Robert Kudyba via FreeIPA-users wrote:
> On Tue, Mar 16, 2021 at 3:40 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>> It depends on what the expectations are for these user-owned machines.
>
> Only expectation is to be able to log in to a server, get access to
> their home directory and be able to do their assignments, e.g., C++,
> Java or Python programming.
>
>> If you don't need IPA identities and IPA users won't log into them, then
>> they only need a working krb5.conf and DNS configured on them.
>
> So each device needs to drop in the krb5.conf file from the FreeIPA
> server? How does this work on a Windows client?
From the server? I wouldn't. It is likely going to need some hand-tuning
depending on your configuration. For example the server is going to have
a hardcoded KDC in it. You may or may not want that.
> So we have to customize the /etc/krb5.conf file that exists on the
> server for any student devices.
I mean, you don't want to use ipa-client-install which would do all of
this for you, and I understand the reasons, but it does mean some
additional work on your part.
I don't know your network so at most I can make general suggestions, not
provide you a full configuration.
In retrospect the default krb5.conf that ships on Fedora provides for
includes. I think this is probably your best bet: provide an IPA
configuration that resides there and it should co-exist pretty easily
with any other configuration.
I'm not completely sure about the order of loading and which
configuration "wins" when there is conflict. The man page is the place
to look.
And kcm_default_ccache has instructions on how to enable/run sssd-kcm so
that this should work out-of-the-box. That is probably better than
having students comment it out, unless you can control the order of what
"wins" when there is conflicting configuration.
>
>> So your students would log into their own controlled machine using their
>> own local account, kinit student123(a)univ.edu and ssh using their
>> credentials.
>>
>> The krb5.conf will tell the student machine how to contact the KDC.
>> That's all that is necessary (beyond working DNS).
>
> I just tried this on another Fedora 33 workstation, dropped in the
> /etc/krb5.conf file and all I get is:
> kinit: No KCM server found while getting default ccache
You can comment the values out in /etc/krb5.conf.d/kcm_default_ccache to
change the default ccache type, or comment out the includes in krb5.conf
(probably easier).
> OK now I can get any Fedora client to kinit and then ssh.
See above for perhaps a less hacky approach than I originally suggested.
> I'm puzzled as to what we'd need to tell/provide to a student, who is
> enrolled remotely and can't come on campus, to be able to connect to our
> server via their Windows or Mac laptop.
I don't know about Windows. I used the Windows MIT Kerberos packages a
decade or more ago and they worked fine with PuTTY (and IPA with
discovery) but whether that applies now or not I have no idea.
Mac I think should work similar to Linux: provide a krb5.conf and things
should just work. Again, you'll likely have to tweak the configuration
depending on what version of MIT Mac ships these days.
> kinit --version
> kinit (Heimdal 1.5.1apple1)
> So my first test with the server krb5.conf file copied into /etc:
> kinit: krb5_get_init_creds: unable to reach any KDC in realm OURDOMAIN.EDU, tried 0 KDCs
> So the first suggestion <https://apple.stackexchange.com/a/273064> I
> found was to preface kdc = tcp
> Then I made sure the firewall on the Mac was disabled. I also added the
> test IPA server & IP into /etc/hosts. I can ping it successfully.
> What else needs to change?
It's difficult to troubleshoot in a void. I don't know your network
configuration nor what krb5.conf you're using. It sure looks like
discovery of the KDC over DNS failed.
rob
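An added example, not code from the thread or from FreeIPA: a small Python checker for a hand-distributed krb5.conf that flags the two points Rob raises above (a KCM default ccache that needs sssd-kcm running, and a hardcoded KDC versus DNS SRV discovery). The sample configuration, the hostnames in it and the parser itself are constructed for this example.

```python
# Constructed sample: an IPA-style krb5.conf as copied by hand to a student machine.
SAMPLE_CONF = """\
includedir /etc/krb5.conf.d/
[libdefaults]
  dns_lookup_kdc = true
  default_ccache_name = KCM:
[realms]
  OURDOMAIN.EDU = {
    kdc = ipa.ourdomain.edu:88
  }
"""

def parse_krb5_conf(text):
    """Minimal krb5 profile parser: [section], key = value, name = { ... } blocks, includedir."""
    conf, stack = {"includedir": []}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("includedir "):
            conf["includedir"].append(line.split(None, 1)[1])
        elif line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)  # a key may repeat, e.g. kdc
    return conf

def check_client_conf(conf, realm):
    """Findings for a box that gets krb5.conf by hand instead of via ipa-client-install."""
    findings = []
    lib = conf.get("libdefaults", {})
    if lib.get("default_ccache_name", [""])[0].upper().startswith("KCM"):
        findings.append("default_ccache_name is KCM: sssd-kcm must be running or kinit fails with 'No KCM server found'")
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    dns_ok = lib.get("dns_lookup_kdc", ["true"])[0].lower() in ("true", "yes", "1")
    if kdcs:
        findings.append(f"KDC hardcoded for {realm}: {', '.join(kdcs)}; must resolve "
                        "and be reachable on port 88 from the student's network")
    elif dns_ok:
        findings.append(f"no kdc for {realm}: relies on DNS SRV _kerberos._tcp.{realm.lower()}")
    else:
        findings.append(f"no kdc for {realm} and dns_lookup_kdc is off: no KDC can be found")
    return findings
```

Run it against the file you intend to hand out; a KCM finding means the student either needs sssd-kcm or a FILE ccache, and a hardcoded-KDC finding is worth checking against what off-campus DNS and firewalls actually allow.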