Thanks for your response and time Jason, much appreciated. It sounds like
you in fact have almost the opposite symptoms to me, how strange!
I did find that ldapsearch using -Y for GSSAPI was failing on Mac until I
sorted out the reverse DNS entries for my IPA servers. The symptom was the

Hello David,
I'm experiencing similar issues with ldapsearch command, though no issues
authenticating for logon, ssh (to linux machines), DNS updates, and
directory services. I'm confident the issue lies with MacOS.
I'm running MacOS 10.12.6 and IPA 4.5.
I'll keep digging, just wanted to let

Note.
The GSSAPI attempts from the Mac side are only attempted when a binddn
(security -> "use authentication when connecting") account is provided.
Otherwise I suspect it's unable to even work out what type of GSSAPI
transaction to attempt.

On 19 September 2017 at 15:19, David Harvey
Some edits and expansion on my previous attempt to post...
Free IPA 4.4.3
Mac OSX 10.12
Thanks for all the hard work on this, I've been enjoying an almost
functional setup for the last week but have been tearing my hair out with
making GSSAPI behave.
What I have found so far using the config

We run almost the exact same setup... Which is sufficient, but not as
great as it could be (Basically the password changing issues you've
noted). We've also noticed that a single bad login attempt gets counted
multiple times on the IPA server, so you can get locked accounts quicker
than