Friday Round Up: Kerberos, Hydroponics


Because I haven't posted much of anything this week, I thought I would take today to round up all the topics I would have covered, had I posted them. ^_^ There has been a lot going on this week that I wanted to share, and so little time to post it.

I have to admit, I had never before really got Kerberos. I understand why someone would want a single sign on solution, and why it's necessary to have an authentication system that doesn't pass your password. But it never really made a lot of sense to me until I started working with the Mac OS X Server platform. Why then? Because OS X Server makes initializing Kerberos so relatively easy (more on that later) that utilizing it makes sense.

For those not familiar with Kerberos, it is an authentication protocol in which a client proves its identity to a service with a ticket issued by a trusted Key Distribution Center (KDC), instead of sending a username and password to every service it uses. The tickets are encrypted under keys the client never learns, and they carry timestamps and a lifetime, so a ticket cannot be tampered with, used indefinitely, or quietly replayed against a service.
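To make the ticket model concrete, here is an added example of my own (not code from Apple, MIT Kerberos, or this post): a toy of the three exchanges a Kerberos login goes through. The user proves knowledge of the password by encrypting a timestamp (pre-authentication), gets a ticket-granting ticket (TGT), trades it for service tickets, and each kerberized service checks the ticket's expiry, the authenticator's timestamp against a clock-skew window, and a replay cache. The realm EXAMPLE.COM, the user alice, the service principals afpserver/files.example.com and cifs/files.example.com, and the passwords are all made up, and the seal/unseal routine is a stand-in for a real Kerberos encryption type, not something to reuse.

```python
# Added example, not from the post: toy model of the Kerberos AS, TGS and AP
# exchanges. Realm, principals and passwords are constructed; seal()/unseal()
# stand in for a Kerberos enctype and are NOT a secure cipher.
import hashlib
import hmac
import json
import os

SKEW = 300            # seconds of clock skew Kerberos tolerates (5 min default)
TICKET_LIFE = 36000   # 10 h, a common default ticket lifetime
REALM = "EXAMPLE.COM"
PRINCIPALS = {        # constructed realm: one user, the TGS, two kerberized services
    "alice": "correct horse battery",
    "krbtgt/EXAMPLE.COM": "kdc-master-secret",
    "afpserver/files.example.com": "afp-keytab-secret",
    "cifs/files.example.com": "smb-keytab-secret",
}

def derive_key(password: str, principal: str) -> bytes:
    """String-to-key: the KDC stores the result; the client recomputes it locally."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 2000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def seal(key, obj: dict) -> bytes:
    """Toy authenticated encryption: hash keystream XOR, then an HMAC tag."""
    key = bytes.fromhex(key) if isinstance(key, str) else key   # session keys travel as hex
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob: bytes) -> dict:
    key = bytes.fromhex(key) if isinstance(key, str) else key
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(ticket: dict, authenticator: bytes, now: int, replay: set) -> str:
    """AP-REQ checks done by whoever could decrypt the ticket (the KDC or the service)."""
    if now > ticket["expires"]:
        raise ValueError("ticket expired")
    auth = unseal(ticket["session"], authenticator)    # only the ticket holder has this key
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(auth["timestamp"] - now) > SKEW:
        raise ValueError("authenticator timestamp outside clock skew")
    if (auth["client"], auth["nonce"]) in replay:
        raise ValueError("replayed authenticator")
    replay.add((auth["client"], auth["nonce"]))
    return ticket["client"]

def make_authenticator(session: str, client: str, now: int) -> bytes:
    return seal(session, {"client": client, "timestamp": now, "nonce": os.urandom(8).hex()})

class KDC:
    """Holds every principal's long-term key; only ciphertext ever leaves it."""
    def __init__(self, realm: str, principals: dict):
        self.tgs = "krbtgt/" + realm
        self.keys = {p: derive_key(pw, p) for p, pw in principals.items()}
        self.replay = set()

    def _issue(self, client: str, service: str, now: int):
        session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": client, "service": service,
                                           "session": session, "expires": now + TICKET_LIFE})
        return ticket, session

    def as_exchange(self, client: str, preauth: bytes, now: int):
        """AS-REQ: the client proves it knows its key by encrypting the current
        time (PA-ENC-TIMESTAMP). The password itself never crosses the wire."""
        ts = unseal(self.keys[client], preauth)["timestamp"]    # wrong key -> ValueError
        if abs(ts - now) > SKEW:
            raise ValueError("pre-authentication timestamp outside clock skew")
        tgt, session = self._issue(client, self.tgs, now)
        return tgt, seal(self.keys[client], {"session": session})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS-REQ: a valid TGT plus a fresh authenticator buys a service ticket."""
        t = unseal(self.keys[self.tgs], tgt)
        check_authenticator(t, authenticator, now, self.replay)
        ticket, session = self._issue(t["client"], service, now)
        return ticket, seal(t["session"], {"session": session})

def login(kdc: KDC, client: str, password: str, now: int):
    """Client side of the AS exchange: returns the TGT and its session key."""
    key = derive_key(password, client)
    tgt, reply = kdc.as_exchange(client, seal(key, {"timestamp": now}), now)
    return tgt, unseal(key, reply)["session"]

def get_ticket(kdc: KDC, tgt: bytes, tgt_session: str, client: str, service: str, now: int):
    ticket, reply = kdc.tgs_exchange(tgt, make_authenticator(tgt_session, client, now), service, now)
    return ticket, unseal(tgt_session, reply)["session"]

def sso_demo(now: int = 1_700_000_000) -> dict:
    """One password entry, then AFP and SMB accept alice without ever seeing it."""
    kdc, accepted = KDC(REALM, PRINCIPALS), {}
    tgt, tgt_session = login(kdc, "alice", PRINCIPALS["alice"], now)
    for service in ("afpserver/files.example.com", "cifs/files.example.com"):
        ticket, svc_session = get_ticket(kdc, tgt, tgt_session, "alice", service, now)
        service_key = kdc.keys[service]          # a real service reads this from its keytab
        accepted[service] = check_authenticator(unseal(service_key, ticket),
                                                make_authenticator(svc_session, "alice", now), now, set())
    return accepted

def rejected(attempt) -> bool:
    try:
        attempt()
    except ValueError:
        return True
    return False

def failure_demo(now: int = 1_700_000_000) -> dict:
    """What the encryption and timestamps stop: bad password, replay, expiry."""
    kdc, service = KDC(REALM, PRINCIPALS), "afpserver/files.example.com"
    tgt, tgt_session = login(kdc, "alice", PRINCIPALS["alice"], now)
    ticket, svc_session = get_ticket(kdc, tgt, tgt_session, "alice", service, now)
    plain, cache = unseal(kdc.keys[service], ticket), set()
    ap_req = make_authenticator(svc_session, "alice", now)
    check_authenticator(plain, ap_req, now, cache)           # genuine first use succeeds
    late = now + TICKET_LIFE + 1
    return {"wrong_password": rejected(lambda: login(kdc, "alice", "guess", now)),
            "replayed_ap_req": rejected(lambda: check_authenticator(plain, ap_req, now + 1, cache)),
            "expired_ticket": rejected(lambda: check_authenticator(
                plain, make_authenticator(svc_session, "alice", late), late, set()))}
```

Two things to notice when reading it: the service never holds alice's key, only its own keytab key and the session key the KDC put inside the ticket, which is why a kerberized AFP or SMB server cannot leak the directory password even if it is compromised; and every check in check_authenticator depends on the clocks agreeing, which is the practical reason the KDC and its clients must share a time source.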

Apparently, based on the entries I have seen in various forums, it's a beast to get running properly on any platform. But Mac OS X Server integrates it with the Open Directory Master, so as long as your DNS is working properly (forward and reverse lookups of the server's hostname must agree, because Kerberos builds its service principal names from hostnames; keeping the server's own entry in /etc/hosts is a useful backstop), you can have a relatively consistent Kerberos experience right out of the box. This is great for any small to medium-sized business that is looking for a single sign-on solution for its server environment.

So, Kerberos is working. Now what? What can you use it for? Well, Mac OS X Server has the following services that are Kerberized (compatible with Kerberos):

Directory Services (Open Directory login)
Apple Filing Protocol (AFP)
Windows Services (SMB)
Virtual Private Networking (VPN)
File Transfer Protocol (FTP)
Mail (IMAP, POP and SMTP authentication)
Xgrid

So, you can Kerberize your access to these services. Granted, not everyone in a mixed-platform environment can use AFP, but almost every client can speak SMB in one form or another (served by Samba on OS X Server), so you have your single sign-on file server.

Then, you can use single sign-on for directory login, or network access. Because Apple's Open Directory is built on standard LDAPv3 (OpenLDAP) with an MIT Kerberos KDC behind it, directory services can be integrated into any platform that speaks LDAP and Kerberos. That means you can even integrate your Windows systems into Open Directory for a Kerberized login.

VPN defaults to the Layer 2 Tunneling Protocol (L2TP over IPsec), but if you need to, you can set it up for the Point-to-Point Tunneling Protocol (PPTP). As you can set up Kerberized access for it anyway, both solutions can be very convenient, though PPTP relies on the much weaker MS-CHAPv2 password exchange and is best kept only for clients that cannot do L2TP.

Mail is the example used in the Server Essentials Kerberos video. It's easy to see why you would want a Kerberized mail system for business email, since IMAP, POP and SMTP logins otherwise carry the directory password on every check, and Mail is all set for Kerberos.

FTP makes the case most plainly: plain FTP sends the user ID and password in clear text, and since the FTP service authenticates against your directory accounts, a sniffed FTP login is a sniffed directory password. That makes FTP your weakest link, and it alone is the best reason to Kerberize the service: a Kerberized FTP login presents a ticket and never puts the password on the wire.

I don't have a lot to say about Xgrid, because I haven't ever used it and I don't have an environment that requires it. Needless to say, it looks cool, and anything that is kerberized can't be all bad. ^_^

There is a rumor that the Team server in OS X 10.5 will be Kerberized, along with iChat server. If that's the case it will eliminate most of the weakest links in the services that are used within a business, making the solution that much more attractive to larger businesses.

I'm going to be playing with Kerberos and kerberized services within the next few weeks as I prepare for the Apple Certified Systems Administrator certification, so hopefully I will be able to shed more light on the service.

Hydroponics Update
I just wanted to post that my first experiment with hydroponics and starter plants seems to be working! My cucumbers just started to sprout, and I'm really excited! I figure that the pumpkins will be next, followed by the artichokes and perhaps the pansies. As soon as I get some greenery, I'll post a picture. ^_^

So, that has been my week so far. I'm working on a new server deployment for the classroom, and starting this next week I will be preparing myself for the Office 2007 offerings that we are starting this Summer. For those looking for Office 2007 training (and you will probably need it, as it's so different from previous versions), feel free to check out our offerings at!