I wrote some instructions that I tested on Lion, I just haven't posted them anywhere yet.
On IPA Server:

ipa host-add --force client1.example.com
ipa host-add-managedby --hosts=ipaserver.example.com client1.example.com
ipa-getkeytab -s ipaserver.example.com -p host/client1.example.com -k /tmp/client1.keytab

Copy the keytab to /etc/krb5.keytab on the client. Ensure permissions are 600.
Use sudo ktutil -k /etc/krb5.keytab list to check the keytab.

#### client1.example.com
$ sudo ktutil -k /etc/krb5.keytab list
/etc/krb5.keytab:

Vno Type Principal Aliases
1 aes256-cts-hmac-sha1-96 host/client1.example....@example.com
1 aes128-cts-hmac-sha1-96 host/client1.example....@example.com
1 des3-cbc-sha1 host/client1.example....@example.com
1 arcfour-hmac-md5 host/client1.example....@example.com

#### /etc/krb5.conf
#### for Mac OS X 10.7 Lion (Tested on 10.7.3)
#Version 1.0

[logging]
admin_server = FILE:/var/log/krb5kdc/kadmin.log
kdc = FILE:/var/log/krb5kdc/kdc.log

[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]

###### End /etc/krb5.conf

#### In /etc/ssh_config
#### for Mac OS X 10.7 Lion (Tested on 10.7.3)
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
GSSAPIKeyExchange yes
GSSAPITrustDNS no
#### End /etc/ssh_config

#### In /etc/ssh/ssh_config
#### RHEL 6.2 w/ ipa-server 2.1.3-9
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
#### end /etc/ssh/ssh_config

Kerberos was swapped out from Snow Leopard to Lion. Lion uses Heimdal instead of Kerberos.

If you need a realms section because you are setting DNS lookups to false in krb5.conf, you have to do it like this:

[realms]
EXAMPLE.COM = {
  admin_server = tcp/ipa0.example.com:749
  default_domain = salab.redhat.com
  kdc = tcp/ipa0.example.com:88
}

If you don't do tcp/ Heimdal uses UDP by default.

Good Luck..

Brian

--
Brian Cook
Solutions Architect, Red Hat, Inc.
407-212-7079

On Mar 14, 2012, at 11:57 PM, Hagenrud Håkan wrote:

> Hello
>
> I just joined this list so please excuse if this question has been asked
>
> Is anyone out there binding mac clients (10.7.x) to IPA?
>
> I have tried it with some success. The mac-client can join the IPA domain and
> the Kerberos domain but no user from the domain can log in to the
> mac-computer. My guess is that I need to map the LDAP values from IPA with
> what the mac-client expects.
>
> Anyone?
>
> Thanks
>
> Håkan Hagenrud
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
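Added example, not part of the thread above: offline sanity checks for the client-side steps Brian describes (keytab mode 600, host principal present in the ktutil listing, and every kdc/admin_server line in a Heimdal [realms] block carrying the tcp/ prefix). The ktutil output and krb5.conf text are constructed samples using the post's placeholder hosts and realm; on a real client you would feed in `sudo ktutil -k /etc/krb5.keytab list` and /etc/krb5.conf.

```shell
# keytab_mode_ok PATH -> succeeds only if the file is exactly mode 0600
# (cut to 10 chars so a trailing '@' or '.' from xattrs/SELinux is ignored)
keytab_mode_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# keytab_has_principal LISTING PRINCIPAL -> succeeds if the ktutil listing
# contains a key for PRINCIPAL (e.g. host/client1.example.com@EXAMPLE.COM)
keytab_has_principal() {
    printf '%s\n' "$1" | grep -q "[[:space:]]$2\$"
}

# realms_use_tcp CONF_TEXT -> succeeds only if every kdc/admin_server value
# inside the [realms] section starts with tcp/ (Heimdal otherwise uses UDP).
# The kdc line in [logging] is a log path and is deliberately not checked.
realms_use_tcp() {
    bad=$(printf '%s\n' "$1" | awk -F'=' '
        /^[ \t]*\[/ { in_realms = ($0 ~ /^[ \t]*\[realms\]/); next }
        in_realms && $1 ~ /^[ \t]*(kdc|admin_server)[ \t]*$/ {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (v !~ /^tcp\//) print v
        }')
    [ -z "$bad" ]
}

# Constructed sample of a ktutil listing (placeholder host and realm)
SAMPLE_LISTING='/etc/krb5.keytab:
Vno Type Principal Aliases
1 aes256-cts-hmac-sha1-96 host/client1.example.com@EXAMPLE.COM
1 arcfour-hmac-md5 host/client1.example.com@EXAMPLE.COM'

# Constructed krb5.conf fragment with the tcp/ prefix, as the post recommends
GOOD_CONF='[logging]
kdc = FILE:/var/log/krb5kdc/kdc.log
[realms]
EXAMPLE.COM = {
  admin_server = tcp/ipa0.example.com:749
  kdc = tcp/ipa0.example.com:88
}'

# Same realm block with the prefix dropped, which Heimdal would send over UDP
BAD_CONF='[realms]
EXAMPLE.COM = {
  kdc = ipa0.example.com:88
}'

# Usage on a real client (placeholder paths):
#   realms_use_tcp "$(cat /etc/krb5.conf)" && keytab_mode_ok /etc/krb5.keytab
```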