OS X: which domain a user / system belongs to, and LKDC



Recently, while improving an earlier script, I extended it so that it determines which authentication domain the logged-in user belongs to and then automatically mounts all of that department's shared resources at login, which is convenient for users. In my environment a domain is one of three kinds: AD (Microsoft's Active Directory directory service), OD (Apple's Open Directory directory service) and Local (the local login service). Previously only the simple case was considered: the only local account is one particular administrator, every other user is an AD network user, the machine is configured with the AD authentication plug-in, and Mobile accounts are not enabled. Under those assumptions, deciding which domain a user belongs to can be as simple as the following command:

dscl . list /Users/$userName
This command looks the user up in the local user database; if the record is found, the user is a local user.

The problem is that once the Mobile account option is enabled, a user from one of the other domains gets a record created in the local user database the first time they log in. The Mobile option means that every user who has ever logged in on this machine can log in again without any other authentication service being reachable: the user can take the computer home or travel for work, or log in while the network is down. As a result, the command above misjudges such a user as a local user.

The fix is actually simple: for example, checking whether the user belongs to a group of the specific directory service also gives a correct answer.

However, searching online turned up more about how the OS X authentication commands are used and how the mechanism works internally, so I am recording it here to organize my thoughts.


Since 10.5, Apple has included a new authentication mechanism, a simple one-to-one Single-Sign-On (SSO) service between Apple computers: the Local KDC, or LKDC for short.

The role of a KDC and the details of the Kerberos protocol's authentication mechanism are widely documented online; the most authoritative source is of course MIT's official site.

Every Mac has its own KDC (Key Distribution Center). When a user wants to access a service on the machine, the client asks the KDC, and the KDC, based on the user's credentials, issues a ticket (a session key wrapped for that service) that is then used to access the service.

When an OS X system is first initialized, it generates a certificate for the computer; the certificate can be found in the System keychain, as shown below. The certificate is identified by its SHA-1 fingerprint (SHA-1 is a hash, not encryption).

At the bottom of the com.apple.kerberos.kdc certificate in the keychain, under Fingerprints, you can see the SHA-1 fingerprint of the certificate as a string of hex characters.

On the command line, how do you find it? Since local users are authenticated locally, the information should be present in the user record, so look there:
dscl . read /Users/$(users)
(Note that `users` lists every logged-in user; substitute a single short name if more than one user is logged in.)

It is easy to see that the AuthenticationAuthority attribute carries the relevant information, so:
dscl . read /Users/$(users) AuthenticationAuthority | grep $(users)@LKDC:
The command above can be used to verify whether a user authenticates locally: a local account has a Kerberos principal in the LKDC realm (user@LKDC:SHA1.<fingerprint>), whereas a mobile account cached from AD or OD keeps a principal in its own realm.
Limitation of this method: as the analysis above shows, it only applies to OS X 10.5 and later, i.e. systems that support LKDC.
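As an added example (not code from the original post), the following POSIX shell script applies the check above to the AuthenticationAuthority value and tells a true local account apart from a mobile (cached AD/OD) account, which the plain `dscl . list` test confused. The function names classify_auth_authority and classify_user are mine, and the three sample attribute values are constructed: the fingerprint and SID are placeholders, and the realm and node names follow this post's example domains.

```shell
#!/bin/sh
# Added example (not from the original post): classify a user account from the
# AuthenticationAuthority attribute of its record in the local node, i.e. what
# `dscl . -read /Users/<name> AuthenticationAuthority` prints.
#
#   local   - created on this Mac: has a principal in the LKDC realm
#             (<name>@LKDC:SHA1.<fingerprint of com.apple.kerberos.kdc>)
#   mobile  - cached copy of an AD/OD account: carries a LocalCachedUser entry
#   network - Kerberos principal in some other realm and no cache marker
#   unknown - nothing recognisable (e.g. empty input)
classify_auth_authority() {
    case "$1" in
        *";LocalCachedUser;"*) echo mobile ;;   # first: a cached account must not pass as local
        *"@LKDC:SHA1."*)       echo local ;;
        *";Kerberosv5;;"*)     echo network ;;
        *";ShadowHash;"*)      echo local ;;    # local record without an LKDC principal
        *)                     echo unknown ;;
    esac
}

# Look a short name up in the local node (/Local/Default) and classify it.
# A record that does not exist there at all can only be a pure network user.
classify_user() {
    aa=$(dscl . -read "/Users/$1" AuthenticationAuthority 2>/dev/null) || { echo network; return 0; }
    classify_auth_authority "$aa"
}

# Constructed sample values for offline testing (not captured from a real
# system): placeholder SHA-1 fingerprint and SID, realms from the post's domains.
LOCAL_AA='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;jdoe@LKDC:SHA1.0123456789ABCDEF0123456789ABCDEF01234567;LKDC:SHA1.0123456789ABCDEF0123456789ABCDEF01234567;'
MOBILE_AA='AuthenticationAuthority: ;Kerberosv5;;jsmith@EDU.EBC.COM;EDU.EBC.COM; ;LocalCachedUser;/Active Directory/EDU/All Domains:jsmith:S-1-5-21-0-0-0-1234;'
NETWORK_AA='AuthenticationAuthority: ;Kerberosv5;;odadmin@S379EES2.EDU.EBC.COM;S379EES2.EDU.EBC.COM;'

# Usage on a real Mac, for the user who owns the console session:
#   classify_user "$(stat -f %Su /dev/console)"
```

The LocalCachedUser marker is tested before the LKDC one on purpose: the order of the patterns is what keeps a mobile account from being reported as local, which is exactly the misjudgement the `dscl . list` approach suffered from.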

Uses of LKDC:

OD uses the machine's own LKDC certificate when managing computer accounts. When a machine is added to OD, the machine name is used at join time, but Apple's OD also records the machine's LKDC certificate. For example, laptopA's computer account in OD has these records:

1) laptopA$
2) laptopA.local$
3) LKDC:SHA1.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx$
The last one is the LKDC certificate. This can cause a problem: for example, if the internal system image is deployed by cloning and applied to another machine, both machines end up with the same LKDC certificate. When the second, identical machine joins OD, even though the two machines use different names, OD reports an error that a machine with that LKDC certificate has already joined. This certificate is the very same com.apple.kerberos.kdc certificate we saw above.

To solve this, delete the existing LKDC database with the following command (as root) and reboot; the system then generates a new KDC and a new certificate. Better still, remove it from the master image before cloning, so every deployed machine gets its own certificate on first boot.
rm -fr /var/db/krb5kdc

LKDC is not only used for this. After you sign in with your Apple ID / iCloud account, OS X uses the LKDC certificate to establish an encrypted IPsec connection, so that ad hoc peer-to-peer sessions can be set up over wide-area Bonjour. This is not limited to screen sharing and file sharing: remote control of your Mac by another user, offered since MobileMe, associates the Mac with a MobileMe/iCloud account, after which the owner of that MobileMe/iCloud account can connect to the Mac.

Finding all the domains:
Recall the Golden Triangle architecture mentioned before, the AD-OD-Client architecture, in which AD authenticates users and OD provides the framework for user/computer configuration management. For Macs, user authentication most commonly uses the three domains AD, OD and Local; other Linux/Unix LDAPv3 implementations follow the same principle, but I have no such environment, so only the three above were tested. These three domains are combined in different ways in different network environments for client management: AD alone, AD + Local (Mobile users), OD alone (an Apple-only network), OD + Local, AD + OD, AD + OD + Local, and so on; the administrator chooses according to the management requirements and the network environment.
Even in the same network environment, different approaches may be used depending on the management needs. So in practice, how can you get a general picture of the domains the current computer is connected to?
Through trial and error: `odutil show nodeNames` lists the name of every domain node, and `dscl` can then be used to query each of those nodes in turn.

The following is a fairly common AD + OD + Local node example:


Name                                      State  Refs Type         External Locked Hidden 
----------------------------------------- ------ ---- ------------ -------- ------ ------ 
/Active Directory                         Online 2                          X      X      
/Active Directory/EDU                     Online 14                                       
/Active Directory/EDU/All Domains         Online 17   Virtual node                        
/Active Directory/EDU/Global Catalog      Online 18   Virtual node                 X      
/Active Directory/EDU/ebc.bc.com                 2    Virtual node                 X      
/Active Directory/EDU/edu.ebc.com         Online 15   Virtual node                 X      
/Active Directory/EDU/org.ebc.com         Online 5    Virtual node                 X      
/Active Directory/EDU/public.ebc.com             2
/Active Directory/EDU/tss.ebc.com                2    Virtual node                 X      
/Configure                                Online 1                          X      X      
/Contacts                                 Online 3                                        
/LDAPv3                                   Online 2                          X      X      
/LDAPv3/S379ees2.edu.ebc.com              Online 15                                       
/Local                                           2                          X      X      
/Local/Default                            Online 30                         X             
/NIS                                             1                          X      X      
/Search                                   Online 39                                       
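As an added example (not from the original post), the following POSIX shell script parses the `odutil show nodenames` table shown above, keeps the online, non-hidden nodes worth querying (dropping the /Search, /Configure and /Contacts service nodes), and then asks `dscl` on each remaining node for a user. The function names are mine, and the sample table is a reconstruction of the one above built with printf so that the parser can be run offline:

```shell
#!/bin/sh
# Added example (not from the original post): find which directory node(s)
# hold a given user by walking the node list from `odutil show nodenames`.

# Read the odutil table on stdin and print one node path per line.
# The dash row (line 2) defines the column offsets, which matters because
# node names such as "/Active Directory/EDU" contain spaces.
list_query_nodes() {
    awk '
    NR == 2 {
        n = split($0, dashes, " ")
        pos = 1
        for (i = 1; i <= n; i++) { start[i] = pos; width[i] = length(dashes[i]); pos += width[i] + 1 }
        next
    }
    NR > 2 && $0 ~ /^\// {
        name   = substr($0, start[1], width[1]); sub(/ +$/, "", name)
        state  = substr($0, start[2], width[2]); sub(/ +$/, "", state)   # State column
        hidden = substr($0, start[7], width[7]); sub(/ +$/, "", hidden)  # Hidden column
        if (state != "Online" || hidden == "X") next
        if (name == "/Search" || name == "/Configure" || name == "/Contacts") next
        print name
    }'
}

# On a real Mac: ask every candidate node whether it has a record for the user.
find_user_node() {   # usage: find_user_node <shortname>
    user="$1"
    odutil show nodenames | list_query_nodes | while IFS= read -r node; do
        if dscl "$node" -read "/Users/$user" RecordName >/dev/null 2>&1; then
            echo "$user: $node"
        fi
    done
}

# Constructed sample: the post's AD + OD + Local table, rebuilt with printf
# so the column widths match the dash row exactly.
row()  { printf '%-41s %-6s %-4s %-12s %-8s %-6s %-6s\n' "$@"; }
dash() { printf "%0${1}d" 0 | tr 0 -; }
sample_odutil_output() {
    row Name State Refs Type External Locked Hidden
    row "$(dash 41)" "$(dash 6)" "$(dash 4)" "$(dash 12)" "$(dash 8)" "$(dash 6)" "$(dash 6)"
    row "/Active Directory"                    Online 2  ""             "" X  X
    row "/Active Directory/EDU"                Online 14 ""             "" "" ""
    row "/Active Directory/EDU/All Domains"    Online 17 "Virtual node" "" "" ""
    row "/Active Directory/EDU/Global Catalog" Online 18 "Virtual node" "" "" X
    row "/Active Directory/EDU/ebc.bc.com"     ""     2  "Virtual node" "" "" X
    row "/Active Directory/EDU/edu.ebc.com"    Online 15 "Virtual node" "" "" X
    row "/Active Directory/EDU/org.ebc.com"    Online 5  "Virtual node" "" "" X
    row "/Active Directory/EDU/public.ebc.com" ""     2  ""             "" "" ""
    row "/Active Directory/EDU/tss.ebc.com"    ""     2  "Virtual node" "" "" X
    row /Configure                             Online 1  ""             "" X  X
    row /Contacts                              Online 3  ""             "" "" ""
    row /LDAPv3                                Online 2  ""             "" X  X
    row /LDAPv3/S379ees2.edu.ebc.com           Online 15 ""             "" "" ""
    row /Local                                 ""     2  ""             "" X  X
    row /Local/Default                         Online 30 ""             "" X  ""
    row /NIS                                   ""     1  ""             "" X  X
    row /Search                                Online 39 ""             "" "" ""
}
sample_query_nodes() { sample_odutil_output | list_query_nodes; }
```

On the sample table this yields /Active Directory/EDU, /Active Directory/EDU/All Domains, /LDAPv3/S379ees2.edu.ebc.com and /Local/Default. If the order in which the system itself consults nodes matters (for instance to know which record wins when a short name exists in two domains), `dscl /Search -read / CSPSearchPath` prints the configured search order.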

LKDC question:

Peer-To-Peer Kerberos:


Back to My Mac: http://en.wikipedia.org/wiki/Back_to_My_Mac


Posted by Sabrina at December 22, 2013 - 9:43 AM