I had to configure /etc/krb5.conf, and to avoid the requested reboot, I
did a "dscacheutil -flushcache", both as the logged in user and as root.
I tried enabling the anonymous bind and now also the directory browser
(and all the login process) works as expected.
Nicola
Il 21/12/15 17:39, Cal Sawyer ha scritto:
Thanks, John and Nicola
Kerberos occurred to me as well late in the day yesterday. Happily
(?), knit works fine simply specifying the user in question with no
need to suffix with the kerberos realm
I did find that my test user had an expired password, which i fixed on
the IPA server. This was never flagged up under Linux, btw. It has
not change anything, however, other than not prompting for password
changes that never take effect. Funnily, it expired in the midst of
testing - fun.
I was mistaken when i said i was unable to log in - it turns out that
it takes almost 10 minutes for a login from the frintend to complete -
i just didn't wait long enough. 10 mins is of course unacceptable :)
"su - user" and "login user" fail outright after rejecting accept any
user's password
DNS is fine and i can resolve ldap and kerberos SRV records from the Mac
In line with Nicola's experience, i can browse groups and users in the
Directory Editor and all attributes appear spot on.
Besides modding /etc/pam.d/authorization, adding a corrected
edu.mit.kerberos to /LibraryPreferences and setting up the directory
per linsec.ca, can anyone think of something i may have missed? It's
a real shame that the documentation on this stops around 5 years ago.
IPA devs: is there anything i should be on the lookout for in the
dirsrv or krb5 logs on the IPA master? I've disabled the secondary to
prevent replication from clouding the log events
thanks, everyone
Cal Sawyer | Systems Engineer | BlueBolt Ltd
15-16 Margaret Street | London W1W 8RW
+44 (0)20 7637 5575 |www.blue-bolt.com
On 21/12/15 07:57, Nicola Canepa wrote:
Hello, I tried 2 weeks ago from Mavericks (OSX 10.9), but I had the
opposite problem: kinit works fine, while I'm unable to see users
with Directory Admin ((it always says it cant' connect, either with
or without SSL)
I disabled anonymous searches in 389-ds, by the way.
Nicola
Il 21/12/15 07:50, John Obaterspok ha scritto:
Hi Cal,
Does a kinit work from a terminal? Does it work if you use "kinit
user" or just if you use "kinit user@REALM.suffix"
-- john
2015-12-20 15:09 GMT+01:00 Cal Sawyer <ca...@blue-bolt.com
<mailto:ca...@blue-bolt.com>>:
Hi, all
I'm attempting to set up LDAP auth (against IPA server 4.10)
from a OSX 10.10.5 (Yosemite) client
Using the excellent instructions at
http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8%20%22Linsec.ca%20tutorial%20for%20connecting%20Mac%20OS%2010.7%20to%20IPA%20Server,
I've populated the specified files, d/l'd the cert, am able to
configure Users and Groups objects/attribs and browse both from
within OSX's Directory Utility. ldapsearch similarly returns the
expected results.
In spite of this, i'm unable to authenticate as any IPA-LDAP
user on this system
dirsrv log on the ipa master shows no apparent errors - remote
auth attempts exit with "RESULT err=0 tag=101 nentries=1
etime=0", but tell the truth, there so much stuff there and
being rather inexperienced with LDAP diags i might easily be
missing something in the details
The linsec.ca <http://linsec.ca> instructions were written in
the 10.7-10.8 era so something may have changed since. Having
said that, we've had no problems authenticating against our
existing OpenLDAP server (which IPA is slated to replace) right
up to 10.10.5 with no zero to our Directory Utility setup.
Hoping someone here has some contemporary experience with OSX
and IPA and for whom this issue rings a bell?
many thanks
Cal Sawyer | Systems Engineer | BlueBolt Ltd
15-16 Margaret Street | London W1W 8RW
+44 (0)20 7637 5575 <tel:%2B44%20%280%2920%207637%205575> |
www.blue-bolt.com <http://www.blue-bolt.com>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
Nicola Canepa
Tel: +39-0522-399-3474
canep...@mmfg.it
---
Il contenuto della presente comunicazione è riservato e destinato
esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona
diversa dal destinatario sono proibite la diffusione, la distribuzione e la
copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e
di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati
contenuti. La presente comunicazione (comprensiva dei documenti allegati) non
avrà valore di proposta contrattuale e/o accettazione di proposte provenienti
dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti,
nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può
validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a
ns. carico, se la presente non sia seguita da contratto sottoscritto dalle
parti.
The content of the above communication is strictly confidential and reserved
solely for the referred addressees. In the event of receipt by persons
different from the addressee, copying, alteration and distribution are
forbidden. If received by mistake we ask you to inform us and to destroy and/or
delete from your computer without using the data herein contained. The present
message (eventual annexes inclusive) shall not be considered a contractual
proposal and/or acceptance of offer from the addressee, nor waiver recognizance
of rights, debts and/or credits, nor shall it be binding when not executed as
a subsequent agreement by persons who could lawfully represent us. No
pre-contractual liability shall apply to us when the present communication is
not followed by any binding agreement between the parties.
--
Nicola Canepa
Tel: +39-0522-399-3474
canep...@mmfg.it
---
Il contenuto della presente comunicazione è riservato e destinato
esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona
diversa dal destinatario sono proibite la diffusione, la distribuzione e la
copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e
di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati
contenuti. La presente comunicazione (comprensiva dei documenti allegati) non
avrà valore di proposta contrattuale e/o accettazione di proposte provenienti
dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti,
nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può
validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a
ns. carico, se la presente non sia seguita da contratto sottoscritto dalle
parti.
The content of the above communication is strictly confidential and reserved
solely for the referred addressees. In the event of receipt by persons
different from the addressee, copying, alteration and distribution are
forbidden. If received by mistake we ask you to inform us and to destroy and/or
delete from your computer without using the data herein contained. The present
message (eventual annexes inclusive) shall not be considered a contractual
proposal and/or acceptance of offer from the addressee, nor waiver recognizance
of rights, debts and/or credits, nor shall it be binding when not executed as
a subsequent agreement by persons who could lawfully represent us. No
pre-contractual liability shall apply to us when the present communication is
not followed by any binding agreement between the parties.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
