[Freeipa-users] Apple OpenDirectory Integration

Alexander Bokovoy abokovoy at redhat.com
Thu Feb 4 16:57:52 UTC 2016 

On Thu, 04 Feb 2016, "Răzvan Corneliu C.R. VILT" wrote:
>
>>> It's static data. It's a concatenation of multiple strings: a
>>> hard-coded one, the uid and the realm. It only changes if you rename
>>> the user account. It is used to route the authn phase to the Kerberos
>>> account (no PAM configuration!!!).
>> I wonder if we should use CoS plugin to get this data added to user
>> entries instead of storing it in every single user's LDAP entry -- the
>> only thing that is different is uid but the rest is the same, right?
>
>Right. At least for single realms with no trust domains. If you have an
>identity from another realm, you need to use the KRB5 principal from
>that realm. So instead of mapping to the UID, we should map to the
>krbPrincipal.
Yep.

I've moved the ticket 4813 to needs triage basket and referenced this
thread.

>
>The format for altSecurityIdentities is:
>=======================================
>"Kerberos:" + $krbPrincipal
>Or for certificate logon:
>"X509:" + "<T>CN=" + $issuerRDN + "<S>CN=" + $subject. Such as:
>"X509:<T>CN=Apple Root CA,OU=Apple Certification Authority,O=Apple Inc.,C=US<S>CN=com.apple.idms.appleid.prd.deadbeefdeadbeefdeadbeefdeadbeef"
>
>It's identical to the altSecurityIdentities from MSDN and was adopted by Apple from Microsoft. See https://msdn.microsoft.com/en-us/library/cc220106.aspx
>In theory it can also be used for SC Certificate logons (see above example). It is also used by iCloud for certificate logons.
>
>
>The format for authAuthority is:
>=============================================
>Kerberos
>--------
>Minimal Kerberos:
>";Kerberosv5;;" + $krbPrincipal + ";" + $realm + ";"
>
>Fully compliant Kerberos:
>";Kerberosv5;" + "0x"$GUID_HEX + ";" + $krbPrincipal + ";" + $realm + ";" + "Realm Public Key"
>Documented on: https://developer.apple.com/library/mac/documentation/Networking/Conceptual/Open_Directory/openDirectoryConcepts/openDirectoryConcepts.html#//apple_ref/doc/uid/TP40000917-CH3-68599
>
>Basic Authentication
>--------------------
>Of no interest, just crypt(). Documented on:
>https://developer.apple.com/library/mac/documentation/Networking/Conceptual/Open_Directory/openDirectoryConcepts/openDirectoryConcepts.html#//apple_ref/doc/uid/TP40000917-CH3-68270
>
>Apple Password Server Authentication:
>-------------------------------------
>;ApplePasswordServer;0xfc00000000001e291a400254ba69508,1024 65537 100000735360000022652669667510124737971525265977003458292838259662475941942339637701783031842665637489899899968013535474647377427038990743911664412758698759306606987798849786426049586039725915353359580583450027978985802381494661566820916379229460639580871881869418576860074704243214464804408968770344748232621 root at ipa.example.com:172.23.36.138
>Documented on: https://developer.apple.com/library/mac/documentation/Networking/Conceptual/Open_Directory/openDirectoryConcepts/openDirectoryConcepts.html#//apple_ref/doc/uid/TP40000917-CH3-68312
>Partly implemented in https://code.google.com/archive/p/lpws but without an IPA Bridge.
>
>Shadow Hash Authentication (used by local accounts):
>----------------------------------------------------
>;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2>
>Documented on:
>https://developer.apple.com/library/mac/documentation/Networking/Conceptual/Open_Directory/openDirectoryConcepts/openDirectoryConcepts.html#//apple_ref/doc/uid/TP40000917-CH3-68474
>
>Local Cached User Authentication (used by road-warrior scenarios on the local systems):
>---------------------------------------------------------------------------------------
>Documented on:
>https://developer.apple.com/library/mac/documentation/Networking/Conceptual/Open_Directory/openDirectoryConcepts/openDirectoryConcepts.html#//apple_ref/doc/uid/TP40000917-CH3-68528
>
>Netlogon Authentication (used by Active Directory)
>--------------------------------------------------
>;Netlogon;razvan.vilt;MYDOMAIN
>
>iCloud Authentication (obvious)
>-------------------------------
>;AppleID;razvan.vilt at me.com
>
>Disabled Authentication (this needs attention)
>----------------------------------------------
>Basically put ";DisabledUser;;" in front of the previous authentication method.
>
>
>>> OK. So on Linux you do an automount map for the file server with the
>>> homes and state that the user home directory is in /home/$userName
>>>
>>> On Windows, you give the home folder as \\server\share\folder, but
>>> assume that the protocol is SMB/CIFS.
>>>
>>> On Mac OS X, you give the protocol, the server and the share\folder.
>>> You could use automount, but I've never seen any OS X admin do that.
>>> Mainly because you loose the roaming ability (they call it file
>>> synchronization). Mac OS X can use roaming profiles just like Windows.
>>> They don't have to be mounted except at logon time which is important
>>> for road-warriors. Since most Macs are laptops, the road-warrior
>>> scenario is assumed. Otherwise, you just get local homes.
>> If you don't provide any share details, what happens? Will Mac OS X
>> would fill-in the defaults based on the user name?
>
>It would create a local profile in /Users/$userName. Which in reality
>is what most Mac admins do anyway. Roaming profiles are not used very
>much.
>
>If you bind to Active Directory on a Mac, you get the following Attributes:
>NFSHomeDirectory: "/Users/razvan.vilt"
>OriginalHomeDirectory: "<home_dir><url>smb://myFileServer/usersShare/razvan.vilt</url><path>/</path></home_dir>"
>The attributes are made by the Active Directory plugin automatically from "\\myFileServer\usersShare\razvan.vilt".
>
>>
>>>> I'd open one or more RFE tickets on https://fedorahosted.org/freeipa/newticket
>>>
>>> One was already opened (https://fedorahosted.org/freeipa/ticket/4813)
>>> and I'm in CC. Since nothing happened for 1 year after my offer to
>>> document it, I've decided to start this thread.
>> It mostly boils down to IPA developers not really having access to Mac
>> OS X devices. And load of other tickets to solve, of course.
>
>I can provide VMs and/or access to VMs. FreeIPA is Python, 389 DS and
>389 plugins. It's overkill for me to go under the hood.
What VMs? Mac OS X?


-- 
/ Alexander Bokovoy

More information about the Freeipa-users mailing list