ways to use it. If you have paid good money for an extra feature then you make darned sure that you use it.

If you have OS X Server you have all of the tools necessary to set up Kerberos but first you need to configure a good few other things that come in the box.

You need to have working DNS on your network and Open Directory set up as well, and you definitely need to ensure that all of your Macs have the same date and time, usually by making sure that they have access to the same time server.
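Neither the description of the protocol above nor this list of prerequisites shows why the password stays off the wire or why the clocks matter, so here is a toy model of the Kerberos log-on (AS) exchange in Python. It is an added example, not code from the article or from OS X Server: the KDC, Client and login names, the PBKDF2 key derivation and the HMAC-based cipher are assumptions standing in for the real protocol's string-to-key function, encryption types and ASN.1 messages, while the error names come from RFC 4120.

```python
"""Toy model of the Kerberos log-on (AS) exchange. Constructed example: PBKDF2
stands in for the Kerberos string-to-key function and an HMAC-based cipher for
the real encryption types, but the property shown is the real one: the password
never leaves the client, and clocks that disagree too much refuse the log-on."""
import hashlib
import hmac
import json
import os
import time

MAX_CLOCK_SKEW = 300  # seconds; Kerberos' default tolerance is five minutes


def derive_key(password: str, realm: str, principal: str) -> bytes:
    """Derive the client's long-term key; the salt is realm + principal."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, a stand-in for the real AES enctypes
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag first: a wrong key or a tampered message is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Key Distribution Centre: it stores derived keys, never passwords."""

    def __init__(self, realm: str):
        self.realm = realm
        self.tgs_key = os.urandom(32)  # the krbtgt key; never leaves the KDC
        self.principals = {}           # principal name -> client key

    def add_principal(self, name: str, password: str) -> None:
        self.principals[name] = derive_key(password, self.realm, name)

    def as_exchange(self, principal: str, padata: bytes) -> bytes:
        """Handle an AS-REQ with encrypted-timestamp pre-authentication and
        return the encrypted part of the AS-REP. Error names follow RFC 4120."""
        client_key = self.principals.get(principal)
        if client_key is None:
            raise PermissionError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        try:
            timestamp = json.loads(decrypt(client_key, padata))["timestamp"]
        except ValueError:
            raise PermissionError("KDC_ERR_PREAUTH_FAILED")  # wrong password
        now = time.time()
        if abs(now - timestamp) > MAX_CLOCK_SKEW:
            raise PermissionError("KRB_AP_ERR_SKEW")  # clocks out of sync
        session_key = os.urandom(32)
        # The TGT is sealed under the krbtgt key: the client carries it opaquely
        # and presents it for later services instead of its password.
        tgt = encrypt(self.tgs_key, json.dumps({
            "client": principal, "session_key": session_key.hex(),
            "expires": now + 10 * 3600}).encode())
        return encrypt(client_key, json.dumps({
            "session_key": session_key.hex(), "tgt": tgt.hex()}).encode())


class Client:
    """The user's Mac: derives the key locally; the password stays here."""

    def __init__(self, realm: str, principal: str, password: str):
        self.principal = principal
        self.key = derive_key(password, realm, principal)

    def build_padata(self, clock_skew: float = 0.0) -> bytes:
        # clock_skew simulates a Mac whose clock is off by that many seconds
        return encrypt(self.key, json.dumps({"timestamp": time.time() + clock_skew}).encode())

    def read_as_rep(self, enc_part: bytes) -> dict:
        return json.loads(decrypt(self.key, enc_part))


def login(kdc: KDC, client: Client, clock_skew: float = 0.0):
    """Run the exchange; returns both wire messages and the decrypted reply."""
    padata = client.build_padata(clock_skew)            # goes in the AS-REQ
    as_rep = kdc.as_exchange(client.principal, padata)  # comes back in the AS-REP
    return padata, as_rep, client.read_as_rep(as_rep)
```

Running `login()` with a correct password returns two wire messages that contain no trace of the password, plus a session key and an opaque ticket the Mac cannot read itself; a wrong password fails as KDC_ERR_PREAUTH_FAILED and a clock more than five minutes out fails as KRB_AP_ERR_SKEW. Both failures look the same to a user (a refused log-on), which is why checking that every Mac is synchronised to the same time server belongs at the top of the list when diagnosing Kerberos problems.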

Managed Networks

If you are thinking that all of that sounds horribly complicated you would be right: a lot of it is, but there are great benefits to having a proper network rather than just a bunch of computers that are connected together. As Mac users we are used to managing our own systems, treating each of them as a separate entity rather than as part of the whole network. In the Windows world it is the opposite. On a Windows network you almost always have systems that are managed centrally and consistently, and you can connect to any server that you have the right to access straight away without having to retype passwords. Your Mac becomes a much more powerful tool when it is part of a managed network.

As well as having Single Sign-on, if you have network or mobile home directories set-up on the server you can hot desk, logging on to any computer on the network that you are authorised to access and getting your desktop and documents presented to you as if you were on the same computer that you always use. If you have a fault and need to replace your computer you don’t have to worry about copying all of your data over as it is held on the network, all your preferences and even your desktop picture.

If you have a Mac running OS X Server look into all of the other things that it can do besides just being a simple file server. If you have more than one server you absolutely need to look at tying them together to make life easier for your users.

Client Management

Once you have a managed network in place a lot of other things become much easier. One key thing, particularly relevant for education but also useful in larger companies, is the ability to manage client computers on the network. This is similar to what is known as Group Policy in the Windows world, but on OS X it is known as MCX, or Managed Client for X.

Once you have Client Management in place you can start to do things such as: control who can log onto which computers, so that only the Media Studies students can use the Final Cut Pro workstations; disable USB or FireWire storage devices, so that staff can’t walk off with customer data; and control who can use which applications, so that Key Stage 3 students can only use GarageBand while Key Stage 4 ones can use Logic Studio.

Open Directory / Directory Services

The cornerstone of both Single Sign-On and client management on the Mac is Apple’s Open Directory. Open Directory is not a single technology but instead is a framework that supports a number of different directory services including LDAP, which is used by Mac OS X Server, Active Directory, NIS and BSD flat-file and can be extended to support Novell’s eDirectory/NDS.

That’s a very dry way of looking at Directory Services. Essentially what we are doing is making the server aware of the people and resources within an organisation and, with the new Directory application in Mac OS X 10.5, the relationships between them. As well as managing user names and passwords it is possible to create groups of users with common needs and interests, e.g. cross-functional groups working on a project, and from that you can create group blogs and wikis, and add meeting rooms, projectors, etc. to the directory so that their use can be scheduled with iCal Server.

Active Directory Integration

Not everybody uses OS X Server to host their Directory Services. Many organisations will already have another directory in place, such as Microsoft’s Active Directory, and in these cases it doesn’t make sense to have a separate Directory Services infrastructure for the Mac users, as that would mean replicating much of the work that has already been done in setting up Active Directory.

The good news is that we can use Active Directory with our Macs to create one managed network that looks after users no matter what OS they are using. There are four main ways to do this: using the standard OS X client, using a configuration known as the Golden Triangle, using Augmented Records, or using an alternative client from Thursby called ADmitMac.

Apple's AD Client

Out of the box OS X is able to connect to an Active Directory network so that users have to authenticate against the server every time they log on. You can have the user’s home directory stored on the server as opposed to the local machine, but apart from that there are no other real options. Management of the client is not possible, and you can only find people in the Address Book if you know who you are looking for, since you cannot browse the directory. With Mac OS X 10.4 there are limitations in that users cannot access data stored on Microsoft Distributed File System (DFS) volumes, or any volumes at all if the network uses Signed SMB. In order to connect a 10.4 Mac to a shared volume the network administrator has to reduce the security level of the network.

It is not obvious to the user why they cannot connect to a volume: they are either told that their username or password is incorrect or they get an error -36. In order to find the real reason you have to go hunting in the console logs. Mac OS X 10.5 Leopard brings support for Signed SMB but it still cannot connect to a DFS volume. There was DFS support in some of the beta versions of Leopard but this was removed from the final product, and as of Mac OS X 10.5.1 it has not returned.

The standard OS X client is also used as part of the Golden Triangle and Augmented Records solutions, so the same limitations with respect to Signed SMB and DFS will apply. If you need access to Signed SMB from Mac OS X 10.4, or to DFS, you will need to use ADmitMac.

Golden Triangle

With the Golden Triangle we use Active Directory and Open Directory running together. Macs on the network use the standard OS X client to authenticate against Active Directory and to get the location of their home directory. They also authenticate against an Open Directory server, which in turn also authenticates against Active Directory. You cannot apply MCX policies from the Open Directory server directly to Active Directory users without making changes to Active Directory itself, something that most AD admins will not be prepared to sanction, but what you can do is create user groups within Open Directory and then add AD users to those groups. Once you have done that you can apply MCX policies to the Open Directory groups, and when the user authenticates against OD as part of their login the appropriate MCX policies are passed down to their Mac.

Additionally you can create computer accounts within Open Directory that allow you to control which groups of users can log in to each computer. You can create a Golden Triangle if you have computers and servers running either Mac OS X 10.4 or 10.5.

Augmented Records

An Augmented Records set-up takes the Golden Triangle one step further by allowing you to add information to the user’s directory record that is not available from Active Directory, for example to add in details of a user’s iChat name or their photo, but it will only work with Mac OS X 10.5 clients.

When the user looks up information in the directory it pulls information from both Active Directory and Open Directory and combines the two. There is one limitation: Open Directory cannot override Active Directory, so if there is incorrect information in the Active Directory record you cannot simply add the correct information to your Open Directory server.

ADmitMac

Thursby’s ADmitMac replaces the standard OS X Active Directory client with its own, which adds a number of benefits including support for Signed SMB and DFS, as mentioned earlier. ADmitMac can migrate existing local accounts to network-based accounts, you can control how many times a user can log into the Mac without it being connected to the network, and you can allow users from only specified OUs to log into a particular Mac. ADmitMac can also create file and printer shares on the Mac that are part of the AD domain.

If a Mac user has been delegated administrative rights for their part of an AD domain then ADmitMac provides a tool called AD Commander to allow administration of AD from a Mac. Finally, ADmitMac allows you to use Workgroup Manager to push MCX settings out to managed clients without the need for OS X Server or for making changes to Active Directory.
