Lesson 10: Managing Local Network Accounts Flashcards
Configure local network accounts; Import local network accounts; Describe authentication types; Understand basic Kerberos infrastructure; Configure global password policy
What tool can you use to check the ability to obtain a Kerberos ticket?
Ticket Viewer is in /System/Library/CoreServices, and you can use it to confirm the ability to obtain a Kerberos ticket.
How do you import local network users from a text file with a properly formatted header line?
Choose Manage > Import Accounts from File, select the text file, choose Local Network Accounts in the pop-up menu, provide directory administrator credentials, and click Import.
What are some reasons that a client computer might not be able to use Kerberos authentication to access a service?
- The client computer might not be bound to a directory service that provides Kerberos
- The system times of the client computer and the server computer might differ by more than five minutes
- There could be a DNS configuration issue
- The service might not be configured to use Kerberos
In addition to authentication, what else can Kerberos provide?
Kerberos provides identification and authentication.
How can you disable a local network user account so that it cannot be used to access services or log in on a bound Mac?
In the User pane of the Server app, double-click the user to edit the user, and deselect the checkbox “Allow user to log in.”
What are some examples of global password policies that you can configure and that apply to users the next time they change their password?
Some examples include requiring that passwords:
- Differ from the account name
- Contain at least one letter
- Contain both uppercase and lowercase letters
- Contain at least one numeric character
- Contain a character that isn’t a letter or number
- Contain at least a given number of characters
- Differ from the last given number of passwords used
What are some examples of global password policy you can configure to disable login after certain events occur?
Some examples include disabling login:
- On a specific date
- After the account has been used a given number of times
- After the account has been inactive for a given number of days
- After a user makes a given number of failed attempts
How does a user obtain a Kerberos service ticket?
Once a user has a ticket-granting ticket, OS X automatically attempts to obtain a service ticket when a user attempts to connect to a Kerberized service.