Dog of Three Heads

Between September 2005 and July 2011 I was a regular contributor to MacFormat in the UK.

Whereas I’m posting the published articles for my MacWarehouse writing, with the MacFormat ones I’ve decided to post the text as submitted, including any comments that I included for design. I am, however, allowing myself a few small edits for clarity.

The particular one is is the original version of my Sixteenth column, written in November 2006, which was discarded as being too business related for the typical MacFormat reader. This is presented purely as a historical record as much, if not all, of the information contained in it may well have changed in the meantime.

Dog of Three Heads

In Greek mythology Kerberos, also known as Cerberus, was the hound of Hades who guarded the gates and ensured that the dead could not leave and the living could not enter.

In computer terms Kerberos is a protocol that allows users to prove their identity on a network in a secure manner without ever having to send your password over the network. This means that even if your log-on is intercepted by a third party they cannot pretend to be you.

That’s all well and good in the insecure world of the Internet but what benefit can Kerberos have to a network of Macs that might not even be connected to the Internet? Kerberos is also the foundation of something called Single Sign-on in OS X Server and also in Microsoft’s Active Directory.

With Single Sign-on you only need to enter your password once and then you have access to all of the network resources that you are allowed to access. Instead of having to remember different passwords for each server that you access you are simply granted access straight away. Now if you were thinking that this sounds a bit like the Keychain you would be right, to an extent. With Keychain you still have all the different user names and passwords but you have a master password that unlocks them all. With Single Sign-on you have just the one user name and password so that when you change your password for one server you change it for all of those that are in the Kerberos realm.

So how do we go about setting up Single Sign-on? Kerberos is one of those bits of OS X Server that don’t get a lot of publicity but really deserve to. One of the issues with OS X Server giving you so much in the box, as opposed to Windows Server 2003 for example, is that few people really do more than scratch the surface of what it is capable of. In the Windows world you but Windows Server which is the bedrock and then on that you build the server that you want buy buying the bits that you want such as a mail server, a database, collaboration and messaging tools or system management. With OS X you get all of that in the box at no extra charge. If you don’t pay for something then subconsciously you don’t perceive it as having any value and so you don’t go looking for ways to use it. If you have paid good money for an extra feature then you make darned sure that you use it.

If you have OS X Server you have all of the tools necessary to set up Kerberos but first you need to configure a good few other things that come in the box. You need to have a working DNS on your network and you probably ought to have Open Directory set-up as well and you definitely need to ensure that all of your Macs have the same date and time, usually by making sure that they have access to the same time server.

If you are thinking that all of that sounds horribly complicated you would be right, a lot of it is but there are great benefits to having a proper network rather than just a bunch of computers that are connected together. As Mac users we are used to managing our own systems, treating each of them as a separate entity rather than as part of the whole network. In the Windows world it is the opposite. On a Windows network you almost always have systems that are managed centrally and consistently, and you can connect to any server that you have the right to access straight away without having to retype passwords etc. Your Mac becomes a much more powerful tool when it is part of a managed network. As well as having Single Sign-on you can hot desk, logging on to any computer on the network that you are authorised to access and getting your desktop and documents presented to you as if you were on the same computer that you always use. If you have a fault and need to replace your computer you don’t have to worry about copying all of your data over as it is held on the network, all your preferences and even your desktop picture.

If you have a Mac running OS X Server look into all of the other things that it can do besides just being a simple file server. If you have more than one server you absolutely need to look at tying them together to make life easier for your users.

Comment on this post

This site uses Akismet to reduce spam. Learn how your comment data is processed.