February 2008 Archives

February 7, 2008

Samba + OpenLDAP + Kerberos + AFP + Leopard = ♥

I realize now that writing technical articles in a word processor isn't the best way to go, since it's a pain to revisit and edit things later (once you find a mistake, which is inevitable). So, I'm taking the original article I wrote and reprocessing it here. (Figuring out how to make a nifty inline box for easier reading of code entries helped out, too.)

This article's a broad-stroke outline on how to integrate Samba 3, OpenLDAP, Kerberos and AFP in Leopard Server, specifically as it would apply here at Stanford. What this gets you:

  • Filesharing services to both Macs and Windows clients
  • Using the campus' OpenLDAP directory for account provisioning
  • Using the main campus Kerberos realm for authentication
  • Using Open Directory for delegating share access using ACLs

Getting Kerberos credentials at login

Many of us have Stanford Desktop Tools on our machine, or at least have a proper edu.mit.Kerberos file (aka krb5.conf) so that we can use Kerberos authentication for email programs like Mail.app or Eudora, web browsers like Safari with HTTP Negotiate, and other single sign-on services like filesharing. But out-of-the-box, we're faced with double-authentication scenarios, where we first log into our Mac, then we face a Kerberos dialogue box (where we enter our SUNet ID and password). Wouldn't it be nice to get our Kerberos credentials at the same time we log in?

About the Mac OS X SIG blog

This is a blog that is intended to complement Stanford's Mac OS X Special Interest Group email list. It's community supported, which means it's not the voice of any department or school on campus. The content is heavily skewed towards the Stanford environment, and the content is edited by Stanford affiliates. The whole site, though, is public and Google-able, just like the Mailman email list group archives are public.

February 13, 2008

Generating Stanford keytabs from a Mac

The instructions provided by ITS for integrating stanford.edu Kerberos keytabs are here. However well written, it's clear they're geared for Unix or Linux administrators.

It's actually easier for Mac admins, in my opinion, since you have the campus Unix/Linux cluster machines to use, your Mac server already has the Kerberos bits built in, and you don't have to compile or install AFS components, either.

February 16, 2008

macosxsig blog updated to Movable Type 4.1

The version of MT that's available through Software Licensing is 3.34, while 3.35 was released on April 17, 2007, and there's been a "mandatory security update" to 3.36 released on Jan 15, 2008. So, I took the plunge and downloaded Movable Type 4.1 instead.

February 28, 2008

Compiling WebAuth for Leopard's Apache2

I want to say that we have WebAuth working on 10.5.2, but we don't. At least not yet.

At issue are the changes undertaken in web services between 10.4 and 10.5. They're quite substantial.

Tiger's web server was Apache 1.3; it was 32-bit and built either for PowerPC or, later, as a "universal" binary to additionally run on Intel processors. Leopard's web server is a whole other beast. The default web server is now Apache 2.2, it's all 64-bit and it's built for four different processor families.

betenoire:~ nbfa$ which httpd
/usr/sbin/httpd
betenoire:~ nbfa$ file /usr/sbin/httpd
/usr/sbin/httpd: Mach-O universal binary with 4 architectures
/usr/sbin/httpd (for architecture ppc7400): Mach-O executable ppc
/usr/sbin/httpd (for architecture ppc64): Mach-O 64-bit executable ppc64
/usr/sbin/httpd (for architecture i386): Mach-O executable i386
/usr/sbin/httpd (for architecture x86_64): Mach-O 64-bit executable x86_64

This will pose some challenges.

About February 2008

This page contains all entries posted to Mac OS X SIG in February 2008. They are listed from oldest to newest.

Creative Commons License
This weblog is licensed under a Creative Commons License.