Thanks for your response and time, Jason, much appreciated. It sounds like you in fact have almost the opposite symptoms to me, how strange! I did find that ldapsearch using -Y for GSSAPI was failing on Mac until I sorted out the reverse DNS entries for my IPA servers. The symptom was the ldapsearch error output referring to the IP of the machine rather than the hostname, even though I defined the host by name, not IP, for the command. A hosts file entry got it working as a "stop gap" before I could add my RDNS entry (I'm using Amazon Route53, so the scope for me to have screwed up the DNS is considerable). Prior to this entry I just had the DNS bits from "ipa dns-update-system-records --dry-run", but now I have 2x RDNS entries added for the main names of my IPA servers (but not yet for the ipa-ca.domain.net).
Just to confirm, are you using a bind account in order to connect with Directory Utility?

Best,
David

On 19 September 2017 at 23:16, Jason Sherrill via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hello David,
>
> I'm experiencing similar issues with the ldapsearch command, though no issues authenticating for logon, ssh (to linux machines), DNS updates, and directory services. I'm confident the issue lies with MacOS.
>
> I'm running MacOS 10.12.6 and IPA 4.5.
>
> I'll keep digging, just wanted to let you know you've been heard.
>
> - Jason
>
> On Tue, Sep 19, 2017 at 10:40 AM, David Harvey via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>> Note.
>>
>> The GSSAPI attempts from the Mac side are only attempted when a binddn (security -> "use authentication when connecting") account is provided. Otherwise I suspect it's unable to even work out what type of GSSAPI transaction to attempt.
>>
>> On 19 September 2017 at 15:19, David Harvey <davidchar...@googlemail.com> wrote:
>>> Some edits and expansion on my previous attempt to post...
>>>
>>> Free IPA 4.4.3
>>> Mac OSX 10.12
>>>
>>> Thanks for all the hard work on this, I've been enjoying an almost functional setup for the last week but have been tearing my hair out with making GSSAPI behave.
>>>
>>> What I have found so far using the config instructions - may be error prone now given the number of combinations tried!
>>>
>>> Anonymous bind enabled on freeipa: Works if you also specify a real user in the Directory Utility auth
>>> RootDSE only enabled on freeipa: Works if you also specify a real user in the Directory Utility auth section (not a service account)
>>> No anonymous binds: Will not play at all.
>>>
>>> Now the thing that is really throwing me is that GSSAPI ldapsearch works just fine from the command line (using -Y GSSAPI) but Directory Utility seems unable to use these credentials.
>>> I'm totally unsure if this is an OS limitation (as the login screen wouldn't have any creds until a user has typed them) or if I've managed to screw something up.
>>> From browsing my LDAP access logs it looks like only conventional binds are attempted regardless. On the Mac side it did until recently still mention GSSAPI attempts (when anonymous LDAP is disabled), although these couldn't be found in the LDAP log. It feels like the Mac client is unable to work out how to present the krb credential due to a mapping issue or DNS discovery issue (both my IPA servers have RDNS entries).
>>>
>>> Other notable log entries on the Mac side are "failed to retrieve password for credential" and "failed to retrieve server schema". These both occur under the rootdse only ldap config.
>>>
>>> I'd like to be in a position where I can either have a very reduced access LDAP user enabled on all Mac clients, or that they can harness the host or user keytab in order to require no special LDAP credentials of their own.
>>>
>>> Most of all I suppose I want to know what should work, or be workable!
>>>
>>> Hope this makes sense, and thanks in advance,
>>>
>>> David
>>>
>>> p.s. I'm still not sure if I've managed to join this list, so subject to moderation, and I might require an explicit reply in order to get responses!
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
> --
>
> *Jason Sherrill*
> *IT Specialist*
> Deeplocal Inc. <http://deeplocal.com/>
> mobile: 412-636-2073
> office: 412-362-0201
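David's note above that `ldapsearch -Y GSSAPI` only started working once the reverse DNS entries for the IPA servers were in place is a common pattern: a Kerberos client that canonicalises the server name through a reverse lookup builds its service principal from whatever the PTR record says, so a missing or mismatched PTR surfaces as an opaque GSSAPI failure that mentions an IP address instead of a hostname. The script below is an added example for checking that consistency before chasing the GSSAPI error; it is not code from the thread or from the FreeIPA project. The hostnames and records in it are constructed for the demonstration, and the resolver functions are injectable so the check can be exercised against those constructed records offline and against the real system resolver in use.

```python
"""Check that forward (A/AAAA) and reverse (PTR) DNS agree for a set of hosts.

Added example, not from the mailing-list thread. A server whose address has
no PTR, or whose PTR names something else, is flagged before any GSSAPI bind
is attempted, so the DNS problem is visible instead of hiding behind a
Kerberos error.
"""
import socket
from typing import Callable, Dict, List, Optional

# Resolver callables are injected so the logic can run offline in tests.
ForwardResolver = Callable[[str], List[str]]      # hostname -> list of IPs
ReverseResolver = Callable[[str], Optional[str]]  # IP -> PTR name or None


def system_forward(hostname: str) -> List[str]:
    """Forward lookup via the OS resolver; returns all A/AAAA addresses."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def system_reverse(ip: str) -> Optional[str]:
    """Reverse (PTR) lookup via the OS resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_host(hostname: str, forward: ForwardResolver = system_forward,
               reverse: ReverseResolver = system_reverse) -> Dict[str, str]:
    """Return {ip: status} for every address the hostname resolves to.

    status is one of:
      "ok"            PTR exists and names the host we started from
      "missing-ptr"   the address has no PTR record at all
      "mismatch:<n>"  PTR exists but points at a different name <n>
    """
    results: Dict[str, str] = {}
    wanted = hostname.rstrip(".").lower()
    for ip in forward(hostname):
        ptr = reverse(ip)
        if ptr is None:
            results[ip] = "missing-ptr"
        elif ptr.rstrip(".").lower() == wanted:
            results[ip] = "ok"
        else:
            results[ip] = "mismatch:" + ptr.rstrip(".").lower()
    return results


def report(hostnames: List[str], forward: ForwardResolver = system_forward,
           reverse: ReverseResolver = system_reverse) -> bool:
    """Print one line per address; True only if every address is consistent."""
    all_ok = True
    for name in hostnames:
        for ip, status in check_host(name, forward, reverse).items():
            print(f"{name:<28} {ip:<40} {status}")
            if status != "ok":
                all_ok = False
    return all_ok


# Constructed sample records (hypothetical names, documentation IP range):
# ipa1 is fully consistent, ipa2 has one address whose PTR names the CA
# alias instead of the host, ipa3 has no PTR at all.
CONSTRUCTED_A = {
    "ipa1.example.net": ["192.0.2.10"],
    "ipa2.example.net": ["192.0.2.11", "192.0.2.12"],
    "ipa3.example.net": ["192.0.2.13"],
}
CONSTRUCTED_PTR = {
    "192.0.2.10": "ipa1.example.net.",
    "192.0.2.11": "ipa2.example.net",
    "192.0.2.12": "ipa-ca.example.net",
}


def fake_forward(hostname: str) -> List[str]:
    return CONSTRUCTED_A.get(hostname, [])


def fake_reverse(ip: str) -> Optional[str]:
    return CONSTRUCTED_PTR.get(ip)


def demo() -> bool:
    """Run the check over the constructed records; returns False (ipa2, ipa3 fail)."""
    return report(sorted(CONSTRUCTED_A), fake_forward, fake_reverse)


if __name__ == "__main__":
    import sys
    # Real usage: python check_rdns.py ipa1.example.net ipa2.example.net
    names = sys.argv[1:]
    sys.exit(0 if (report(names) if names else demo()) else 1)
```

Run it against the real IPA server names to get one line per address; any `missing-ptr` or `mismatch:` line is the record to fix on the DNS side before spending time in the LDAP or Kerberos logs. The trailing dot and case are normalised so a PTR of `ipa1.example.net.` is accepted for `ipa1.example.net`.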