[Freeipa-users] Kerberos and 2fa with mac OS X client

Alexander Bokovoy abokovoy at redhat.com
Thu Dec 15 16:20:50 UTC 2016

On Thu, 15 Dec 2016, Sumit Bose wrote:
>On Thu, Dec 15, 2016 at 03:38:14PM +0000, Mark Steele wrote:
>> Hi,
>> Has anyone managed to make this work and if so, is there some documentation for doing so?
>> I can successfully authenticate to my linux servers using 2FA, but am
>> unable to get my Mac to be able to get a ticket with kinit.
>> Kinit returns: “password incorrect”, and isn’t prompting for the
>> second factor. I’ve also tried appending the second factor to the
>> password (like when logging into the UI).
>> Any help would be appreciated.
>For 2FA FAST is needed http://www.freeipa.org/page/V4/OTP#kinit_Method.
>For MacOS I found
>and according to this the MacOS kinit does not support FAST, i.e. using
>an armor credential cache. But maybe there are newer or alternative
>versions which support it?
Starting with Mac OS X 10.8, Heimdal does support FAST.

kinit --fast-armor-cache /path/to/ccache

In the Mac OS X numbering scheme for Heimdal, this is version 247.6 or later.

/ Alexander Bokovoy
