[Freeipa-users] Kerberos and 2fa with mac OS X client

Alexander Bokovoy abokovoy at redhat.com
Thu Dec 15 16:20:50 UTC 2016


On Thu, 15 Dec 2016, Sumit Bose wrote:
>On Thu, Dec 15, 2016 at 03:38:14PM +0000, Mark Steele wrote:
>> Hi,
>>
>> Has anyone managed to make this work and if so, is there some documentation for doing so?
>>
>> I can successfully authenticate to my linux servers using 2FA, but am
>> unable to get my Mac to be able to get a ticket with kinit.
>>
>> Kinit returns: “password incorrect”, and isn’t prompting for the
>> second factor. I’ve also tried appending the second factor to the
>> password (like when logging into the UI).
>>
>> Any help would be appreciated.
>
>For 2FA FAST is needed http://www.freeipa.org/page/V4/OTP#kinit_Method.
>For MacOS I found
>https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/kinit.1.html
>and according to this the MacOS kinit does not support FAST, i.e. using
>an armor credential cache. But maybe there are newer or alternative
>versions which support it?
Starting with Mac OS X 10.8, Heimdal does support FAST.

kinit --fast-armor-cache /path/to/ccache

In the Mac OS X numbering scheme for Heimdal, this is version 247.6 or later.

-- 
/ Alexander Bokovoy



