I wrote some instructions that I tested on Lion; I just haven't posted them anywhere yet.
On IPA Server:
ipa host-add --force client1.example.com
ipa host-add-managedby --hosts=ipaserver.example.com client1.example.com
ipa-getkeytab -s ipaserver.example.com -p host/client1.example.com -k /tmp/client1.keytab
Copy the keytab to /etc/krb5.keytab on the client. Ensure permissions are 600.
Use
sudo ktutil -k /etc/krb5.keytab list
to check the keytab:
client1.example.com $ sudo ktutil -k /etc/krb5.keytab list
/etc/krb5.keytab:
Vno Type Principal Aliases
1 aes256-cts-hmac-sha1-96 host/client1.example@example.com
1 aes128-cts-hmac-sha1-96 host/client1.example@example.com
1 des3-cbc-sha1 host/client1.example@example.com
1 arcfour-hmac-md5 host/client1.example@example.com
/etc/krb5.conf
for Mac OS X 10.7 Lion (Tested on 10.7.3)
#Version 1.0
[logging]
admin_server = FILE:/var/log/krb5kdc/kadmin.log
kdc = FILE:/var/log/krb5kdc/kdc.log
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
## End /etc/krb5.conf
In /etc/ssh_config
for Mac OS X 10.7 Lion (Tested on 10.7.3)
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
GSSAPIKeyExchange yes
GSSAPITrustDNS no
End /etc/ssh_config
In /etc/ssh/ssh_config
RHEL 6.2 w/ ipa-server 2.1.3-9
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
End /etc/ssh/ssh_config
Kerberos was swapped out from Snow Leopard to Lion. Lion uses Heimdal instead of Kerberos.
If you need a realms section because you are setting DNS lookups to false in
krb5.conf, you have to do it like this:
[realms]
EXAMPLE.COM = {
admin_server = tcp/ipa0.example.com:749
default_domain = salab.redhat.com
kdc = tcp/ipa0.example.com:88
}
If you don't do tcp/, Heimdal uses UDP by default.
Good luck.
Brian
--
Brian Cook
Solutions Architect, Red Hat, Inc.
407-212-7079
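As an added example (not from this post or from the FreeIPA project), the client-side check described above done offline in Python: it parses a version 0x0502 keytab the way `ktutil list` displays it (Vno, Type, Principal) and verifies the file mode is 600. The keytab it writes is constructed dummy data mirroring the listing in the post (four enctypes, vno 1), and the enctype names are the RFC 3961/3962/4757 numbers; no real key material is involved.

```python
import os, stat, struct, tempfile

# enctype numbers (RFC 3961/3962/4757) for the four types the ktutil listing above shows
ENCTYPE_NAMES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}

def parse_keytab(data):
    """Parse a version-0x0502 keytab (MIT and Heimdal); return [(vno, enctype, principal)]."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a v2 keytab (expected 05 02 header)")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack(">i", data[pos:pos + 4])[0], pos + 4
        if size < 0:                         # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end, ncomp = pos + size, struct.unpack(">H", data[pos:pos + 2])[0]
        pos, strings = pos + 2, []           # realm first, then each name component
        for _ in range(ncomp + 1):
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        pos += 8                             # skip name_type (4) and timestamp (4)
        vno8, (enctype, keylen) = data[pos], struct.unpack(">HH", data[pos + 1:pos + 5])
        pos += 5 + keylen                    # skip the key material itself
        vno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        principal = "/".join(strings[1:]) + "@" + strings[0]
        entries.append((vno, ENCTYPE_NAMES.get(enctype, "etype %d" % enctype), principal))
        pos = end
    return entries

def build_entry(vno, enctype, principal, key):  # serialise one entry (constructed, dummy key)
    name, realm = principal.split("@"); parts = [realm] + name.split("/")
    body = struct.pack(">H", len(parts) - 1)
    for p in parts:
        body += struct.pack(">H", len(p)) + p.encode()
    body += struct.pack(">IIBHH", 1, 0, vno & 0xFF, enctype, len(key)) + key + struct.pack(">I", vno)
    return struct.pack(">i", len(body)) + body

def write_sample_keytab():  # constructed keytab mirroring the post's ktutil listing; returns its path
    data = b"\x05\x02" + b"".join(
        build_entry(1, et, "host/client1.example.com@EXAMPLE.COM", b"\x00" * n)
        for et, n in ((18, 32), (17, 16), (16, 24), (23, 16)))
    fd, path = tempfile.mkstemp(suffix=".keytab")
    os.write(fd, data); os.close(fd); os.chmod(path, 0o600)   # the 600 the post asks for
    return path

def check_keytab(path):
    """Offline stand-in for 'ktutil -k <path> list' plus the permissions-are-600 check."""
    mode_ok = stat.S_IMODE(os.stat(path).st_mode) == 0o600
    return mode_ok, parse_keytab(open(path, "rb").read())
```

Point check_keytab at a real /etc/krb5.keytab (as root) to get the same Vno/Type/Principal triples ktutil prints, plus a flag telling you whether the mode is actually 600.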
On Mar 14, 2012, at 11:57 PM, Hagenrud Håkan wrote:
Hello
I just joined this list, so please excuse me if this question has been asked before.
Is anyone out there binding Mac clients (10.7.x) to IPA?
I have tried it with some success. The Mac client can join the IPA domain and
the Kerberos domain, but no user from the domain can log in to the
Mac computer. My guess is that I need to map the LDAP values from IPA to
what the Mac client expects.
Anyone?
Thanks
Håkan Hagenrud
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users