27.4  Starting Open Directory and Kerberos settings

In Open Directory, it is possible to authenticate users against the password server (refer to chapter 10  Mapping users from directory services) or against the Kerberos server (for details, see chapter 27  Kerberos Authentication). As mentioned in chapter 10  Mapping users from directory services, authentication against the password server does not require any additional settings, while Kerberos authentication can be quite difficult to configure. This chapter therefore focuses on configuring authentication against the Kerberos server in Open Directory correctly.

After Mac OS X Server starts up, make sure that both the Open Directory service and the Kerberos server are running. This can be checked in the Server Admin application (Applications → Server → Server Admin).

The welcome dialog of Server Admin consists of two basic sections. The left one lists hosts and the services running on them, including the host where the Open Directory service is supposed to be started. If the service is already running, its entry is shown in bold and marked with a green symbol (see figure 27.10  The Open Directory service).

Figure 27.10. The Open Directory service


The right section usually includes information about the selected service, its logs and settings.

The directory service should be started automatically on the first startup of Mac OS X Server. If it is not running, select it and click the Start Service button on the toolbar. In the right section of the window, check which Open Directory services are running and which are not (see figure 27.10  The Open Directory service). The Kerberos entry is the important one. If the Kerberos server is running, no additional settings are required. If it is not, check the following:

  1. On the Settings tab, the server must be set as Open Directory Master. Authentication is required to edit these settings. Use the username and password of the administrator account that was created in Open Directory, for example the diradmin user (see figure 27.11  Setting of administration username and password).

    Figure 27.11. Setting of administration username and password


  2. The DNS service must be configured correctly.

  3. The DNS name (hostname) of the server where Open Directory is running must be set correctly.

Once the Kerberos server has started successfully, it is recommended to test the configuration with the kinit utility. Open a terminal and run the following command:

kinit -S host/name_KMS@KERBEROS_REALM user_name

for example:

kinit -S host/mail.company.com@COMPANY.COM diradmin

If the command is processed correctly, you will be asked for the password of the specified user. Otherwise, an error is reported.
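The kinit test above fails most often because of the DNS and hostname conditions listed in items 2 and 3. The following pre-flight check is an added example, not part of this guide or of Mac OS X Server: it verifies that the server's hostname is a lowercase fully qualified name whose forward and reverse DNS records agree, that the realm is uppercase, and then builds the kinit command. The resolver functions are injectable so the check can run offline; the sample DNS data is constructed for the demonstration and is not a real zone.

```python
import socket

def check_od_kerberos_prereqs(hostname, realm, user="diradmin",
                              resolve=socket.gethostbyname,
                              reverse=lambda ip: socket.gethostbyaddr(ip)[0]):
    """Pre-flight for the kinit test: checks the items the checklist above
    depends on (DNS working, hostname set correctly) and builds the command.
    resolve/reverse are injectable so the check can be run offline."""
    problems = []
    if hostname != hostname.lower():
        problems.append("hostname must be lowercase: %s" % hostname)
    if "." not in hostname.strip("."):
        problems.append("hostname is not fully qualified: %s" % hostname)
    if not realm or realm != realm.upper():
        problems.append("Kerberos realm must be uppercase: %r" % realm)
    ip = None
    try:
        ip = resolve(hostname)   # forward lookup (item 2: DNS configured)
    except OSError as e:         # gaierror/herror are OSError subclasses
        problems.append("forward DNS lookup failed for %s: %s" % (hostname, e))
    if ip is not None:
        try:
            rname = reverse(ip)  # reverse lookup must agree (item 3: hostname)
        except OSError as e:
            problems.append("reverse DNS lookup failed for %s: %s" % (ip, e))
        else:
            if rname.lower().rstrip(".") != hostname.lower().rstrip("."):
                problems.append("reverse DNS for %s returns %s, expected %s"
                                % (ip, rname, hostname))
    principal = "host/%s@%s" % (hostname, realm)
    return {"ok": not problems, "problems": problems, "principal": principal,
            "kinit": "kinit -S %s %s" % (principal, user)}

# Constructed sample DNS data for an offline demonstration (not a real zone).
SAMPLE_A = {"mail.company.com": "192.0.2.10", "od.company.com": "192.0.2.20"}
SAMPLE_PTR = {"192.0.2.10": "mail.company.com", "192.0.2.20": "old.company.com"}

def sample_resolve(name):
    if name not in SAMPLE_A:
        raise OSError("no A record for %s" % name)
    return SAMPLE_A[name]

def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise OSError("no PTR record for %s" % ip)
    return SAMPLE_PTR[ip]
```

Calling check_od_kerberos_prereqs(hostname, realm) without the resolver arguments runs the same checks against the server's real DNS; a non-empty problems list points at what to fix before trying kinit again.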

Note: Logs available on the Logs tab can be helpful for troubleshooting.