11:02 a.m.
Hello All,
I have recently submitted a How/To
<https://www.freeipa.org/page/HowTo/Setup_FreeIPA_Services_for_Mac_OS_X_10...
for
FreeIPA. I'd very much appreciate any feedback or editing on it- I don't
want to link to it without a review. Thanks!
--
*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073 <(412)%20636-2073>
office: 412-362-0201 <(412)%20362-0201>
12:44 p.m.
We run almost the exact same setup...Which is sufficient, but not as
great as it could be (Basically the password changing issues you've
noted). We've also noticed that a single bad login attempt gets counted
multiple times on the IPA server, so you can get locked accounts quicker
than expected.
There was a guy on the list that had what sounded like a very promising
alternative to this that did some ldap db modifications but I tried so
many times to do it and could never get it to work :( The link is:
https://www.redhat.com/archives/freeipa-users/2016-February/msg00059.html
There is some good information, but I could just never get it to
work...Would love if someone would step-by-step that one a little more
in detail.
Also, as an aside...If you changed your password via FreeIPA gui (Or
from another linux machine) you can update the FileVault password by
issuing a "sudo" command...I usually just do "sudo -l" and then
you're
good. Not sure why, but we found that out over the years.
Also we edit a few other pam files, screensaver (So when you unlock you
get a new ticket) and passwd (I think so you can change from cmd,
although not 100% sure that works)
cat > /etc/pam.d/screensaver << 'EOF'
auth optional pam_krb5.so use_first_pass use_kcminit
default_principal
auth sufficient pam_krb5.so use_first_pass default_principal
auth required pam_opendirectory.so use_first_pass nullok
account required pam_opendirectory.so
account sufficient pam_self.so
account required pam_group.so no_warn group=admin,wheel fail_safe
account required pam_group.so no_warn deny group=admin,wheel
ruser fail_safe
EOF
cat > /etc/pam.d/passwd << 'EOF'
password sufficient pam_krb5.so
auth required pam_permit.so
account required pam_opendirectory.so
password required pam_opendirectory.so
session required pam_permit.so
EOF
On 06/14/2017 12:02 PM, Jason Sherrill via FreeIPA-users wrote:
Hello All,
I have recently submitted a How/To
<https://www.freeipa.org/page/HowTo/Setup_FreeIPA_Services_for_Mac_OS_X_10... for
FreeIPA. I'd very much appreciate any feedback or editing on it- I
don't want to link to it without a review. Thanks!
--
*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073 <tel:%28412%29%20636-2073>
office: 412-362-0201 <tel:%28412%29%20362-0201>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
5:03 a.m.
Hi,
On 14/06/2017 18:02, Jason Sherrill via FreeIPA-users wrote:
Hello All,
I have recently submitted a How/To
<https://www.freeipa.org/page/HowTo/Setup_FreeIPA_Services_for_Mac_OS_X_10... for
FreeIPA. I'd very much appreciate any feedback or editing on it- I
don't want to link to it without a review. Thanks!
I used /etc/krb5.conf instead of /Library/Preferences/edu.mit.Kerberos
which also seemed to work,
but I noticed the MacOS client doesn't fall back to tcp, so if udp is
blocked in your network you need to specify
[realms]
EXAMPLE.COM = {
kdc = tcp/ipa-server.example.com
admin_server = tcp/ipa-server.example.com
}
to get kinit and changing of an expired password to work (using kinit,
haven't configured my accounts as system accounts yet)
--
*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073 <tel:%28412%29%20636-2073>
office: 412-362-0201 <tel:%28412%29%20362-0201>
Regards,
Jens Timmerman
1:44 p.m.
Thank you Lee and Jens!
I've been testing your suggestions and I'll start deploying the changes
next week.
On Thu, Jun 15, 2017 at 6:03 AM, Jens Timmerman via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Hi,
On 14/06/2017 18:02, Jason Sherrill via FreeIPA-users wrote:
Hello All,
I have recently submitted a How/To
<https://www.freeipa.org/page/HowTo/Setup_FreeIPA_Services_for_Mac_OS_X_10... for
FreeIPA. I'd very much appreciate any feedback or editing on it- I don't
want to link to it without a review. Thanks!
I used /etc/krb5.conf instead of /Library/Preferences/edu.mit.Kerberos
which also seemed to work,
but I noticed the MacOS client doesn't fall back to tcp, so if udp is
blocked in your network you need to specify
[realms]
EXAMPLE.COM = {
kdc = tcp/ipa-server.example.com
admin_server = tcp/ipa-server.example.com
}
to get kinit and changing of an expired password to work (using kinit,
haven't configured my accounts as system accounts yet)
--
*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073 <%28412%29%20636-2073>
office: 412-362-0201 <%28412%29%20362-0201>
Regards,
Jens Timmerman
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
--
*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073 <(412)%20636-2073>
office: 412-362-0201 <(412)%20362-0201>
2504
days inactive
2505
days old
freeipa-users@lists.fedorahosted.org
3 comments
3 participants
participants (3)
-
Jason Sherrill -
Jens Timmerman -
Lee Wiscovitch