[Freeipa-users] Bind current mac clients?

2012-03-15 Thread Hagenrud Håkan
Hello

I just joined this list so please excuse if this question has been asked

Is anyone out there binding mac clients (10.7.x) to IPA?

I have tried it with some success. The mac-client can join the IPA domain and 
the Kerberos domain but no user from the domain can log in to the mac-computer. 
My guess is that I need to map the LDAP values from IPA with what the 
mac-client expects.

Anyone?

Thanks

Håkan Hagenrud

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Bind current mac clients?

2012-03-15 Thread Brian Cook
I wrote some instructions that I tested on Lion, I just haven't posted them 
anywhere yet.  

On IPA Server:

ipa host-add --force client1.example.com
ipa host-add-managedby --hosts=ipaserver.example.com client1.example.com
ipa-getkeytab -s ipaserver.example.com -p host/client1.example.com -k /tmp/client1.keytab

copy the keytab to /etc/krb5.keytab on the client.  Ensure permissions are 600.

use 
sudo ktutil -k /etc/krb5.keytab list

to check the keytab



client1.example.com $ sudo ktutil -k /etc/krb5.keytab list
/etc/krb5.keytab:

Vno  Type                     Principal                          Aliases
  1  aes256-cts-hmac-sha1-96  host/client1.example@example.com
  1  aes128-cts-hmac-sha1-96  host/client1.example@example.com
  1  des3-cbc-sha1            host/client1.example@example.com
  1  arcfour-hmac-md5         host/client1.example@example.com



/etc/krb5.conf
for Mac OS X 10.7 Lion (Tested on 10.7.3)

#Version 1.0
[logging]
  admin_server = FILE:/var/log/krb5kdc/kadmin.log
  kdc = FILE:/var/log/krb5kdc/kdc.log

[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]

## End /etc/krb5.conf

  In /etc/ssh_config
  for Mac OS X 10.7 Lion (Tested on 10.7.3)

  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials no
  GSSAPIKeyExchange yes
  GSSAPITrustDNS no

  End /etc/ssh_config

 In /etc/ssh/ssh_config
 RHEL 6.2 w/ ipa-server 2.1.3-9

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

 end  /etc/ssh/ssh_config




Kerberos was swapped out from Snow Leopard to Lion.  Lion uses Heimdal instead 
of Kerberos.
 
If you need a realms section because you are setting DNS lookups to false in 
krb5.conf, you have to do it like this:

[realms]
EXAMPLE.COM = {
admin_server = tcp/ipa0.example.com:749
default_domain = salab.redhat.com
kdc = tcp/ipa0.example.com:88
}

If you don't use the tcp/ prefix, Heimdal uses UDP by default.


Good Luck.. 
Brian


--
Brian Cook
Solutions Architect, Red Hat, Inc.
407-212-7079
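As an added example (not from Brian's post or from FreeIPA itself), a small Python check over the two artifacts above: it parses `ktutil -k /etc/krb5.keytab list` output modelled on the listing in the post, confirms the keytab holds only the expected host principal with a single kvno, flags the weaker enctypes (the weak-enctype list is my assumption), and reports [realms] kdc/admin_server entries that lack the tcp/ prefix Heimdal needs to avoid falling back to UDP.

```python
import re

# Constructed sample of `ktutil -k /etc/krb5.keytab list` output on Lion,
# modelled on the listing in the post (not captured from a real host).
KTUTIL_OUTPUT = """/etc/krb5.keytab:

Vno  Type                     Principal                              Aliases
  1  aes256-cts-hmac-sha1-96  host/client1.example.com@EXAMPLE.COM
  1  aes128-cts-hmac-sha1-96  host/client1.example.com@EXAMPLE.COM
  1  des3-cbc-sha1            host/client1.example.com@EXAMPLE.COM
  1  arcfour-hmac-md5         host/client1.example.com@EXAMPLE.COM
"""

# Enctypes to flag; this list is an assumption for the example, not from the post.
WEAK_ENCTYPES = {"arcfour-hmac-md5", "des3-cbc-sha1", "des-cbc-crc", "des-cbc-md5"}

# One keytab row: kvno, enctype, principal (header starts with "Vno", so it is skipped).
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)")

# kdc / admin_server values inside a krb5.conf [realms] block.
KDC_RE = re.compile(r"^\s*(kdc|admin_server)\s*=\s*(\S+)", re.M)


def parse_ktutil_list(text):
    """Return (kvno, enctype, principal) tuples from ktutil list output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def audit_keytab(entries, expected_principal):
    """Report wrong principals, mixed kvno values and weak enctypes, in that order."""
    problems = []
    principals = {p for _, _, p in entries}
    if principals != {expected_principal}:
        problems.append("unexpected principals: %s" % sorted(principals - {expected_principal}))
    if len({kvno for kvno, _, _ in entries}) > 1:
        problems.append("mixed kvno values; keytab may be stale relative to the KDC")
    for _, enctype, _ in entries:
        if enctype in WEAK_ENCTYPES:
            problems.append("weak enctype in keytab: " + enctype)
    return problems


def realm_entries_without_tcp(krb5_conf):
    """Heimdal talks UDP unless a kdc/admin_server value carries the tcp/ prefix."""
    return [value for _, value in KDC_RE.findall(krb5_conf) if not value.startswith("tcp/")]
```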




On Mar 14, 2012, at 11:57 PM, Hagenrud Håkan wrote: