A little more about Kerberos in 10.5: Interestingly, now in Leopard, each and every 10.5 machine is a Kerberos server. In some ways, very cool. Kerberos on its own is a pretty big topic. My fear is that while it's operating as expected, it's going to catch some people by surprise.
In a non-technical nutshell, when a Kerberos-enabled client, connects to my Leopard machine, my machine grants the client a ticket. By default this ticket is good for 10 hours. This ticket enables said client to access resources, such as screen sharing and file sharing without needing a password. The password is given once to obtain the ticket, and from that point on, the ticket is enough to grant access.
This is great when I eject a remote volume and realize, "oops - I needed one more file!" Apple-K, press return and I'm back in, no password needed. Makes my life easier.
However, let's take the scenario where I may be using someone else's Leopard-based machine, and I need to copy a file from my Leopard machine to theirs. I connect to file sharing - giving me a ticket in the process - mount the remote disk, copy the file, and unmount ("eject") it. They have the file, I say goodbye.
The issue is this: there's now a ticket on that machine that will allow access to my machine without requiring that user to eneter a password. It will 'just connect.' For 10 hours!
Now, this is behavior as expected, and one of the benefits of Kerberos. Just don't get bitten!
The easiest way to deal with this is to remember to destroy the ticket on the remote machine. There is a very nicely designed "Kerberos.app" buried waaaaay down. Find it at:
/System/Library/CoreServices/Kerberos.app
Just highlight the ticket, and click on the "destroy" icon. This can also be accomplished via the command line, using the "kdestroy" command.
Surprise! You've been kerberized!
