sso_util(8) BSD System Manager's Manual sso_util(8)
NAME
sso_util -- Kerberos -- Open Directory Single Sign On
SYNOPSIS
sso_util command [-args]
DESCRIPTION
sso_util is a tool for setting up, interrogating and removing Kerberos configurations within the Apple
Single Sign On environment. This tool can configure services, create and consume encrypted config
records, and tear down Kerberos installations.
Commands for sso_util:
info [-p] [-g | -l | -L | -r dir_node_path | -s [-R record_name] [-a] [dir_node_path]]
Returns information about the current Single Sign On environment.
info command arguments:
-p Returns the data in XML format
-g Returns the default Kerberos realm name
-l Returns a list of the services sso_util knows how to Kerberize
-L Returns the default Kerberos log file paths
-r dir_node_path
Returns whether or not the given node has a Kerberos record associated with it. If it
does, it returns the default realm name. If dir_node_path is '.' (default) it also
returns all the realm names available on the search path
-s Returns information relating to the secure config record attached to a given computer
record in the directory
-R Provides the name of the computer record that contains the secure config record
information
-a Requests all available information on the secure config record
dir_node_path
specifies the directory node in which to search for the computer record
remove [-k [-a admin_name [-p password]]] [-d] -r REALM
Tears down a Kerberos KDC.
remove command arguments:
-k removes both the krb5kdc and kadmind processes, and their attendant data and config
information
-a If the admin name is present, sso_util will attempt to remove the kdc from the list
of KDCs in the KerberosClient config record in the default directory node
-d Removes the kadmind process. It does not alter any other data
-r Kerberos realm name to remove
configure -r REALM -a admin_name [-p password] service
Configures Kerberized services on the local machine for the given realm
configure command arguments:
-r REALM
Kerberos realm for the service principals
-a admin_name
Account name of an administrator authorized to make changes in the Kerberos database
-p password
Password for the above administrator
service Service can be any number of afp, ftp, imap, pop, smtp, ssh, or all
generateconfig -r REALM -R record_name -f dir_node_path -U user_list -a admin_name [-p password]
service
Creates a secure config record and attaches it to a computer record in the given directory.
generateconfig command arguments:
-r REALM
Kerberos realm for the service principals
-R record_name
Name of the Computer record to attach the secure config record to
-f dir_node_path
specifies the directory node in which to find the given computer record
-U user_list
Comma separated list of users authorized to use the secure config record. The users
must be in the same password server as the administrator.
-a admin_name
Account name of an administrator authorized to make changes in the Kerberos database
and also authorized to make changes in the directory node specified by -f
-p password
Password for the above administrator
service Service can be any number of afp, ftp, imap, pop, smtp, ssh, or all
useconfig [-u] [-R record_name] [-f dir_node_path] -a admin_name [-p password]
Uses a secure config record to configure a server for Kerberos.
useconfig command arguments:
-u Forces the update, ignoring that the update may already have been installed
-R record_name
Name of the Computer record containing the secure config record
-f dir_node_path
Specifies the directory node in which to find the given computer record
-a admin_name
Account name of an user authorized to use the secure config record (see
generateconfig)
-p password
Password for the above user
EXAMPLES
To configure a server in realm FOO.COM when you have the Kerberos administrator's password:
sso_util configure -r FOO.COM -a kerberos_admin -p password all
To create a secure config record that allows the delegated administrators, Fred and Barney, to configure a
server named fred.foo.com in realm FOO.COM (using an existing computer record). The Open Directory Master
for foo.com is odmaster.foo.com. This can be run on any server, and neither Fred nor Barney needs to have
the Kerberos administrator's password:
sso_util generateconfig -r FOO.COM -R fred.foo.com -f /LDAPv3/odmaster.foo.com -U Fred,Barney -a kerberos_admin -p password all
To use the secure config record to allow Barney to configure the server named fred.foo.com:
sso_util useconfig -R fred.foo.com -f /LDAPv3/odmaster.foo.com -a Barney -p barneys_password
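After configure or useconfig has run, a practitioner will want to confirm that the server actually ended up
with the expected service keys and that /etc/krb5.keytab (listed under FILES) is not exposed to other local
users. The script below is an added example written for this page; it is not part of sso_util or macOS
Server. It assumes the mapping from sso_util service names to Kerberos service principal names (afp to
afpserver, ssh to host, the rest unchanged), assumes the service list is comma-separated as in the -U
option, and reads the output of `klist -k`; the sample listing embedded at the bottom is constructed for
the demonstration. It also generalizes beyond the page's examples by accepting any subset of the services.

```shell
#!/bin/sh
# Post-configuration check for a server Kerberized with sso_util.
# Added example, not part of sso_util. ASSUMED: the service-name to
# principal-name mapping in principal_for (afp -> afpserver, ssh -> host).

# principal_for SERVICE FQDN REALM -> prints the expected service principal.
principal_for() {
    case "$1" in
        afp) svc=afpserver ;;          # assumed Apple AFP principal name
        ssh) svc=host ;;               # sshd uses the host/ principal
        ftp|imap|pop|smtp) svc="$1" ;;
        *) echo "unknown service: $1" >&2; return 1 ;;
    esac
    printf '%s/%s@%s\n' "$svc" "$2" "$3"
}

# missing_principals FQDN REALM SERVICES KLIST_OUTPUT
# SERVICES: comma-separated sso_util service names, or "all".
# KLIST_OUTPUT: text of `klist -k /etc/krb5.keytab` (MIT or Heimdal layout;
# any whitespace-delimited token containing '@' is taken as a principal).
# Prints each expected principal that is absent; returns 1 if any is missing.
missing_principals() {
    fqdn=$1; realm=$2; services=$3; listing=$4
    [ "$services" = all ] && services=afp,ftp,imap,pop,smtp,ssh
    present=$(printf '%s\n' "$listing" |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /@/) print $i }')
    rc=0
    for s in $(printf '%s' "$services" | tr ',' ' '); do
        want=$(principal_for "$s" "$fqdn" "$realm") || return 2
        if ! printf '%s\n' "$present" | grep -Fqx "$want"; then
            echo "$want"
            rc=1
        fi
    done
    return $rc
}

# keytab_mode_is_private PATH -> succeeds only if PATH is a regular file
# with no group or other permission bits set (e.g. mode 0600). The trailing
# '*' tolerates the '@', '+' or '.' suffix ls adds for xattrs, ACLs or SELinux.
keytab_mode_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | awk '{ print $1 }')" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_kerberized_server FQDN REALM SERVICES [KEYTAB]
# Live check against the real keytab (must run as root to read it).
check_kerberized_server() {
    kt=${4:-/etc/krb5.keytab}
    ok=0
    if ! keytab_mode_is_private "$kt"; then
        echo "WARN: $kt is readable by group or others" >&2; ok=1
    fi
    if [ "$(ls -ld "$kt" | awk '{ print $3 }')" != root ]; then
        echo "WARN: $kt is not owned by root" >&2; ok=1
    fi
    if ! m=$(missing_principals "$1" "$2" "$3" "$(klist -k "$kt")"); then
        echo "WARN: principals missing from $kt:" >&2; echo "$m" >&2; ok=1
    fi
    return $ok
}

# Constructed sample `klist -k` output (MIT layout) for the demonstration,
# with the smtp and host (ssh) principals deliberately absent.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 afpserver/fred.foo.com@FOO.COM
   3 ftp/fred.foo.com@FOO.COM
   3 imap/fred.foo.com@FOO.COM
   3 pop/fred.foo.com@FOO.COM'

if m=$(missing_principals fred.foo.com FOO.COM all "$SAMPLE_KLIST"); then
    echo "sample: all service principals present"
else
    echo "sample: missing principals:"; echo "$m"
fi
```

On a real server run `check_kerberized_server fred.foo.com FOO.COM all` as root after `sso_util configure`
or `sso_util useconfig`; a non-zero exit means either a service principal never made it into the keytab
or the keytab's ownership or mode would let other local users read the service keys.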
FILES
/etc/krb5.keytab The configure and useconfig commands create or modify the krb5.keytab file. It holds
the long-term keys of every service principal configured on the machine; anyone able to
read it can impersonate those services, so it must stay owned by root and unreadable by
other users.
DIAGNOSTICS
You can add -v debug_level to any of the sso_util commands. Debug level 1 provides status information,
higher levels add progressively more levels of detail. The maximum is level 7.
NOTES
The sso_util tool is used by the Apple Single Sign On system to set up Kerberized services integrated
with the rest of the Single Sign On components.
A password given with -p becomes part of the command line, which other local users can read from
the process list and which the shell records in its history. Prefer leaving -p off and supplying the
password interactively on shared or multi-user systems.
SEE ALSO
kerberos(1), kerberosautoconfig(8), kdcsetup(8), krbservicesetup(8), krb5kdc(8)
Darwin April 2, 2008 Darwin