Sorry for the spam, but I just discovered that it seems that even in a
standard installation there's a "Ticket Viewer.app" which allows you to
log in graphically and even change your password.
On Fri, May 10, 2019 at 5:38 PM Alex Corcoles <alex(a)corcoles.net> wrote:
Hehe, just tried to do this and it works beautifully, thanks!
On Tue, Apr 30, 2019 at 8:37 PM Charles Hedrick <hedrick(a)rutgers.edu>
wrote:
> Kerberos works fine on OS X, as long as you don’t need Two Factor
> authentication or HTTPS proxy. If you need those, install the kerberos5 and
> ssh packages from MacPorts.
>
> ssh, sshd, the NFS client (Kerberized NFS version 3 and 4), Chrome and
> Firefox (SPNEGO) all support Kerberos.
>
> I think “join the domain” would simply mean that login uses IPA. I assume
> you can do that, though I haven’t tried. I do kinit manually. Once I have a
> TGT from kinit, everything else works.
>
> ssh:
> Edit /etc/ssh/ssh_config. Add "GSSAPIAuthentication yes"
>
> Firefox. Here’s what the IPA web client says:
> Import CA certificate for your IPA realm. This assumes you’re not
> using a commercial cert, which should use a CA that the system already
> knows about
> • Make sure you select all three checkboxes.
> • In the address bar of Firefox, type about:config to display the list
> of current configuration options.
> • In the Filter field, type negotiate to restrict the list of options.
> • Double-click the network.negotiate-auth.trusted-uris entry to display
> the Enter string value dialog box.
> • Enter the name of the domain against which you want to authenticate,
> for example, .example.com.
>
> Note that the instructions for Chrome from the IPA webclient don’t work
> for MacOS. See
> https://www.jeffgeerling.com/blogs/jeff-geerling/kerberos-authentication-...
> for the magic “defaults write” commands.
>
>
>
> On Apr 24, 2019, at 7:33 AM, Alex Corcoles via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org> wrote:
>
> So I now have an OS X work laptop and did a kinit user@MYDOMAIN and...
> it worked!
>
> I've seen some guides about joining an OS X system to FreeIPA, but I
> don't think I want that (we are not currently joining work OS X systems to
> a domain, but I suppose we will soon- and I guess joining two domains would
> be hairy), but I'm wondering if it's not crazy to kinit, get my Kerberos
> tickets and get SSO for https/ssh?
>
> While having a ticket seems to not be enough to get SSH/Firefox to work,
> I'm wondering if it's viable to get it to work or if it's a waste of time
> because it cannot work or has serious limitations. It's mostly for learning
> purposes...
>
> Cheers,
>
> Álex
> --
> ___
> {~._.~}
> ( Y )
> ()~*~() mail: alex at corcoles dot net
> (_)-(_)
> http://alex.corcoles.net/
>
--
___
{~._.~}
( Y )
()~*~() mail: alex at corcoles dot net
(_)-(_)
http://alex.corcoles.net/
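
Added example (not part of the thread, and not FreeIPA or OpenSSH code): the ssh step quoted above adds `GSSAPIAuthentication yes` to `/etc/ssh/ssh_config`, and since ssh_config uses the first value obtained for each option, where that line lands decides whether it takes effect for a given host. The sketch below evaluates this for one file and one host; the function names, host names and sample config are constructed, and `Include` and `Match` are not handled.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the GSSAPIAuthentication value the
# first-match rule of ssh_config selects for HOST in FILE: yes, no, or unset.
# Assumptions: single file, no Include, Match blocks treated as not applying.
gssapi_effective() {
    file=$1 host=$2 active=1          # lines before any Host block apply to all
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s\n' "$line" | tr '=' ' ')   # accept "Key=value" form
        set -f; set -- $line; set +f                  # split without globbing
        [ $# -gt 0 ] || continue
        kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
        case $kw in
            host)
                active=0 negated=0
                for pat in "$@"; do
                    case $pat in
                        \!*) case $host in ${pat#\!}) negated=1 ;; esac ;;
                        *)   case $host in $pat) active=1 ;; esac ;;
                    esac
                done
                # A matching negated pattern cancels the whole Host line.
                [ "$negated" -eq 0 ] || active=0 ;;
            match) active=0 ;;
            gssapiauthentication)
                if [ "$active" -eq 1 ]; then          # first applicable value wins
                    printf '%s\n' "$1" | tr 'A-Z' 'a-z'
                    return 0
                fi ;;
        esac
    done < "$file"
    echo unset
}

# Constructed sample config; host names are placeholders.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
Host legacy.example.com
    GSSAPIAuthentication no
Host *.example.com !bastion.example.com
    GSSAPIAuthentication yes
Host *
    SendEnv LANG
EOF
}

cfg=$(mktemp) && write_sample "$cfg"
for h in legacy.example.com ipa.example.com bastion.example.com; do
    printf '%s -> %s\n' "$h" "$(gssapi_effective "$cfg" "$h")"
done
rm -f "$cfg"
```

On a machine with OpenSSH installed, `ssh -G <host>` prints the fully resolved client configuration and is the authoritative check.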