Kerberos works fine on OS X, as long as you don’t need Two Factor 
authentication or HTTPS proxy. If you need those, install the kerberos5 and ssh 
packages from MacPorts.

ssh, sshd, the NFS client (Kerberized NFS version 3 and 4), Chrome and Firefox 
(SPNEGO) all support Kerberos.

I think “join the domain” would simply mean that login uses IPA. I assume you 
can do that, though I haven’t tried. I do kinit manually. Once I have a TGT 
from kinit, everything else works.

ssh:
Edit /etc/ssh/ssh_config. Add "GSSAPIAuthentication yes"

Firefox. Here’s what the IPA web client says:
• Import the CA certificate for your IPA realm. This assumes you’re not using 
a commercial cert, which should use a CA that the system already knows about.
• Make sure you select all three checkboxes.
• In the address bar of Firefox, type about:config to display the list of 
current configuration options.
• In the Filter field, type negotiate to restrict the list of options.
• Double-click the network.negotiate-auth.trusted-uris entry to display the 
Enter string value dialog box.
• Enter the name of the domain against which you want to authenticate, for 
example, .example.com.

Note that the instructions for Chrome from the IPA webclient don’t work for 
MacOS. See 
https://www.jeffgeerling.com/blogs/jeff-geerling/kerberos-authentication-mac-os 
for the magic “defaults write” commands.
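An added preflight script (my own example, not from this thread or the FreeIPA project) that checks the three pieces described above on a Mac before you start debugging: a valid TGT from kinit, GSSAPIAuthentication in the effective ssh config, and a Negotiate allow-list (the Firefox network.negotiate-auth.trusted-uris value, or the equivalent string you hand to Chrome) that stays narrow. The allow-list rules are this script's own policy, not the browsers' matching semantics, and all host names are placeholders.

```shell
#!/bin/sh
# kerb_sso_check.sh: preflight for Kerberos SSO on a macOS client (hypothetical helper).

# 1. Is there a valid TGT in the credential cache?  "klist -s" exits 0 only
#    when an unexpired TGT is present (both Heimdal and MIT klist support it).
has_valid_tgt() {
    command -v klist >/dev/null 2>&1 || return 2   # no Kerberos tools installed
    klist -s 2>/dev/null
}

# 2. Does the effective ssh config for HOST enable GSSAPI?  "ssh -G" prints the
#    resolved configuration without connecting, so it is safe to run offline.
ssh_gssapi_enabled() {
    ssh -G "$1" 2>/dev/null | grep -qi '^gssapiauthentication yes$'
}

# 3. Policy check on the comma-separated Negotiate allow-list.  This script's
#    own rules: every entry must be a domain suffix starting with "." or an
#    https:// prefix; wildcards and plain http:// are rejected, because a broad
#    or clear-text entry hands Negotiate tokens to hosts that should never see them.
validate_negotiate_uris() {
    list=$1
    [ -n "$list" ] || return 1
    old_ifs=$IFS; IFS=,
    for entry in $list; do
        entry=$(printf '%s' "$entry" | tr -d ' ')
        case $entry in
            *'*'*)      IFS=$old_ifs; return 1 ;;   # wildcard: too broad
            http://*)   IFS=$old_ifs; return 1 ;;   # clear-text prefix
            https://?*) ;;                          # explicit https origin: ok
            .?*.?*)     ;;                          # ".example.com" style suffix: ok
            *)          IFS=$old_ifs; return 1 ;;   # bare TLD, bare host, or junk
        esac
    done
    IFS=$old_ifs
    return 0
}

# Run the preflight when invoked with a target host, e.g.:
#   sh kerb_sso_check.sh ipa.example.com ".example.com"
if [ "$#" -ge 1 ]; then
    has_valid_tgt && echo "TGT: ok" || echo "TGT: missing or expired (run kinit)"
    ssh_gssapi_enabled "$1" && echo "ssh GSSAPI: on" || echo "ssh GSSAPI: off (set GSSAPIAuthentication yes)"
    validate_negotiate_uris "${2:-.example.com}" && echo "Negotiate URIs: ok" || echo "Negotiate URIs: rejected"
fi
```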



On Apr 24, 2019, at 7:33 AM, Alex Corcoles via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:

So I now have an OS X work laptop and did a kinit user@MYDOMAIN and... it 
worked!

I've seen some guides about joining an OS X system to FreeIPA, but I don't 
think I want that (we are not currently joining work OS X systems to a domain, 
but I suppose we will soon, and I guess joining two domains would be hairy), 
but I'm wondering if it's not crazy to kinit, get my Kerberos tickets and get 
SSO for https/ssh?

While having a ticket seems to not be enough to get SSH/Firefox to work, I'm 
wondering if it's viable to get it to work or if it's a waste of time because 
it cannot work or has serious limitations. It's mostly for learning purposes...

Cheers,

Álex
--
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
