Services for Macintosh |
With Windows 2000 Server and Services for Macintosh, network security is enforced for Macintosh users in the same way it is enforced for Windows 2000 users. The same user accounts and passwords are used by Windows 2000 and Macintosh.
Macintosh users are logged on to a computer that is running Windows 2000 Server through one of the three following authentication schemes:
With Services for Macintosh, you can set up guest users and allow users who do not have domain or workgroup accounts to log on to the server that is using a Macintosh. With the Windows 2000 guest account, you can specify what access to resources a guest user is allowed; administrators usually grant guest users fewer permissions than users who have accounts on the server. If the guest logon option is enabled, the server always approves the logon request without requiring a password.
Cleartext password protection is part of the AppleShare client software on Macintosh computers. It provides less security than encrypted passwords because the password is sent over the network as cleartext, which is vulnerable to detection by sniffers. Cleartext password protection is offered for Macintosh users who use the standard AppleShare client software or System 7 Filing sharing.
Note
If the Windows 2000–based server permits cleartext passwords, as well as encrypted passwords, the Macintosh switches automatically to the encrypted authentication method.
Services for Macintosh offers two encryption methods to Macintosh clients.
In both of the encrypted password authentication schemes, the password itself is never sent over the network. Instead, the server provides a random number and the password is applied to the random number as an encryption key. The encrypted random number is sent over the network to the server. The server, which must be configured to store the user's password (or its derivative) in reversibly encrypted form, uses the password to encrypt the same random number. The two results are compared, and if both match, the user is authenticated.
Services for Macintosh does not support Kerberos authentication.
A user can log on in one of two ways:
If the user enters domain\username, the logon mechanism uses the domain that has been specified to authenticate the user.
If the user enters only username, the server first checks the local account; if it finds the correct user name, it logs the user on. If the user name is not found, the server checks the primary domain account (the domain for the server). If this fails, the server checks all trusted domains to find the user name. If the user name occurs in more than one trusted domain, the server logs on to the first domain in which it finds the user name, which might or might not be the wanted account.
Services for Macintosh uses the same user accounts database as the Windows 2000–based server or its domain. Therefore, if you already have Windows 2000 Server accounts for the people who are using Macintosh computers on the network, you do not have to create additional accounts. You must create accounts only for users who do not already have accounts on the computer or domain that is running Windows 2000 Server and Services for Macintosh.
One aspect of Windows 2000 Server user accounts, the user's primary group, applies only to Services for Macintosh. The user's primary group is the group the user works with most, and it should be the group with which the user has the most resource needs in common. When a user creates a folder on a server, that user becomes its owner. The owner's primary group is set as the group associated with the folder. The administrator or owner can change the group associated with the folder.