sso_util(8) BSD System Manager's Manual sso_util(8)
NAME
sso_util -- Kerberos -- Open Directory Single Sign On
SYNOPSIS
sso_util command [-args]
DESCRIPTION
     sso_util is a tool for setting up, interrogating and tearing down Kerberos
     configurations within the Apple Single Sign On environment. This tool can
     configure services, create and consume encrypted config records and tear
     down Kerberos installations.

     Commands for sso_util:

     info [-p] [-g | -l | -L | -r dir_node_path | -s [-R record_name] [-a] [dir_node_path]]
             Returns information about the current Single Sign On environment.

             info command arguments:

             -p      Returns the data in XML format.

             -g      Returns the default Kerberos realm name.

             -l      Returns a list of the services sso_util knows how to
                     kerberize.

             -L      Returns the default Kerberos log file paths.

             -r dir_node_path
                     Looks in the given node and returns whether or not it has
                     a Kerberos record associated with it and, if so, returns
                     the default realm name. If dir_node_path is '.' (the
                     default) it also returns all the realm names available on
                     the search path.

             -s      Returns information relating to the secure config record
                     attached to a given computer record in the directory.

             -R record_name
                     Provides the name of the computer record to retrieve the
                     secure config record info from.

             -a      Requests all the available information on the secure
                     config record.

             dir_node_path
                     Specifies the directory node in which to search for the
                     computer record.

     remove [-k [-a admin_name [-p password]]] [-d]
             Tears down a Kerberos KDC.

             remove command arguments:

             -k      Removes both the krb5kdc and kadmind processes, and their
                     attendant data and config information.

             -a admin_name
                     If the admin name is present, sso_util will attempt to
                     remove the KDC from the list of KDCs in the KerberosClient
                     config record in the default directory node.

             -p password
                     Password for the above administrator.

             -d      Removes the kadmind process. It does not alter any other
                     data.

     configure -r REALM -a admin_name [-p password] service
             Configures Kerberized services on the local machine for the given
             realm.

             configure command arguments:

             -r REALM
                     Kerberos realm for the service principals.

             -a admin_name
                     Account name of an administrator authorized to make
                     changes in the Kerberos database.

             -p password
                     Password for the above administrator.

             service
                     Service can be any number of afp, ftp, imap, pop, smtp,
                     ssh, or all.

     generateconfig -r REALM -R record_name -f dir_node_path -U user_list -a admin_name [-p password] service
             Creates a secure config record and attaches it to a computer
             record in the given directory.

             generateconfig command arguments:

             -r REALM
                     Kerberos realm for the service principals.

             -R record_name
                     Name of the computer record to attach the secure config
                     record to.

             -f dir_node_path
                     Specifies the directory node in which to find the given
                     computer record.

             -U user_list
                     Comma-separated list of users authorized to use the
                     secure config record. The users must be in the same
                     password server as the admin.

             -a admin_name
                     Account name of an administrator authorized to make
                     changes in the Kerberos database and also authorized to
                     make changes in the directory node specified by -f.

             -p password
                     Password for the above administrator.

             service
                     Service can be any number of afp, ftp, imap, pop, smtp,
                     ssh, or all.

     useconfig [-u] [-R record_name] [-f dir_node_path] -a admin_name [-p password]
             Uses a secure config record to configure a server for Kerberos.

             useconfig command arguments:

             -u      Forces the update, ignoring that the update may already
                     have been installed.

             -R record_name
                     Name of the computer record containing the secure config
                     record.

             -f dir_node_path
                     Specifies the directory node in which to find the given
                     computer record.

             -a admin_name
                     Account name of a user authorized to use the secure
                     config record (see generateconfig).

             -p password
                     Password for the above user.
EXAMPLES
     To configure a server in realm FOO.COM when you have the Kerberos
     administrator's password:

           sso_util configure -r FOO.COM -a kerberos_admin -p password all

     To create a secure config record to allow the delegated admins, fred and
     barney, to configure a server named fred.foo.com in realm FOO.COM (using
     an existing computer record). The Open Directory Master for foo.com is
     odmaster.foo.com. This can be run on any server and neither fred nor
     barney need to have the Kerberos administrator's password:

           sso_util generateconfig -r FOO.COM -R fred.foo.com -f /LDAPv3/odmaster.foo.com -U fred,barney -a kerberos_admin -p password all

     To use the secure config record to allow barney to configure the server
     named fred.foo.com:

           sso_util useconfig -R fred.foo.com -f /LDAPv3/odmaster.foo.com -a barney -p barneys_password
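     The following wrapper script is an added example and is not part of this
     man page or of Apple's sso_util. It scripts the delegated-admin workflow
     from the examples above: the Kerberos administrator runs generateconfig
     once, and a delegated user later runs useconfig on the target server.
     Both service names and the realm are validated before anything is handed
     to the tool, so a typo such as "htp" fails in the wrapper rather than
     half-way through a kerberization. The script assumes sso_util is on PATH,
     and that setting SSO_UTIL_DRY_RUN=1 (a name chosen for this example) should
     only print the command line instead of running it. It deliberately omits
     -p, so the password never appears in process listings; this assumes that
     sso_util prompts for the password when -p is absent, which this man page
     does not state.

```sh
#!/bin/sh
# Added example, not part of the sso_util man page or of Apple's code.
# Assumptions: sso_util is on PATH; SSO_UTIL_DRY_RUN=1 (our own variable)
# prints the command instead of running it; with -p omitted, sso_util is
# assumed to prompt for the password (not stated by the man page).

# Service names the man page lists for configure/generateconfig/useconfig.
SERVICES_ALLOWED="afp ftp imap pop smtp ssh all"

# validate_services SERVICE... : succeed only if every argument is one of the
# service names the man page documents.
validate_services() {
    [ $# -gt 0 ] || return 1
    for _svc in "$@"; do
        case " $SERVICES_ALLOWED " in
            *" $_svc "*) ;;
            *) echo "unknown service: $_svc" >&2; return 1 ;;
        esac
    done
    return 0
}

# validate_realm REALM : Kerberos realms are upper-case DNS-style names
# (e.g. FOO.COM); reject anything else so lower-case typos do not create
# principals in the wrong realm.
validate_realm() {
    case "$1" in
        '')            return 1 ;;
        *[!A-Z0-9.-]*) return 1 ;;
        [A-Z0-9]*)     return 0 ;;
        *)             return 1 ;;
    esac
}

# run_sso ARG... : run sso_util, or print the command line in dry-run mode.
run_sso() {
    if [ "${SSO_UTIL_DRY_RUN:-0}" = 1 ]; then
        printf 'sso_util'
        for _a in "$@"; do printf ' %s' "$_a"; done
        printf '\n'
    else
        sso_util "$@"
    fi
}

# gen_config REALM RECORD NODE USERLIST ADMIN SERVICE...
# Run by the Kerberos administrator: attaches a secure config record for the
# given services to the computer record RECORD in directory node NODE, and
# authorizes the comma-separated USERLIST to consume it.
gen_config() {
    _realm=$1; _rec=$2; _node=$3; _users=$4; _admin=$5; shift 5
    validate_realm "$_realm" || return 1
    validate_services "$@" || return 1
    run_sso generateconfig -r "$_realm" -R "$_rec" -f "$_node" \
        -U "$_users" -a "$_admin" "$@"
}

# use_config RECORD NODE USER
# Run by a delegated user on the target server: consumes the secure config
# record, without needing the Kerberos administrator's password.
use_config() {
    run_sso useconfig -R "$1" -f "$2" -a "$3"
}

# Sample invocation (constructed values matching the EXAMPLES section):
#   SSO_UTIL_DRY_RUN=1 gen_config FOO.COM fred.foo.com \
#       /LDAPv3/odmaster.foo.com fred,barney kerberos_admin all
#   SSO_UTIL_DRY_RUN=1 use_config fred.foo.com /LDAPv3/odmaster.foo.com barney
```

     Keeping -p out of the wrapper is the main design choice: an argument
     passed on the command line is visible to every local user via ps, and the
     man page's own examples show the administrator password being passed that
     way.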
FILES
     /etc/krb5.keytab
             The configure and useconfig commands create or modify the
             krb5.keytab file.
DIAGNOSTICS
     You can add -v debug_level to any of the sso_util commands. Debug level 1
     provides status information; higher levels add progressively more detail.
NOTES
     The sso_util tool is used by the Apple Single Sign On system to set up
     Kerberized services integrated with the rest of the Single Sign On
     components.
SEE ALSO
     kerberos(1), kerberosautoconfig(8), kdcsetup(8), krbservicesetup(8),
     krb5kdc(8)

Darwin                           June 12, 2008                          Darwin
Mac OS X 10.4 Server - Generated Thu Jun 12 20:00:31 CDT 2008