Robert Kudyba via FreeIPA-users wrote:
> 
> 
> On Tue, Mar 16, 2021 at 3:40 PM Rob Crittenden <[email protected]> wrote:
> 
>     >     It depends on what the expectations are for these user-owned
>     machines.
>     >
>     >
>     > Only expectation is to be able to log in to a server, get access to
>     > their home directory and be able to do their assignments, e.g., C++,
>     > Java or Python programming.
>     >  
>     >
>     >     If you don't need IPA identities and IPA users won't log into
>     them, then
>     >     they only need a working krb5.conf and DNS configured on them.
>     >
>     >
>     > So each device needs to drop in the krb5.conf file from the FreeIPA
>     > server? How does this work on a Windows client?
> 
>     From the server? I wouldn't. It is likely going to need some hand-tuning
>     depending on your configuration. For example the server is going to have
>     a hardcoded KDC in it. You may or may not want that.
> 
> 
> So we have to customize the /etc/krb5.conf file that exists on the
> server for any student devices.

I mean, you don't want to use ipa-client-install which would do all of
this for you, and I understand the reasons, but it does mean some
additional work on your part.

I don't know your network so at most I can make general suggestions, not
provide you a full configuration.

In retrospect the default krb5.conf that ships on Fedora provides for
includes. I think this is probably your best bet: provide an IPA
configuration that resides there and it should co-exist pretty easily
with any other configuration.

I'm not completely sure about the order of loading and which
configuration "wins" when there is conflict. The man page is the place
to look.

And kcm_default_ccache has instructions on how to enable/run sssd-kcm so
that this should work out-of-the-box. That is probably better than
having students comment it out, unless you can control the order of what
"wins" when there is conflicting configuration.

>  
> 
>     >
>     >     So your students would log into their own controlled machine
>     using their
>     >     own local account, kinit [email protected] and
>     ssh using their
>     >     credentials.
>     >
>     >     The krb5.conf will tell the student machine how to contact the
>     KDC.
>     >     That's all that is necessary (beyond working DNS).
>     >
>     >
>     > I just tried this on another Fedora 33 workstation, dropped in the
>     > /etc/krb5.conf file and all I get is:
>     > kinit: No KCM server found while getting default ccache
> 
>     You can comment the values out in /etc/krb5.conf.d/kcm_default_ccache to
>     change the default ccache type, or comment out the includes in krb5.conf
>     (probably easier).
> 
> 
> OK now I can get any Fedora client to kinit and then ssh.

See above for perhaps a less hacky approach than I originally suggested.

> 
>     > I'm puzzled as to what we'd need to tell/provide to a student, who is
>     > enrolled remotely and can't come on campus, to be able to connect
>     to our
>     > server via their Windows or Mac laptop. 
> 
>     I don't know about Windows. I used the Windows MIT Kerberos packages a
>     decade or more ago and they worked fine with PuTTY (and IPA with
>     discovery) but whether that applies now or not I have no idea.
> 
>     Mac I think should work similar to Linux: provide a krb5.conf and things
>     should just work. Again, you'll likely have to tweak the configuration
>     depending on what version of MIT Mac ships these days.
> 
> 
> kinit --version
> 
> kinit (Heimdal 1.5.1apple1)
> 
>  
> So my first test with the server krb5.conf file copied into /etc:
> 
> kinit: krb5_get_init_creds: unable to reach any KDC in realm
> OURDOMAIN.EDU, tried 0 KDCs
> 
> 
> So the first suggestion <https://apple.stackexchange.com/a/273064> I
> found was to preface kdc = tcp
> 
> Then I made sure the firewall on the Mac was disabled. I also added the
> test IPA server & IP into /etc/hosts. I can ping it successfully.
> 
> What else needs to change?

It's difficult to troubleshoot in a void. I don't know your network
configuration nor what krb5.conf you're using. It sure looks like
discovery of the KDC over DNS failed.

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
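As an added example, not code from the thread above and not part of FreeIPA's own tooling: a small POSIX shell script that writes the kind of krb5.conf drop-in Rob suggests placing under the includedir that Fedora's default /etc/krb5.conf names, and that checks what DNS actually advertises for the realm. The drop-in carries an explicit kdc entry, so kinit no longer depends on the DNS SRV discovery that failed on the Mac ("tried 0 KDCs"). The realm OURDOMAIN.EDU comes from the thread; the KDC hostname ipa.ourdomain.edu, the drop-in file name and the sample dig output in the test are assumptions made for the example. One detail worth knowing from krb5.conf(5): an includedir only picks up files whose names consist of alphanumerics, dashes and underscores, so the realm's dots are replaced before the file name is built.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: write a krb5.conf
# drop-in for an IPA realm on a machine that is NOT enrolled with
# ipa-client-install, and check what DNS advertises for the realm's KDCs.
# Assumptions: realm OURDOMAIN.EDU (from the thread), KDC host
# ipa.ourdomain.edu (assumed), drop-in directory /etc/krb5.conf.d (the
# directory Fedora's default /etc/krb5.conf names in its includedir line).
set -u

# write_dropin REALM KDC_HOST [DIR]
# Writes DIR/ipa-<realm> with an explicit kdc entry, so kinit can find the KDC
# even when DNS SRV discovery fails ("unable to reach any KDC ... tried 0 KDCs").
# krb5.conf(5) only includes files whose names are alphanumerics, dashes and
# underscores, so the realm's dots are replaced before it is used as a name.
# Prints the path that was written.
write_dropin() {
  realm=$1
  kdc=$2
  dir=${3:-/etc/krb5.conf.d}
  lc_realm=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
  out="$dir/ipa-$(printf '%s' "$lc_realm" | tr '.' '_')"
  mkdir -p "$dir"
  cat > "$out" <<EOF
# IPA realm $realm; picked up through "includedir $dir" in /etc/krb5.conf.
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true
    dns_lookup_realm = false
    rdns = false

[realms]
    $realm = {
        kdc = $kdc:88
        admin_server = $kdc:749
    }

[domain_realm]
    .$lc_realm = $realm
    $lc_realm = $realm
EOF
  printf '%s\n' "$out"
}

# parse_srv: reads 'dig +short SRV' lines ("priority weight port target.") on
# stdin and prints "host port" per line, lowest priority first, trailing dot
# removed. Pure text processing, so it can be exercised offline.
parse_srv() {
  sort -n -k1,1 | awk 'NF >= 4 { sub(/\.$/, "", $4); print $4, $3 }'
}

# discover_kdcs REALM: KDCs advertised in DNS for the realm (needs network and
# dig). Empty output means SRV-based discovery would fail on this machine.
discover_kdcs() {
  dig +short SRV "_kerberos._udp.$1" 2>/dev/null | parse_srv
}

# probe_kdc HOST PORT: succeeds if a TCP connection to the KDC port opens
# (Kerberos listens on port 88; TCP is the transport the Mac workaround forced).
probe_kdc() {
  nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Only act when invoked with arguments: ./krb5-dropin.sh REALM KDC_HOST [DIR]
if [ "$#" -ge 2 ]; then
  path=$(write_dropin "$1" "$2" "${3:-/etc/krb5.conf.d}")
  echo "wrote $path"
  echo "KDCs advertised in DNS for $1 (empty means SRV discovery would fail):"
  discover_kdcs "$1"
  if probe_kdc "$2" 88; then
    echo "TCP port 88 on $2 is reachable"
  else
    echo "cannot reach $2 on TCP port 88; check DNS, /etc/hosts and firewalls" >&2
  fi
else
  echo "usage: $0 REALM KDC_HOST [DROPIN_DIR]" >&2
fi
```

On a Fedora client the script can be run as root with the default directory; on the Mac the same file can be written to /etc/krb5.conf (or an includedir, if that build's krb5.conf has one), since Heimdal reads the same [realms] syntax. The drop-in deliberately leaves default_ccache_name alone, so the "No KCM server found" error is still handled one of the two ways discussed above: enable sssd-kcm following the instructions in Fedora's kcm_default_ccache file, or comment that file out.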
