Note.
The GSSAPI attempts from the Mac side are only attempted when a binddn
(security -> "use authentication when connecting") account is provided.
Otherwise I suspect it's unable to even work out what type of GSSAPI
transaction to attempt.
On 19 September 2017 at 15:19, David Harvey <davidcharvey(a)googlemail.com>
wrote:
Some edits and expansion on my previous attempt to post...
Free IPA 4.4.3
Mac OSX 10.12
Thanks for all the hard work on this; I've been enjoying an almost
functional setup for the last week but have been tearing my hair out with
making GSSAPI behave.
What I have found so far using the config instructions - may be error
prone now given the number of combinations tried!
Anonymous bind enabled on FreeIPA: works if you also specify a real user
in the Directory Utility auth
RootDSE only enabled on FreeIPA: works if you also specify a real user
in the Directory Utility auth section (not a service account)
No anonymous binds: will not play at all.
Now the thing that is really throwing me, is that GSSAPI ldapsearch works
just fine from the command line (using -Y GSSAPI) but directory utility
seems unable to use these credentials.
I'm totally unsure if this is an OS limitation (as the login screen
wouldn't have any creds until a user has typed them) or if I've managed to
screw something up.
From browsing my LDAP access logs it looks like only conventional binds
are attempted regardless. On the Mac side it did until recently still
mention GSSAPI attempts (when anonymous LDAP is disabled), although these
couldn't be found in the LDAP log. It feels like the Mac client is unable
to work out how to present the krb credential due to a mapping issue or DNS
discovery issue (both my IPA servers have RDNS entries).
Other notable log entries on the Mac side are " failed to retrieve
password for credential", and "failed to retrieve server schema". These
both occur under the rootdse only ldap config.
I'd like to be in a position where I can either have a very reduced access
LDAP user enabled on all Mac clients, or that they can harness the host or
user keytab in order to require no special LDAP credentials of their own.
Most of all I suppose I want to know what should work, or be workable!
Hope this makes sense, and thanks in advance,
David
p.s. I'm still not sure if I've managed to join this list, so subject to
moderation, and I might require an explicit reply-to in order to get
responses!
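The thread turns on what the server-side access log shows: David reads his LDAP access logs as containing only "conventional" (simple) binds, while the Mac client claims to be attempting GSSAPI. The script below is an added example, not code from the thread or from FreeIPA; it classifies BIND operations in a 389-ds style access log (the directory server behind FreeIPA) into anonymous simple binds, authenticated simple binds and SASL binds by mechanism, and pairs each with its RESULT line so that a SASL/GSSAPI negotiation is not miscounted. The sample log lines are constructed to mimic the 389-ds access-log layout (`BIND dn="" method=128` for a simple bind, `method=sasl ... mech=GSSAPI` for SASL, `RESULT err=14` for "SASL bind in progress"); the line layout and the DNs are assumptions for illustration, not lines from the poster's servers. LDAP result codes 14 (saslBindInProgress) and 48 (inappropriateAuthentication, which 389-ds returns when anonymous access is disabled) are standard.

```python
import re
from collections import Counter

# Constructed sample in 389-ds access-log style (assumed layout, not the poster's logs).
# conn=101: anonymous simple bind, accepted.
# conn=102: simple bind as a dedicated bind account.
# conn=103: SASL/GSSAPI bind, two round trips (err=14 = in progress, then success).
# conn=104: anonymous simple bind rejected (err=48) as with anonymous access disabled.
SAMPLE_ACCESS_LOG = """\
[19/Sep/2017:15:10:01.123456789 +0100] conn=101 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[19/Sep/2017:15:10:01.234567890 +0100] conn=101 op=0 BIND dn="" method=128 version=3
[19/Sep/2017:15:10:01.345678901 +0100] conn=101 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000 dn=""
[19/Sep/2017:15:10:02.000000000 +0100] conn=102 op=0 BIND dn="uid=macbind,cn=sysaccounts,cn=etc,dc=example,dc=test" method=128 version=3
[19/Sep/2017:15:10:02.100000000 +0100] conn=102 op=0 RESULT err=0 tag=97 nentries=0 etime=0.001 dn="uid=macbind,cn=sysaccounts,cn=etc,dc=example,dc=test"
[19/Sep/2017:15:10:03.000000000 +0100] conn=103 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[19/Sep/2017:15:10:03.100000000 +0100] conn=103 op=0 RESULT err=14 tag=97 nentries=0 etime=0.000, SASL bind in progress
[19/Sep/2017:15:10:03.200000000 +0100] conn=103 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[19/Sep/2017:15:10:03.300000000 +0100] conn=103 op=1 RESULT err=0 tag=97 nentries=0 etime=0.001 dn="uid=dharvey,cn=users,cn=accounts,dc=example,dc=test"
[19/Sep/2017:15:10:04.000000000 +0100] conn=104 op=0 BIND dn="" method=128 version=3
[19/Sep/2017:15:10:04.100000000 +0100] conn=104 op=0 RESULT err=48 tag=97 nentries=0 etime=0.000
"""

BIND_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" '
    r'method=(?P<method>\S+) version=\d+(?: mech=(?P<mech>\S+))?'
)
RESULT_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)')

SASL_IN_PROGRESS = 14  # LDAP saslBindInProgress: negotiation continues, not a final outcome


def parse_bind_attempts(log_text):
    """Return every BIND operation in log order, each joined to the err code of its RESULT line."""
    binds = {}
    order = []
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            key = (m['conn'], m['op'])
            binds[key] = {'conn': m['conn'], 'op': m['op'], 'dn': m['dn'],
                          'method': m['method'], 'mech': m['mech'], 'err': None}
            order.append(key)
            continue
        m = RESULT_RE.match(line)
        if m and (m['conn'], m['op']) in binds:
            # RESULT lines carry (conn, op) so the outcome pairs with the right BIND.
            binds[(m['conn'], m['op'])]['err'] = int(m['err'])
    return [binds[k] for k in order]


def classify(bind):
    """Label a BIND as 'anonymous', 'simple' or 'sasl/<MECH>'."""
    if bind['method'].lower() == 'sasl':
        return 'sasl/' + (bind['mech'] or 'unknown')
    return 'anonymous' if bind['dn'] == '' else 'simple'


def summarize(log_text):
    """Count final bind outcomes by (kind, outcome); SASL in-progress steps are skipped."""
    counts = Counter()
    for b in parse_bind_attempts(log_text):
        if b['err'] == SASL_IN_PROGRESS:
            continue
        outcome = 'ok' if b['err'] == 0 else 'err=%s' % b['err']
        counts[(classify(b), outcome)] += 1
    return counts


def gssapi_binds_seen(log_text):
    """True if any client completed (or at least began) a SASL/GSSAPI bind."""
    return any(classify(b) == 'sasl/GSSAPI' for b in parse_bind_attempts(log_text))


if __name__ == '__main__':
    for (kind, outcome), n in sorted(summarize(SAMPLE_ACCESS_LOG).items()):
        print('%-14s %-8s %d' % (kind, outcome, n))
    print('GSSAPI seen:', gssapi_binds_seen(SAMPLE_ACCESS_LOG))
```

Run against a real `access` log from `/var/log/dirsrv/slapd-<INSTANCE>/`, a client that claims to use Kerberos but only ever shows up as `method=128` with a non-empty dn is doing simple binds with the configured bind account, and one that shows up as `dn="" method=128` with `err=48` is falling back to anonymous bind against a server that forbids it; only `method=sasl ... mech=GSSAPI` lines confirm that a ticket was actually presented.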