Subject: Re: Authenticating MacOS-X against NetBSD
To: Henry B. Hotz <hotz@jpl.nasa.gov>
From: Michael Bartosh <mbartosh@4am-media.com>
List: port-macppc
Date: 06/17/2003 12:08:47

On Tue, 17 Jun 2003, Henry B. Hotz wrote:

> At 1:28 PM -0400 6/17/03, Aron Roberts wrote:
> >actually as I recall Mac OS X doesn't use /etc/passwd (or shadow)
> >for authentication.  It uses netinfo which in its current form
> >looks very LDAPish to me though I can't say I have actually looked
> >into it.
> >
> >
> >On Tuesday, June 17, 2003, at 01:04  PM, David wrote:
> >
> >>	Is anything authenticating users logging into a MacOS-X box
> >>	against a NetBSD server, via NIS, Samba, or some other method?
> >>
> >>	Actually I suppose I could rsync the password files across, but it
> >>	somehow seems inelegant :)
>
> Not *so* bad, but you would need to configure netinfo to use the
> actual password file instead of its internal database.  man netinfo,
> lookupd, nidump.
>
> NIS is supported.  Look at the Directory Access utility.
>
> The currently preferred method is to use LDAP.  Again look at the
> Directory Access utility.
>
> Kerberos, unfortunately, is not currently supported.  It was
> announced for Jaguar.  According to last year's WWDC you should be
> able to set the AuthenticationAuthority attribute to
> "1.0;Kerberos;<realm>" in the LDAPv3 plugin, but it doesn't work for
> me.  (It's also not in the published LDAPv3 plugin source code.)
> There is enough mention of Kerberos in the program for this year's
> WWDC that I am hoping to see a solution for Panther.
>
> Now that I glance at the Directory Access utility I see that "BSD
> configuration files" is an option so maybe you don't need to dig
> through those netinfo man pages to use the rsync solution after all.
>
> If you do this then note that the security services PAM module will
> implement the Directory Access settings.  Don't go monkeying with PAM
> independently if you don't need to.  Also if you tell the screen
> saver to require the login password then it will.
>
> Note, when I mentioned Kerberos, that I did *not* tell you to look at
> an Apple tech note that tells you how to modify /etc/authorization to
> make loginWindow use Kerberos.  That will work for console login, but
> it does not affect the screen saver or PAM.

True enough. pam_krb5 doesn't build, either.

>
> Have fun!
> --
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
>