sso_util(8) BSD System Manager's Manual sso_util(8)
NAME
sso_util -- Kerberos -- Open Directory Single Sign On
SYNOPSIS
sso_util command [-args]
DESCRIPTION
sso_util is a tool for setting up, interrogating and tearing down Kerberos
configurations within the Apple Single Sign On environment. This tool can
configure services, create and consume encrypted config records, and tear
down Kerberos installations.
Commands for sso_util :
info [-p] [-g | -l | -L | -r dir_node_path | -s [-R record_name] [-a]
[dir_node_path]]
Returns information about the current Single Sign On environment
info command arguments:
-p Returns the data in XML format
-g Returns the default Kerberos realm name
-l Returns a list of the services sso_util knows how to
kerberize
-L Returns the default Kerberos log file paths
-r dir_node_path
Looks in the given node and returns whether or not it
has a Kerberos record associated with it and, if so,
returns the default realm name. If dir_node_path is
'.' (default) it also returns all the realm names
available on the search path.
-s Returns information relating to the secure config
record attached to a given computer record in the
directory
-R Provides the name of the computer record to retrieve the
secure config record info from
-a Requests all the available information on the secure
config record
dir_node_path
specifies the directory node in which to search for the
computer record
remove [-k [-a admin_name [-p password]]] [-d]
Tears down a Kerberos KDC
remove command arguments:
-k removes both the krb5kdc and kadmind processes, and
their attendant data and config information
-a If the admin name is present, sso_util will attempt to
remove the KDC from the list of KDCs in the
KerberosClient config record in the default directory node
-d Removes the kadmind process. It does not alter any
other data
configure -r REALM -a admin_name [-p password] service
Configures Kerberized services on the local machine for the
given realm
configure command arguments:
-r REALM
Kerberos realm for the service principals
-a admin_name
Account name of an administrator authorized to make
changes in the Kerberos database
-p password
Password for the above administrator
service Service can be any number of afp, ftp, imap, pop, smtp,
ssh, or all
generateconfig -r REALM -R record_name -f dir_node_path -U user_list -a
admin_name [-p password] service
Creates a secure config record and attaches it to a computer
record in the given directory
generateconfig command arguments:
-r REALM
Kerberos realm for the service principals
-R record_name
Name of the Computer record to attach the secure config
record to
-f dir_node_path
specifies the directory node in which to find the given
computer record
-U user_list
Comma separated list of users authorized to use the
secure config record. The users must be in the same
passwords server as the admin
-a admin_name
Account name of an administrator authorized to make
changes in the Kerberos database and also authorized to
make changes in the directory node specified by -f
-p password
Password for the above administrator
service Service can be any number of afp, ftp, imap, pop, smtp,
ssh, or all
useconfig [-u] [-R record_name] [-f dir_node_path] -a admin_name [-p
password]
Uses a secure config record to configure a server for Kerberos
useconfig command arguments:
-u Forces the update, ignoring that the update may already
have been installed
-R record_name
Name of the Computer record containing the secure config
record
-f dir_node_path
Specifies the directory node in which to find the given
computer record
-a admin_name
Account name of a user authorized to use the secure
config record (see generateconfig)
-p password
Password for the above user
EXAMPLES
To configure a server in realm FOO.COM when you have the Kerberos
administrator's password:
sso_util configure -r FOO.COM -a kerberos_admin -p password all
To create a secure config record that allows the delegated admins, fred and
barney, to configure a server named fred.foo.com in realm FOO.COM (using
an existing computer record). The Open Directory Master for foo.com is
odmaster.foo.com. This can be run on any server, and neither fred nor
barney needs to have the Kerberos administrator's password:
sso_util generateconfig -r FOO.COM -R fred.foo.com -f /LDAPv3/odmaster.foo.com -U fred,barney -a kerberos_admin -p password all
To use the secure config record to allow barney to configure the server
named fred.foo.com:
sso_util useconfig -R fred.foo.com -f /LDAPv3/odmaster.foo.com -a barney -p barneys_password
FILES
/etc/krb5.keytab The configure and useconfig commands create or modify
the krb5.keytab file.
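The following shell check is added here as an illustration and is not part of the sso_util man page or Apple's tooling: after sso_util configure or sso_util useconfig has written /etc/krb5.keytab, it confirms that the keytab holds a service principal for each configured service in the realm and that the file is readable only by root. The mapping from sso_util service names to principal names (afp to afpserver, ssh to host) and the column layout of klist -k output are assumptions.

```shell
# Added example, not from the sso_util man page: verify a keytab written by
# `sso_util configure` / `sso_util useconfig` for realm REALM on host FQDN.

# Assumed mapping from sso_util service names to Kerberos service principals.
principal_for_service() {
    case "$1" in
        afp) echo "afpserver" ;;
        ssh) echo "host" ;;
        ftp|imap|pop|smtp) echo "$1" ;;
        *) return 1 ;;
    esac
}

# check_principals KLIST_OUTPUT FQDN REALM SERVICE...
# KLIST_OUTPUT is the text of `klist -k /etc/krb5.keytab` (assumed layout:
# "KVNO Principal" columns). Prints each expected principal that is missing
# and returns 0 only when every requested service has one.
check_principals() {
    klist_out=$1; fqdn=$2; realm=$3; shift 3
    missing=0
    for svc in "$@"; do
        if ! name=$(principal_for_service "$svc"); then
            echo "unknown service: $svc"; missing=$((missing + 1)); continue
        fi
        princ="$name/$fqdn@$realm"
        # Exact match on the principal column, so FOO.COM never matches FOO.COMX.
        if ! printf '%s\n' "$klist_out" | awk -v p="$princ" '$2 == p { found = 1 } END { exit !found }'; then
            echo "missing: $princ"; missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# keytab_is_private FILE: returns 0 when FILE is owned by root with mode 0600.
keytab_is_private() {
    [ -n "$(find "$1" -prune -user root -perm 0600 -print 2>/dev/null)" ]
}

# Constructed sample: a host where `sso_util configure ... all` only
# partially succeeded (no ftp, imap or pop principals were created).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 afpserver/fred.foo.com@FOO.COM
   3 host/fred.foo.com@FOO.COM
   3 smtp/fred.foo.com@FOO.COM'

# On a real server (not run here):
#   check_principals "$(klist -k /etc/krb5.keytab)" "$(hostname -f)" FOO.COM afp ssh smtp && keytab_is_private /etc/krb5.keytab
```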
DIAGNOSTICS
You can add -v debug_level to any of the sso_util commands. Debug level 1
provides status information; higher levels add progressively more levels
of detail.
NOTES
The sso_util tool is used by the Apple Single Sign On system to set up
Kerberized services integrated with the rest of the Single Sign On
components.
SEE ALSO
kerberos(1), kerberosautoconfig(8), kdcsetup(8), krbservicesetup(8),
krb5kdc(8),
Darwin June 12, 2008 Darwin
Mac OS X 10.4 Server - Generated Thu Jun 12 20:00:31 CDT 2008
