Note.

The GSSAPI attempts from the Mac side are only attempted when a binddn
(security -> "use authentication when connecting") account is provided.
Otherwise I suspect it's unable to even work out what type of GSSAPI
transaction to attempt.

On 19 September 2017 at 15:19, David Harvey <davidchar...@googlemail.com>
wrote:

> Some edits and expansion on my previous attempt to post...
>
> Free IPA 4.4.3
> Mac OSX 10.12
>
> Thanks for all the hard work on this, I've been enjoying an almost
> functional setup for the last week but have been tearing my hair out with
> making GSSAPI behave.
>
> What I have found so far using the config instructions - may be error-prone
> now given the number of combinations tried!
>
> Anonymous bind enabled on freeipa: Works if you also specify a real user
> in the Directory Utility auth section
> RootDSE only enabled on freeipa: Works if you also specify a real user
> in the Directory Utility auth section (not a service account)
> No anonymous binds: Will not play at all.
>
>
> Now the thing that is really throwing me is that GSSAPI ldapsearch works
> just fine from the command line (using -Y GSSAPI) but Directory Utility
> seems unable to use these credentials.
> I'm totally unsure if this is an OS limitation (as the login screen
> wouldn't have any creds until a user has typed them) or if I've managed to
> screw something up.
> From browsing my LDAP access logs it looks like only conventional binds
> are attempted regardless. On the Mac side, it did until recently still
> mention GSSAPI attempts (when anonymous LDAP is disabled), although these
> couldn't be found in the LDAP log. It feels like the Mac client is unable
> to work out how to present the krb credential due to a mapping issue or DNS
> discovery issue (both my IPA servers have RDNS entries).
>
> Other notable log entries on the Mac side are "failed to retrieve
> password for credential" and "failed to retrieve server schema". These
> both occur under the rootdse-only LDAP config.
>
> I'd like to be in a position where I can either have a very reduced access
> LDAP user enabled on all Mac clients, or that they can harness the host or
> user keytab in order to require no special LDAP credentials of their own.
>
> Most of all I suppose I want to know what should work, or be workable!
>
> Hope this makes sense, and thanks in advance,
>
> David
>
> p.s. I'm still not sure if I've managed to join this list, so subject to
> moderation, and I might require an explicit reply-to in order to get
> responses!
>
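The thread's diagnostic question is whether the Mac client's GSSAPI binds ever reach the 389-ds server, or whether only simple and anonymous binds show up in the access log. The following is an added example, not code from the thread or from FreeIPA: it classifies BIND lines in a 389-ds access log (anonymous, simple, or SASL with its mechanism), pairs each with its RESULT err code, and reports whether any GSSAPI bind completed. The log lines, dn values and connection ids are constructed samples; err=14 is "SASL bind in progress" and err=48 is inappropriateAuthentication, as returned when anonymous binds are disabled.

```python
import re
from collections import Counter

# Constructed sample access log lines (not taken from the thread); dn values and conn ids are placeholders.
SAMPLE_ACCESS_LOG = """\
[19/Sep/2017:15:19:01.000000001 +0100] conn=101 op=0 BIND dn="" method=128 version=3
[19/Sep/2017:15:19:01.000000002 +0100] conn=101 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[19/Sep/2017:15:19:02.000000001 +0100] conn=102 op=0 BIND dn="uid=dirutil,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[19/Sep/2017:15:19:02.000000002 +0100] conn=102 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=dirutil,cn=users,cn=accounts,dc=example,dc=test"
[19/Sep/2017:15:19:03.000000001 +0100] conn=103 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[19/Sep/2017:15:19:03.000000002 +0100] conn=103 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[19/Sep/2017:15:19:03.000000003 +0100] conn=103 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[19/Sep/2017:15:19:03.000000004 +0100] conn=103 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=mac01,cn=users,cn=accounts,dc=example,dc=test"
[19/Sep/2017:15:19:04.000000001 +0100] conn=104 op=0 BIND dn="" method=128 version=3
[19/Sep/2017:15:19:04.000000002 +0100] conn=104 op=0 RESULT err=48 tag=97 nentries=0 etime=0
"""

# method=128 is a simple bind; method=sasl carries the mechanism in mech=...
BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" '
                     r'method=(?P<method>\w+)(?: version=\d+)?(?: mech=(?P<mech>\w+))?')
RESULT_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)')


def parse_binds(log_text):
    """Return one record per BIND, classified by kind and paired with its RESULT err (keyed on conn/op)."""
    binds = {}
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            if m['method'] == 'sasl':
                kind = 'sasl/' + (m['mech'] or 'unknown')
            elif m['dn']:
                kind = 'simple'
            else:
                kind = 'anonymous'
            binds[(m['conn'], m['op'])] = {'conn': m['conn'], 'kind': kind, 'dn': m['dn'], 'err': None}
            continue
        m = RESULT_RE.search(line)
        if m and (m['conn'], m['op']) in binds:
            binds[(m['conn'], m['op'])]['err'] = int(m['err'])
    return list(binds.values())


def summarize_binds(log_text):
    """Count (kind, err) pairs; a multi-step GSSAPI bind shows err=14 on intermediate steps and err=0 at the end."""
    return Counter((b['kind'], b['err']) for b in parse_binds(log_text))


def gssapi_bind_completed(log_text):
    """True if at least one SASL/GSSAPI bind finished with err=0, i.e. the client really presented a Kerberos credential."""
    return any(b['kind'] == 'sasl/GSSAPI' and b['err'] == 0 for b in parse_binds(log_text))


if __name__ == '__main__':
    for (kind, err), n in sorted(summarize_binds(SAMPLE_ACCESS_LOG).items()):
        print(f'{kind:14s} err={err:<3} count={n}')
    print('GSSAPI bind completed:', gssapi_bind_completed(SAMPLE_ACCESS_LOG))
```

Run it against the real access log (typically /var/log/dirsrv/slapd-INSTANCE/access on the IPA server) to see whether the Mac's connections ever issue a method=sasl mech=GSSAPI bind or only method=128 binds.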
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org