On Tue, Mar 16, 2021 at 3:40 PM Rob Crittenden <[email protected]> wrote:

> > It depends on what the expectations are for these user-owned machines.
> >
> > Only expectation is to be able to log in to a server, get access to
> > their home directory and be able to do their assignments, e.g., C++,
> > Java or Python programming.
> >
> > If you don't need IPA identities and IPA users won't log into them, then
> > they only need a working krb5.conf and DNS configured on them.
> >
> > So each device needs to drop in the krb5.conf file from the FreeIPA
> > server? How does this work on a Windows client?
>
> From the server? I wouldn't. It is likely going to need some hand-tuning
> depending on your configuration. For example the server is going to have
> a hardcoded KDC in it. You may or may not want that.

So we have to customize the /etc/krb5.conf file that exists on the server for any student devices.

> > So your students would log into their own controlled machine using their
> > own local account, kinit [email protected]
> > <mailto:[email protected]> and ssh using their
> > credentials.
> >
> > The krb5.conf will tell the student machine how to contact the KDC.
> > That's all that is necessary (beyond working DNS).
> >
> > I just tried this on another Fedora 33 workstation, dropped in the
> > /etc/krb5.conf file and all I get is:
> > kinit: No KCM server found while getting default ccache
>
> You can comment the values out in /etc/krb5.conf.d/kcm_default_ccache to
> change the default ccache type, or comment out the includes in krb5.conf
> (probably easier).

OK now I can get any Fedora client to kinit and then ssh.

> > I'm puzzled as to what we'd need to tell/provide to a student, who is
> > enrolled remotely and can't come on campus, to be able to connect to our
> > server via their Windows or Mac laptop.
>
> I don't know about Windows. I used the Windows MIT Kerberos packages a
> decade or more ago and they worked fine with PuTTY (and IPA with
> discovery) but whether that applies now or not I have no idea.
>
> Mac I think should work similar to Linux: provide a krb5.conf and things
> should just work. Again, you'll likely have to tweak the configuration
> depending on what version of MIT Mac ships these days.

kinit --version
kinit (Heimdal 1.5.1apple1)

So my first test with the server krb5.conf file copied into /etc:

kinit: krb5_get_init_creds: unable to reach any KDC in realm OURDOMAIN.EDU, tried 0 KDCs

So the first suggestion <https://apple.stackexchange.com/a/273064> I found was to preface kdc = tcp

Then I made sure the firewall on the Mac was disabled. I also added the test IPA server & IP into /etc/hosts. I can ping it successfully. What else needs to change?
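The two krb5.conf adjustments raised in this thread for non-enrolled machines (commenting out the includes, and deciding whether to keep the hardcoded KDC), as an added example that is not part of the original message or of FreeIPA. The sample file, realm, host names and the `portable_krb5_conf` helper are constructed for illustration, and the `dns_discovery` option assumes the realm publishes Kerberos SRV records in DNS.

```python
import re

# Constructed sample standing in for a krb5.conf copied from the server;
# realm, host names and include paths are placeholders.
SERVER_CONF = """\
includedir /etc/krb5.conf.d/
include /etc/krb5.extra.conf

[libdefaults]
  default_realm = EXAMPLE.EDU
  dns_lookup_kdc = false

[realms]
  EXAMPLE.EDU = {
    kdc = ipa1.example.edu:88
    admin_server = ipa1.example.edu:749
  }
"""

INCLUDE = re.compile(r"^\s*include(dir)?\s")
PINNED = re.compile(r"^\s*(kdc|master_kdc|admin_server)\s*=")
LOOKUP = re.compile(r"^(\s*)dns_lookup_kdc\s*=.*$")


def portable_krb5_conf(text, dns_discovery=False):
    """Return (new_text, notes) for a krb5.conf meant for a non-enrolled client."""
    out, notes, saw_lookup = [], [], False
    for n, line in enumerate(text.splitlines(), 1):
        if INCLUDE.match(line):
            # Drop-ins such as kcm_default_ccache belong to the source host.
            out.append("# " + line)
            notes.append(f"line {n}: include commented out")
        elif dns_discovery and PINNED.match(line):
            out.append("# " + line)
            notes.append(f"line {n}: hardcoded server commented out")
        elif dns_discovery and LOOKUP.match(line):
            out.append(LOOKUP.sub(r"\g<1>dns_lookup_kdc = true", line))
            saw_lookup = True
        else:
            out.append(line)
    if dns_discovery and not saw_lookup:
        # Key was absent: add it right under [libdefaults] (or create the section).
        i = next((k for k, ln in enumerate(out) if ln.strip() == "[libdefaults]"), None)
        if i is None:
            out[:0] = ["[libdefaults]", "  dns_lookup_kdc = true", ""]
        else:
            out.insert(i + 1, "  dns_lookup_kdc = true")
    return "\n".join(out) + "\n", notes
```

Review the returned notes before handing the file to a client: with `dns_discovery=False` the hardcoded KDC stays in place, so that host must be reachable from wherever the client connects.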
