Directory Services. MacSysAdmin 2012

Size: px

Start display at page:

Download "Directory Services. MacSysAdmin 2012"

Griselda McGee
5 years ago
Views:

1 Directory Services MacSysAdmin 2012

2 Directory Services in 15 Minutes

3 Directory Services in 50 Minutes

4 Happy 9th Anniversary

5 See MacSysAdmin 2010 Session

6 2008

7 2009

8 Didn't update DS book for 10.7

9 Didn't update DS book for 10.8

10 I'll cover 10.7 & 10.8 now.

11 Agenda Directory Services brief basics What's new

12 Directory Services is Dead Long live directory services

13 What's Wrong With Directory Services?

14 No iphone Login

15 No ipad Login

16 It's chatty!

17 No, I'm, just kidding. It's not chatty. Appletalk was chatty.

18 Well, no, I'm half-serious. It is somewhat problematic.

19 Directory Based Preferences Management Client constantly checks in with Directory Service Problems when node isn't available User has to wait for timeouts

20 But We Do Need DS Centralized: Identification Authentication Authorization

21 Provide or Consume Servives? Either way, DS are probably involved

22 Changes in 10.7 and 10.8 OS X OS X Server

23 OS X DS Changes Password hash in user record New daemon Different logging Different Kerberos

28 New Daemon <=10.6: DirectoryService >=10.7: opendirectoryd

30 DS Logging No more killing odutil syslog

31 REPLACED

33 odutil odutil set log debug odutil set log default /var/log/opendirectoryd.log

34 syslog syslog -c 0 -d syslog -w syslog -c 0 off

35 Break For Bananas

39 Australian Cyclones Decimate Bananas Cyclone Larry 2006 Cyclone Yasi 2011 No importing

40 But Wait!

42 OS X Server DS Changes Dual-directory still valid OD Master not as necessary Fun SSL Stuff Password Service changed No importing from upstream node No more augments

43 Dual Directory Still Valid AD Users in OD Groups Edit SACLs for OD Groups OD AD Authentication OS X Bind OS X to both nodes Bind ODM to AD

44 Open Directory Server Basics LDAP Password Server Kerberos Service

45 Open Directory Server Basics LDAP: Identification Password Server: Authentication Kerberos: Both

50 Automatically created with Profile Manager

51 OD Master and SSL Open Directory Certification Authority (ODCA) ODCA signs Intermediate_1 Intermediate_1 signs hostname certificate Intermediate_1 signs code signing certificate

52 Password Server Basics Provides SASL authentication when not using Kerberos

53 Password Server Password Server replication source of problems <10.7 /var/db/authserver/ Now replicated with LDAP replication Hidden in LDAP (cn=authdata)

54 No Import From Upstream Node 10.7 stashed imported user info in /Library/Preferences/ com.apple.servermgr_accounts.imports.plist

55 No Import From Upstream Node Edit Access to Services instead of importing

56 No More Augments

57 History of Augment User Records Provided attributes for user records for OS X Server services Missing attributes like network home folder Allowed user to access service(s) "Very Fancy Cylinder"

58 I [Miss Hate] Augments Provided missing AD network home value Sorry, I don't know what to say for 10.8

59 Easy Verification Steps DNS Identification Authentication Authorization

60 "It's Always DNS" host dig nslookup service records

61 DNS and Active Directory Use AD DNS host -t _ldap._tcp.ssh22.com host -t _kerberos._tcp.ssh22.com host -t _kpasswd._tcp.ssh22.com host -t _gc_.tcp.ssh22.com

62 id arekdreyer Verify Identification

63 Verify Authentication dscl /Search -authonly arekdreyer <password> No feedback = successful authentication More on Kerberos later

64 Verify Authorization Not easy Edit Access to Services for account Service log might have something, probably not

65 Demonstration

70 Let's Talk Kerberos

71 Identification and Authentication

72 Single Sign-on Enter credentials once Access services seamlessly

73 Kerberos Basics Key Distribution Center Kerberized Service Kerberized User KDC holds all the secrets Services trust User by way of Kerberos tickets

74 Kerberos Heimdal instead of MIT Better support for multiple realms

75 But OS X currently seems to prefer WELLKNOWN:COM.APPLE.LKDC for OS X Server OS X and AD pretty OK

76 Verify Kerberos (Client) Ticket Viewer klist --list-caches

77 Ticket Viewer /System/Library/CoreServices No default identity

87 klist -l or --list-caches klist

88 dsconfigad -enablesso OS X Server and AD

89 Kerberos Troubleshooting System time within 5 minutes DNS syslog -c 0 -d; syslog -w

95 Recap Directory Services basic basics What's new in OS X What's new in OS X Server A few troubleshooting hints

96 Directory Services MacSysAdmin 2012

Understanding the Local KDC

Appendix C Understanding the Local KDC The local Key Distribution Center (LKDC) facilitates single sign-on for Apple Filing Protocol (AFP) file sharing and screen sharing, and although it is outside the