[Freeipa-users] Re: How to Setup FreeIPA Services for Mac OS X 10.12

2017-09-20 Thread David Harvey via FreeIPA-users
Thanks for your response and time Jason, much appreciated. It sounds like
you in fact have almost the opposite symptoms to me, how strange!
I did find that ldapsearch using -Y for GSSAPI was failing on Mac until I
sorted out the reverse DNS entries for my IPA servers.  The symptom was the
ldapsearch error output referring to the IP of the machine rather than the
hostname - even though I defined the host by name not IP for the command.
A host file entry got it working as a "stop gap", before I could add my
RDNS entry (I'm using Amazon route53 so the scope for me to have screwed up
the DNS is considerable).  Prior to this entry I just had the DNS bits from
"ipa dns-update-system-records --dry-run", but now I have 2x RDNS entries
added for the main names of my IPA servers (but not yet for the
ipa-ca.domain.net)

Just to confirm, are you using a bind account in order to connect with
Directory Utility?

Best,

David

On 19 September 2017 at 23:16, Jason Sherrill via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hello David,
>
> I'm experiencing similar issues with ldapsearch command, though no issues
> authenticating for logon, ssh (to linux machines), DNS updates, and
> directory services. I'm confident the issue lies with MacOS.
>
> I'm running MacOS 10.12.6 and IPA 4.5.
>
> I'll keep digging, just wanted to let you know you've been heard.
>
>
> - Jason
>
>
>
>
>
> On Tue, Sep 19, 2017 at 10:40 AM, David Harvey via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Note.
>>
>> The GSSAPI attempts from the Mac side are only attempted when a binddn
>> (security -> "use authentication when connecting") account is provided.
>> Otherwise I suspect it's unable to even work out what type of GSSAPI
>> transaction to attempt.
>>
>> On 19 September 2017 at 15:19, David Harvey 
>> wrote:
>>
>>> Some edits and expansion on my previous attempt to post...
>>>
>>> Free IPA 4.4.3
>>> Mac OSX 10.12
>>>
>>> Thanks for all the hard work on this, I've been enjoying an almost
>>> functional setup for the last week but have been tearing my hair out with
>>> making GSSAPI behave.
>>>
>>> What I have found so far using the config instructions - may be error
>>> prone now as the number of combinations tried!
>>>
>>> Anonymous bind enabled on FreeIPA: works if you also specify a real
>>> user in the Directory Utility auth section.
>>> RootDSE only enabled on FreeIPA: works if you also specify a real
>>> user in the Directory Utility auth section (not a service account).
>>> No anonymous binds: will not play at all.
>>>
>>>
>>> Now the thing that is really throwing me, is that GSSAPI ldapsearch
>>> works just fine from the command line (using -Y GSSAPI) but  directory
>>> utility seems unable to use these credentials.
>>> I'm totally unsure if this is an OS limitation (as the login screen
>>> wouldn't have any creds until a user has typed them) or if I've managed to
>>> screw something up.
>>> From browsing my LDAP access logs it looks like only conventional binds
>>> are attempted regardless. On the Mac side it did, until recently, still
>>> mention GSSAPI attempts (when anonymous LDAP is disabled), although these
>>> couldn't be found in the LDAP log.  It feels like the Mac client is unable
>>> to work out how to present the krb credential due to a mapping issue or DNS
>>> discovery issue (both my IPA servers have RDNS entries).
>>>
>>> Other notable log entries on the Mac side are " failed to retrieve
>>> password for credential", and "failed to retrieve server schema". These
>>> both occur under the rootdse only ldap config.
>>>
>>> I'd like to be in a position where I can either have a very reduced
>>> access LDAP user enabled on all Mac clients, or that they can harness the
>>> host or user keytab in order to require no special LDAP credentials of
>>> their own.
>>>
>>> Most of all I suppose I want to know what should work, or be workable!
>>>
>>> Hope this makes sense, and thanks in advance,
>>>
>>> David
>>>
>>> p.s. I'm still not sure if I've managed to join this list, so subject to
>>> moderation, and I might require an explicit reply to in order to get
>>> responses!
>>>
>>
>>
>> ___
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>
>>
>
>
> --
>
> *Jason Sherrill*
> *IT Specialist*
> Deeplocal Inc.
> mobile: 412-636-2073
> office: 412-362-0201
>
>
>
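The reverse-DNS condition David describes here (and the "DNS discovery issue" he suspects in his first post further down) can be checked mechanically before touching Directory Utility. The script below is an added example, not code from the thread or from FreeIPA. It assumes two IPA servers ipa1/ipa2 and the ipa-ca alias under example.net, RFC 5737 test addresses, the realm EXAMPLE.NET, and an injected resolver so it runs offline; the system_resolver helper shows how to point it at real DNS. It models the MIT krb5 rule that, with rdns canonicalisation enabled (MIT's default), the ldap/ service principal is built from the PTR name of the address the client connected to, so a missing or wrong PTR changes which principal the client asks the KDC for. macOS ships a Heimdal-based Kerberos whose canonicalisation details may differ, and a hosts-file entry only papers over the problem because getaddrinfo and gethostbyaddr consult /etc/hosts before DNS. Because a PTR can only name one canonical host, an alias such as ipa-ca that shares the servers' addresses is treated as consistent when its addresses reverse-resolve to one of the known server names.

```python
"""Forward/reverse DNS consistency check for FreeIPA servers.

Added example, not from the thread or from FreeIPA. Names, addresses
(RFC 5737 test range) and realm are constructed; the resolver is injected
so the sample runs offline.
"""
import socket
from typing import Dict, List, Optional

# Constructed zone: two IPA servers and the ipa-ca alias that
# "ipa dns-update-system-records" points at the CA servers. Only ipa1's
# address has a PTR, mirroring the missing-RDNS situation in the thread.
FORWARD: Dict[str, List[str]] = {
    "ipa1.example.net": ["192.0.2.10"],
    "ipa2.example.net": ["192.0.2.11"],
    "ipa-ca.example.net": ["192.0.2.10", "192.0.2.11"],
}
REVERSE: Dict[str, str] = {"192.0.2.10": "ipa1.example.net."}
KNOWN_SERVERS = ["ipa1.example.net", "ipa2.example.net"]
REALM = "EXAMPLE.NET"


def dict_resolver(forward, reverse):
    """Resolver backed by the constructed tables above (offline)."""
    return (lambda name: list(forward.get(name, [])),
            lambda addr: reverse.get(addr))


def system_resolver():
    """Resolver backed by the host's libc; use this against real DNS."""
    def lookup_a(name: str) -> List[str]:
        try:
            return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
        except socket.gaierror:
            return []

    def lookup_ptr(addr: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(addr)[0]
        except (socket.herror, socket.gaierror):
            return None
    return lookup_a, lookup_ptr


def _canon(name: str) -> str:
    return name.rstrip(".").lower()


def check_host(name, lookup_a, lookup_ptr, known_servers=(), realm=REALM):
    """Check one name: per-address findings plus the ldap/ principal a client
    doing reverse-DNS canonicalisation would request for that address."""
    name = _canon(name)
    accepted = {name, *(_canon(s) for s in known_servers)}
    addrs = lookup_a(name)
    if not addrs:
        return {"ok": False, "findings": [f"{name}: does not resolve"], "spns": {}}
    findings, spns = [], {}
    for addr in addrs:
        ptr = lookup_ptr(addr)
        if ptr is None:
            findings.append(f"{addr}: no PTR record")
            spns[addr] = None          # no canonical name: KDC lookup will not match
            continue
        ptr = _canon(ptr)
        spns[addr] = f"ldap/{ptr}@{realm}"
        if ptr not in accepted:
            findings.append(f"{addr}: PTR {ptr} is not {name} or a known IPA server")
    return {"ok": not findings, "findings": findings, "spns": spns}


def check_all(names, lookup_a, lookup_ptr, known_servers, realm=REALM):
    return {n: check_host(n, lookup_a, lookup_ptr, known_servers, realm) for n in names}


def run_sample():
    """Run the check over the constructed zone."""
    lookup_a, lookup_ptr = dict_resolver(FORWARD, REVERSE)
    return check_all(FORWARD, lookup_a, lookup_ptr, KNOWN_SERVERS)


if __name__ == "__main__":
    for host, r in run_sample().items():
        print(host, "OK" if r["ok"] else "PROBLEM", r["findings"], r["spns"])
```

Run it as-is to see the constructed zone flag ipa2 and the second ipa-ca address; swap dict_resolver for system_resolver() and your own server list to check a live deployment. The spns column is what to compare against `ipa service-find` output: if the principal the client will request is not one the KDC has a key for, GSSAPI fails no matter how Directory Utility is configured.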


[Freeipa-users] Re: How to Setup FreeIPA Services for Mac OS X 10.12

2017-09-19 Thread Jason Sherrill via FreeIPA-users
Hello David,

I'm experiencing similar issues with ldapsearch command, though no issues
authenticating for logon, ssh (to linux machines), DNS updates, and
directory services. I'm confident the issue lies with MacOS.

I'm running MacOS 10.12.6 and IPA 4.5.

I'll keep digging, just wanted to let you know you've been heard.


- Jason





On Tue, Sep 19, 2017 at 10:40 AM, David Harvey via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Note.
>
> The GSSAPI attempts from the Mac side are only attempted when a binddn
> (security -> "use authentication when connecting") account is provided.
> Otherwise I suspect it's unable to even work out what type of GSSAPI
> transaction to attempt.
>
> On 19 September 2017 at 15:19, David Harvey 
> wrote:
>
>> Some edits and expansion on my previous attempt to post...
>>
>> Free IPA 4.4.3
>> Mac OSX 10.12
>>
>> Thanks for all the hard work on this, I've been enjoying an almost
>> functional setup for the last week but have been tearing my hair out with
>> making GSSAPI behave.
>>
>> What I have found so far using the config instructions - may be error
>> prone now as the number of combinations tried!
>>
>> Anonymous bind enabled on FreeIPA: works if you also specify a real user
>> in the Directory Utility auth section.
>> RootDSE only enabled on FreeIPA: works if you also specify a real
>> user in the Directory Utility auth section (not a service account).
>> No anonymous binds: will not play at all.
>>
>>
>> Now the thing that is really throwing me, is that GSSAPI ldapsearch works
>> just fine from the command line (using -Y GSSAPI) but  directory utility
>> seems unable to use these credentials.
>> I'm totally unsure if this is an OS limitation (as the login screen
>> wouldn't have any creds until a user has typed them) or if I've managed to
>> screw something up.
>> From browsing my LDAP access logs it looks like only conventional binds
>> are attempted regardless. On the Mac side it did, until recently, still
>> mention GSSAPI attempts (when anonymous LDAP is disabled), although these
>> couldn't be found in the LDAP log.  It feels like the Mac client is unable
>> to work out how to present the krb credential due to a mapping issue or DNS
>> discovery issue (both my IPA servers have RDNS entries).
>>
>> Other notable log entries on the Mac side are " failed to retrieve
>> password for credential", and "failed to retrieve server schema". These
>> both occur under the rootdse only ldap config.
>>
>> I'd like to be in a position where I can either have a very reduced
>> access LDAP user enabled on all Mac clients, or that they can harness the
>> host or user keytab in order to require no special LDAP credentials of
>> their own.
>>
>> Most of all I suppose I want to know what should work, or be workable!
>>
>> Hope this makes sense, and thanks in advance,
>>
>> David
>>
>> p.s. I'm still not sure if I've managed to join this list, so subject to
>> moderation, and I might require an explicit reply to in order to get
>> responses!
>>
>
>
>
>


-- 

*Jason Sherrill*
*IT Specialist*
Deeplocal Inc.
mobile: 412-636-2073
office: 412-362-0201


[Freeipa-users] Re: How to Setup FreeIPA Services for Mac OS X 10.12

2017-09-19 Thread David Harvey via FreeIPA-users
Note.

The GSSAPI attempts from the Mac side are only attempted when a binddn
(security -> "use authentication when connecting") account is provided.
Otherwise I suspect it's unable to even work out what type of GSSAPI
transaction to attempt.

On 19 September 2017 at 15:19, David Harvey 
wrote:

> Some edits and expansion on my previous attempt to post...
>
> Free IPA 4.4.3
> Mac OSX 10.12
>
> Thanks for all the hard work on this, I've been enjoying an almost
> functional setup for the last week but have been tearing my hair out with
> making GSSAPI behave.
>
> What I have found so far using the config instructions - may be error
> prone now as the number of combinations tried!
>
> Anonymous bind enabled on FreeIPA: works if you also specify a real user
> in the Directory Utility auth section.
> RootDSE only enabled on FreeIPA: works if you also specify a real user
> in the Directory Utility auth section (not a service account).
> No anonymous binds: will not play at all.
>
>
> Now the thing that is really throwing me, is that GSSAPI ldapsearch works
> just fine from the command line (using -Y GSSAPI) but  directory utility
> seems unable to use these credentials.
> I'm totally unsure if this is an OS limitation (as the login screen
> wouldn't have any creds until a user has typed them) or if I've managed to
> screw something up.
> From browsing my LDAP access logs it looks like only conventional binds
> are attempted regardless. On the Mac side it did, until recently, still
> mention GSSAPI attempts (when anonymous LDAP is disabled), although these
> couldn't be found in the LDAP log.  It feels like the Mac client is unable
> to work out how to present the krb credential due to a mapping issue or DNS
> discovery issue (both my IPA servers have RDNS entries).
>
> Other notable log entries on the Mac side are " failed to retrieve
> password for credential", and "failed to retrieve server schema". These
> both occur under the rootdse only ldap config.
>
> I'd like to be in a position where I can either have a very reduced access
> LDAP user enabled on all Mac clients, or that they can harness the host or
> user keytab in order to require no special LDAP credentials of their own.
>
> Most of all I suppose I want to know what should work, or be workable!
>
> Hope this makes sense, and thanks in advance,
>
> David
>
> p.s. I'm still not sure if I've managed to join this list, so subject to
> moderation, and I might require an explicit reply to in order to get
> responses!
>


[Freeipa-users] Re: How to Setup FreeIPA Services for Mac OS X 10.12

2017-09-19 Thread David Harvey via FreeIPA-users
Some edits and expansion on my previous attempt to post...

Free IPA 4.4.3
Mac OSX 10.12

Thanks for all the hard work on this, I've been enjoying an almost
functional setup for the last week but have been tearing my hair out with
making GSSAPI behave.

What I have found so far using the config instructions - may be error prone
now as the number of combinations tried!

Anonymous bind enabled on FreeIPA: works if you also specify a real user in
the Directory Utility auth section.
RootDSE only enabled on FreeIPA: works if you also specify a real user
in the Directory Utility auth section (not a service account).
No anonymous binds: will not play at all.


Now the thing that is really throwing me, is that GSSAPI ldapsearch works
just fine from the command line (using -Y GSSAPI) but  directory utility
seems unable to use these credentials.
I'm totally unsure if this is an OS limitation (as the login screen
wouldn't have any creds until a user has typed them) or if I've managed to
screw something up.
From browsing my LDAP access logs it looks like only conventional binds are
attempted regardless. On the Mac side it did, until recently, still mention
GSSAPI attempts (when anonymous LDAP is disabled), although these couldn't
be found in the LDAP log.  It feels like the Mac client is unable to work
out how to present the krb credential due to a mapping issue or DNS
discovery issue (both my IPA servers have RDNS entries).

Other notable log entries on the Mac side are " failed to retrieve password
for credential", and "failed to retrieve server schema". These both occur
under the rootdse only ldap config.

I'd like to be in a position where I can either have a very reduced access
LDAP user enabled on all Mac clients, or that they can harness the host or
user keytab in order to require no special LDAP credentials of their own.

Most of all I suppose I want to know what should work, or be workable!

Hope this makes sense, and thanks in advance,

David

p.s. I'm still not sure if I've managed to join this list, so subject to
moderation, and I might require an explicit reply to in order to get
responses!


[Freeipa-users] Re: How to Setup FreeIPA Services for Mac OS X 10.12

2017-06-14 Thread Lee Wiscovitch via FreeIPA-users
We run almost the exact same setup...Which is sufficient, but not as 
great as it could be (Basically the password changing issues you've 
noted). We've also noticed that a single bad login attempt gets counted 
multiple times on the IPA server, so you can get locked accounts quicker 
than expected.


There was a guy on the list that had what sounded like a very promising 
alternative to this that did some ldap db modifications but I tried so 
many times to do it and could never get it to work :( The link is:


https://www.redhat.com/archives/freeipa-users/2016-February/msg00059.html

There is some good information, but I could just never get it to 
work...Would love if someone would step-by-step that one a little more 
in detail.


Also, as an aside...If you changed your password via FreeIPA gui (Or 
from another linux machine) you can update the FileVault password by 
issuing a "sudo" command...I usually just do "sudo -l" and then you're 
good. Not sure why, but we found that out over the years.


Also we edit a few other pam files, screensaver (So when you unlock you 
get a new ticket) and passwd (I think so you can change from cmd, 
although not 100% sure that works)


cat > /etc/pam.d/screensaver << 'EOF'
# Kerberos first: the optional line initialises the credential cache on
# unlock, the sufficient line accepts the Kerberos password, and local
# Open Directory is the fallback.
auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
auth       sufficient     pam_krb5.so use_first_pass default_principal
auth       required       pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so
account    sufficient     pam_self.so
account    required       pam_group.so no_warn group=admin,wheel fail_safe
account    required       pam_group.so no_warn deny group=admin,wheel ruser fail_safe
EOF

cat > /etc/pam.d/passwd << 'EOF'
# Try the password change against the KDC first, then Open Directory.
password   sufficient     pam_krb5.so
auth       required       pam_permit.so
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_permit.so
EOF


On 06/14/2017 12:02 PM, Jason Sherrill via FreeIPA-users wrote:

Hello All,

I have recently submitted a How/To for FreeIPA. I'd very much appreciate
any feedback or editing on it- I don't want to link to it without a
review. Thanks!


--

*Jason Sherrill*
Deeplocal Inc.
mobile: 412-636-2073
office: 412-362-0201




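To see what the two PAM files in Lee's message actually decide when the KDC is reachable, unreachable, or rejects the password, here is a small stack evaluator. It is an added example, not code from the thread, Apple or FreeIPA. It parses the posted stanzas (embedded below with their whitespace restored) and simulates the four standard control flags: required records a failure and continues, requisite fails immediately, sufficient succeeds immediately unless a required module already failed, and optional is ignored unless it is the only module. pam_permit.so and pam_deny.so always succeed or fail; every other module's result is supplied by hand in a dict, which is an assumption of the example, so nothing here calls PAM and it runs anywhere.

```python
"""PAM stack evaluator for the /etc/pam.d/screensaver and /etc/pam.d/passwd
files posted above (added example; not from the post, Apple or FreeIPA).

Module results other than pam_permit/pam_deny are supplied by hand
(constructed); nothing here calls PAM.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The two files from the post, with the original whitespace restored.
SCREENSAVER = """\
auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
auth       sufficient     pam_krb5.so use_first_pass default_principal
auth       required       pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so
account    sufficient     pam_self.so
account    required       pam_group.so no_warn group=admin,wheel fail_safe
account    required       pam_group.so no_warn deny group=admin,wheel ruser fail_safe
"""
PASSWD = """\
password   sufficient     pam_krb5.so
auth       required       pam_permit.so
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_permit.so
"""

TYPES = {"auth", "account", "password", "session"}
CONTROLS = {"required", "requisite", "sufficient", "optional"}
FIXED = {"pam_permit.so": True, "pam_deny.so": False}   # unconditional modules


@dataclass
class Entry:
    type: str
    control: str
    module: str
    args: List[str]
    line: int


def parse_pam(text: str) -> List[Entry]:
    """Parse pam.d syntax: '<type> <control> <module> [args...]', '#' comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] not in TYPES or parts[1] not in CONTROLS:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        entries.append(Entry(parts[0], parts[1], parts[2], parts[3:], lineno))
    return entries


def evaluate(entries: List[Entry], facility: str,
             results: Dict[str, bool]) -> Tuple[bool, str]:
    """Walk one facility's stack; return (outcome, what decided it).

    results maps module file name -> success for modules not in FIXED;
    a module missing from results is treated as failing.
    """
    stack = [e for e in entries if e.type == facility]
    if not stack:
        raise ValueError(f"no {facility} entries in this file")
    first_failure = None
    for e in stack:
        ok = FIXED.get(e.module, results.get(e.module, False))
        where = f"{e.control} {e.module} (line {e.line})"
        if e.control == "requisite" and not ok:
            return False, where                      # stop at once
        if e.control == "required" and not ok and first_failure is None:
            first_failure = where                    # remembered, keep going
        if e.control == "sufficient" and ok and first_failure is None:
            return True, where                       # short-circuit success
        # optional: no effect unless it is the whole stack (handled below)
    if first_failure is not None:
        return False, first_failure
    if len(stack) == 1 and stack[0].control == "optional":
        ok = FIXED.get(stack[0].module, results.get(stack[0].module, False))
        return ok, f"optional {stack[0].module} (line {stack[0].line})"
    return True, "end of stack"


def unlock_outcomes() -> Dict[str, Tuple[bool, str]]:
    """Screen-unlock scenarios for the posted screensaver stack."""
    auth = parse_pam(SCREENSAVER)
    return {
        "kerberos ok": evaluate(auth, "auth", {"pam_krb5.so": True}),
        "kerberos down, local ok": evaluate(
            auth, "auth", {"pam_krb5.so": False, "pam_opendirectory.so": True}),
        "both fail": evaluate(auth, "auth", {}),
    }


def password_change_outcomes() -> Dict[str, Tuple[bool, str]]:
    """Password-change scenarios for the posted passwd stack."""
    pw = parse_pam(PASSWD)
    return {
        "kdc accepts": evaluate(pw, "password", {"pam_krb5.so": True}),
        "kdc rejects, local ok": evaluate(pw, "password", {"pam_opendirectory.so": True}),
        "auth facility": evaluate(pw, "auth", {}),
    }
```

Two things the simulation makes visible. With the screensaver stack, a successful Kerberos password ends evaluation at the sufficient pam_krb5 line, so pam_opendirectory is never consulted and the local account is not touched; when the KDC is unreachable the sufficient line fails quietly and the unlock falls through to Open Directory, which is the "works while offline" behaviour Lee relies on. With the passwd stack, the auth facility consists of pam_permit only, so whatever protection applies to a password change comes entirely from the password facility, where the sufficient pam_krb5 line means a KDC-accepted change never reaches pam_opendirectory; this is why Lee's separate note about the FileVault password needing a later sudo is not surprising, since nothing in that stack updates the local credential when Kerberos succeeds.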