Hehe, just tried to do this and it works beautifully, thanks!
On Tue, Apr 30, 2019 at 8:37 PM Charles Hedrick <hedrick(a)rutgers.edu> wrote:
Kerberos works fine on OS X, as long as you don't need two-factor
authentication or HTTPS proxy. If you need those, install the kerberos5 and
ssh packages from MacPorts.
ssh, sshd, the NFS client (Kerberized NFS version 3 and 4), Chrome and
Firefox (SPNEGO) all support Kerberos.
I think “join the domain” would simply mean that login uses IPA. I assume
you can do that, though I haven’t tried. I do kinit manually. Once I have a
TGT from kinit, everything else works.
ssh:
Edit /etc/ssh/ssh_config. Add "GSSAPIAuthentication yes"
Firefox. Here’s what the IPA web client says:
Import CA certificate for your IPA realm. This assumes you’re not
using a commercial cert, which should use a CA that the system already
knows about
• Make sure you select all three checkboxes.
• In the address bar of Firefox, type about:config to display the list of
current configuration options.
• In the Filter field, type negotiate to restrict the list of options.
• Double-click the network.negotiate-auth.trusted-uris entry to display
the Enter string value dialog box.
• Enter the name of the domain against which you want to authenticate, for
example, .example.com.
Note that the instructions for Chrome from the IPA webclient don’t work
for MacOS. See
https://www.jeffgeerling.com/blogs/jeff-geerling/kerberos-authentication-... for
the magic “defaults write” commands.
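As an added example (not from anyone in this thread), a small checker for the two client-side settings described above: that ssh_config enables GSSAPIAuthentication for all hosts, and that the Firefox network.negotiate-auth.trusted-uris value only names the intended domain rather than something as broad as a bare TLD. The sample config and trusted-uris string are constructed; the warning about GSSAPIDelegateCredentials under "Host *" is an extra caveat, not something the mail mentions.

```python
"""Sanity-check the Kerberos SSO client settings from the thread."""
import re

# Constructed sample inputs (not taken from the original mail).
SSH_CONFIG = """# client config
Host bastion.example.com
    GSSAPIDelegateCredentials yes
Host *
    GSSAPIAuthentication yes
"""
TRUSTED_URIS = ".example.com, https://ipa.example.com, .com"


def parse_ssh_config(text):
    """Return {host_pattern: {keyword_lower: value}}. Options that appear
    before any Host line are filed under '*', like OpenSSH's global section."""
    blocks, current = {}, "*"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            current = value
        blocks.setdefault(current, {})
        if key != "host":
            blocks[current][key] = value
    return blocks


def check_ssh_config(text):
    """Findings about GSSAPI settings; empty list means the config looks right."""
    blocks, findings = parse_ssh_config(text), []
    if blocks.get("*", {}).get("gssapiauthentication", "").lower() != "yes":
        findings.append("GSSAPIAuthentication is not 'yes' for Host *; "
                        "ssh will not try Kerberos")
    if blocks.get("*", {}).get("gssapidelegatecredentials", "").lower() == "yes":
        findings.append("GSSAPIDelegateCredentials yes under Host * forwards "
                        "your TGT to every server; limit it to named hosts")
    return findings


def check_trusted_uris(value):
    """Flag trusted-uris entries whose host part is a single label (e.g. '.com'),
    since Firefox would then send Negotiate to every site under it."""
    findings = []
    for entry in (e.strip() for e in value.split(",") if e.strip()):
        host = re.sub(r"^[a-z]+://", "", entry).split("/")[0].strip(".")
        if len(host.split(".")) < 2:
            findings.append(f"'{entry}' matches every site under one label")
    return findings
```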
On Apr 24, 2019, at 7:33 AM, Alex Corcoles via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
So I now have an OS X work laptop and did a kinit user@MYDOMAIN and... it
worked!
I've seen some guides about joining an OS X system to FreeIPA, but I don't
think I want that (we are not currently joining work OS X systems to a
domain, but I suppose we will soon, and I guess joining two domains would
be hairy), but I'm wondering if it's not crazy to kinit, get my Kerberos
tickets and get SSO for https/ssh?
While having a ticket seems to not be enough to get SSH/Firefox to work,
I'm wondering if it's viable to get it to work or if it's a waste of time
because it cannot work or has serious limitations. It's mostly for learning
purposes...
Cheers,
Álex
--
___
{~._.~}
( Y )
()~*~() mail: alex at corcoles dot net
(_)-(_)
http://alex.corcoles.net/
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org