Sorry for the spam, but I just discovered that it seems that even in a standard installation there's a "Ticket Viewer.app" which allows you to login graphically and even change your password.

On Fri, May 10, 2019 at 5:38 PM Alex Corcoles <alex@corcoles.net> wrote:
Hehe, just tried to do this and it works beautifully, thanks!

On Tue, Apr 30, 2019 at 8:37 PM Charles Hedrick <hedrick@rutgers.edu> wrote:
Kerberos works fine on OS X, as long as you don’t need two-factor authentication or an HTTPS proxy. If you need those, install the kerberos5 and ssh packages from MacPorts.

ssh, sshd, the NFS client (Kerberized NFS versions 3 and 4), Chrome and Firefox (SPNEGO) all support Kerberos.

I think “join the domain” would simply mean that login uses IPA. I assume you can do that, though I haven’t tried. I do kinit manually. Once I have a TGT from kinit, everything else works.

ssh:
Edit /etc/ssh/ssh_config. Add "GSSAPIAuthentication yes"

Firefox. Here’s what the IPA web client says:
        Import CA certificate for your IPA realm. This assumes you’re not using a commercial cert, which should use a CA that the system already knows about
• Make sure you select all three checkboxes.
• In the address bar of Firefox, type about:config to display the list of current configuration options.
• In the Filter field, type negotiate to restrict the list of options.
• Double-click the network.negotiate-auth.trusted-uris entry to display the Enter string value dialog box.
• Enter the name of the domain against which you want to authenticate, for example, .example.com.

Note that the instructions for Chrome from the IPA webclient don’t work for MacOS. See https://www.jeffgeerling.com/blogs/jeff-geerling/kerberos-authentication-mac-os for the magic “defaults write” commands.



On Apr 24, 2019, at 7:33 AM, Alex Corcoles via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

So I now have an OS X work laptop and did a kinit user@MYDOMAIN and... it worked!

I've seen some guides about joining an OS X system to FreeIPA, but I don't think I want that (we are not currently joining work OS X systems to a domain, but I suppose we will soon, and I guess joining two domains would be hairy), but I'm wondering if it's not crazy to kinit, get my Kerberos tickets and get SSO for https/ssh?

While having a ticket seems to not be enough to get SSH/Firefox to work, I'm wondering if it's viable to get it to work or if it's a waste of time because it cannot work or has serious limitations. It's mostly for learning purposes...

Cheers,

Álex
--
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


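The client-side steps discussed in this thread (a TGT from kinit, GSSAPI for ssh, the negotiate-auth allow-list for Firefox and Chrome), as an added example that is not code from the thread or from the FreeIPA project. It departs from the thread in two places on purpose: the ssh setting goes into a per-user ~/.ssh/config block scoped to a Host pattern rather than into /etc/ssh/ssh_config for every host, and credential delegation is explicitly left off. The domain example.com, the host pattern *.example.com, the file paths, and the Chrome policy key AuthServerAllowlist are my assumptions (the thread only points at the blog post for the Chrome command), so check them against your own realm and Chrome version.

```shell
#!/bin/sh
# Added example, not code from the thread. Kerberos SSO client setup on macOS
# expressed as shell functions so each step can be inspected before it is
# applied. Assumed names: DNS domain example.com, ssh hosts *.example.com.
set -eu

# 1. ssh: scope GSSAPIAuthentication to a Host pattern in ~/.ssh/config
#    instead of turning it on in /etc/ssh/ssh_config for every host, so the
#    TGT is only offered to hosts in your realm. GSSAPIDelegateCredentials
#    stays off: forwarding the TGT would let a compromised server act as you
#    against every other Kerberized service.
write_ssh_gssapi_block() {
    cfg=$1 pattern=$2
    {
        printf 'Host %s\n' "$pattern"
        printf '    GSSAPIAuthentication yes\n'
        printf '    GSSAPIDelegateCredentials no\n'
    } >>"$cfg"
}

# 2. Offline check: which value of option $3 applies to host $2 in file $1?
#    Mirrors ssh_config semantics: keywords are case-insensitive, Host takes
#    glob patterns, and the first obtained value wins (so a "Host *" block
#    earlier in the file silently overrides a later, more specific one).
#    Not handled: negated "!pattern" entries, Match blocks, Include.
#    With OpenSSH >= 6.8, "ssh -G host" gives the authoritative answer.
ssh_option_for() {
    cfg=$1 host=$2 want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    active=1 found=
    set -f                      # no filename globbing while splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line            # split the line on whitespace
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        case $key in
            \#*) continue ;;
            host)
                shift; active=0
                for pat in "$@"; do
                    case $host in $pat) active=1 ;; esac
                done ;;
            "$want")
                if [ "$active" -eq 1 ] && [ -z "$found" ]; then
                    found=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
                fi ;;
        esac
    done <"$cfg"
    set +f
    printf '%s\n' "${found:-unset}"
}

# 3. Firefox: the about:config step from the thread, as a user.js line that
#    Firefox reads from the profile directory on startup. Keep it to your own
#    domain: every URI that matches is handed a ticket proving your identity.
write_firefox_negotiate_pref() {
    userjs=$1 domain=$2
    printf 'user_pref("network.negotiate-auth.trusted-uris", "%s");\n' "$domain" >>"$userjs"
}

# 4. Chrome on macOS takes the same allow-list from its preferences domain.
#    AuthServerAllowlist is assumed to be the current policy key (older posts
#    use AuthServerWhitelist). Returned as a string so you can review it first.
chrome_negotiate_cmd() {
    printf "defaults write com.google.Chrome AuthServerAllowlist '%s'\n" "$1"
}

# 5. None of the above matters without a usable TGT: klist -s exits 0 only
#    when the credential cache holds an unexpired ticket (MIT and the Heimdal
#    build macOS ships). Run "kinit user@EXAMPLE.COM" first otherwise.
have_tgt() { klist -s 2>/dev/null; }

# Usage (writes to real files; uncomment to apply):
# have_tgt || kinit "$USER@EXAMPLE.COM"
# write_ssh_gssapi_block "$HOME/.ssh/config" '*.example.com'
# ssh_option_for "$HOME/.ssh/config" web.example.com GSSAPIAuthentication
# write_firefox_negotiate_pref "$HOME/Library/Application Support/Firefox/Profiles/<profile>/user.js" .example.com
# chrome_negotiate_cmd '*.example.com'
```

After applying the ssh block, `ssh -v host.example.com` should report `Authenticated to ... using "gssapi-with-mic"`; if it falls back to a password, run `ssh_option_for` (or `ssh -G host.example.com`) to see whether an earlier `Host *` block in the same file is winning, which is the usual reason the global setting in the thread gets masked.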