[Freeipa-users] OS X Yosemite unable to authenticate
Cal Sawyer
cal-s at blue-bolt.com
Tue Jun 21 16:11:55 UTC 2016
<hits brakes, swerves> ... "have to add the user as an administrator on
the local machine"? That's pretty intriguing, but not great
security-wise, unfortunately. Not a big deal at the moment, though
ok, just made my user account an admin but it's still dragging on login.
My IPA setup is the same: ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
Any chance i could get a denatured plist from you offline, Joe?
cheers
Cal Sawyer | Systems Engineer | BlueBolt Ltd
15-16 Margaret Street | London W1W 8RW
+44 (0)20 7637 5575 | www.blue-bolt.com
On 21/06/16 16:07, Joe DiTommasso wrote:
> No fiddling that I remember. Basically got the setup working once and
> then have been pushing out plist files to all new installs. Graphical
> login works, as does sudo, sort of-still have to add the user as an
> administrator on the local machine, but then their kerberos password
> works for authentication. Running up-to-date-ish IPA 4 on CentOS 7.
>
> jdito at sum-freeipa-01:~$ rpm -qa | grep ipa
>
> *ipa*-python-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
> lib*ipa*_hbac-1.13.0-40.el7_2.4.x86_64
>
> *ipa*-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
> python-in*ipa*rse-0.4-9.el7.noarch
>
> *ipa*-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
> sssd-*ipa*-1.13.0-40.el7_2.4.x86_64
>
> *ipa*-client-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
> python-lib*ipa*_hbac-1.13.0-40.el7_2.4.x86_64
>
> *ipa*-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
>
> Let me know what you'd like to see from my config. Thanks for the tip
> on the secondary groups-I already had that in there, but looking at it
> realized that I needed to point at the compat tree, because the
> regular one doesn't expose memberUID.
>
>
> On Tue, Jun 21, 2016 at 10:42 AM, Cal Sawyer <cal-s at blue-bolt.com
> <mailto:cal-s at blue-bolt.com>> wrote:
>
> Wow, that's surprising, Joe. I'm also using the linsec recipe.
> Yours required no fiddling? You can login straight off from the
> graphical loginWindow?
>
> Yes, very interested in any help you can offer. Are you
> authenticating against IPA 3 or 4, for sake of curiosity.
>
> BTW: you can get your secondary groups by:
>
> In Groups add attribute 'GroupMembership' mapped to 'memberUID'
>
> thanks!
>
> Cal Sawyer | Systems Engineer | BlueBolt Ltd 15-16 Margaret Street
> | London W1W 8RW +44 (0)20 7637 5575
> <tel:%2B44%20%280%2920%207637%205575> |www.blue-bolt.com <http://www.blue-bolt.com>
>
> On 21/06/16 15:07, Joe DiTommasso wrote:
>> I've actually got a whole stack of El Capitan clients
>> authenticating against FreeIPA:
>>
>> mac-mini-01:~ jdito$ system_profiler SPSoftwareDataType
>> Software:
>>
>> System Software Overview:
>>
>> System Version: OS X 10.11.5 (15F34)
>> Kernel Version: Darwin 15.5.0
>> Boot Volume: Macintosh HD
>> Boot Mode: Normal
>> Computer Name: admin’s Mac mini
>> User Name: Joe DiTommasso (jdito)
>> Secure Virtual Memory: Enabled
>> System Integrity Protection: Enabled
>> Time since boot: 14 days 15:00
>>
>> The Linsec guide worked for me. The only real issue is that it
>> only sees the user's primary group, and not supplemental groups.
>> I'm not terribly good with Macs, but happy to assist in
>> troubleshooting.
>>
>> Joe
>>
>> On Tue, Jun 21, 2016 at 9:46 AM, Cal Sawyer <cal-s at blue-bolt.com
>> <mailto:cal-s at blue-bolt.com>> wrote:
>>
>> As usual, apologies for any formatting issues due to
>> extracting message threads out of digests ...
>>
>> Anyhow., i have determined where everything goes terribly
>> wrong with OSX clients: OSX 10.10.3 ("out of the box"
>> Yosemite) works fine using linsec.ca <http://linsec.ca>'s
>> guidance. However, the second you patch to 10.10.5 or
>> upgrade to El Capitan (10.11.5), authentication fails
>> absolutely in the ways described in earlier threads.
>> Colleagues who i've spoken with who are trying to set up IPA
>> at their facilities report the same problem and it's a total
>> show-stopper. Interesting how all(?) of what is written on
>> the topic of OSX and IPA dries up after 10.8, although we've
>> seen in an earlier thread reports of 10.9 working. I've
>> repeated this test a few times and the result is always the
>> same. - 10.10.3 is the last OSX capable of authenticating
>> against IPA using currently available knowledge.
>>
>> Running tcpdump on 10.10.3 and a 10.10.5 clients show very
>> different authentication dialogues. I'm afraid, however,
>> that i lack the skills to interpret where exactly the later
>> OSX release is failing. I have my (unfounded) suspicions -
>> that SASL binding for LDAP and kerberos are implicated.
>> 10.10.3 certainly shows no kerberos transactions whereas 10.10.5
>>
>> Re DNS: both client types resolve all SRV records hosted in
>> IPA fine. I even went so far as setting up rudimentary ipv6
>> as there were some AAAA requests that were going unanswered
>> and it thought it might related (not, as it turns out)
>>
>> So, would anyone on the IPA team be interested in looking at
>> some packet captures? I'm completely up for working with
>> you, providing whatever is needed and doing testing. It
>> would be fantastic to restore IPA-based auth for newer OSX
>> releases.
>>
>> best regards,
>>
>> - cal sawyer
>>
>> From: John Obaterspok<john.obaterspok at gmail.com>
>> <mailto:john.obaterspok at gmail.com>
>> To: Nicola Canepa<canepa.n at mmfg.it> <mailto:canepa.n at mmfg.it>
>> Cc:"freeipa-users at redhat.com" <mailto:freeipa-users at redhat.com> <freeipa-users at redhat.com> <mailto:freeipa-users at redhat.com>, Cal Sawyer
>> <cal-s at blue-bolt.com> <mailto:cal-s at blue-bolt.com>
>>
>> Hi, Are you only having problems to login to login to
>> OSX with the IPA user now? If that is the case then
>> check the DNS settings you are using and make sure
>> the IPA server is listed first and that it has full
>> name. Exactly the same problem occurred for me with
>> the slow logins to OSX which was due to the DNS
>> settings and that OSX only used short name of IPA
>> server during login (if I logged in as local user I
>> could ping and lookup hosts using short name) -- john
>> 2015-12-21 17:49 GMT+01:00 Nicola Canepa
>> <canepa.n at mmfg.it> <mailto:canepa.n at mmfg.it>:
>>>> I had to configure /etc/krb5.conf, and to avoid the requested reboot, I
>>>> did a "dscacheutil -flushcache", both as the logged in user and as root.
>>>> I tried enabling the anonymous bind and now also the directory browser
>>>> (and all the login process) works as expected.
>>>>
>>>> Nicola
>>>>
>>>> Il 21/12/15 17:39, Cal Sawyer ha scritto:
>>>>
>>>> Thanks, John and Nicola
>>>>
>>>> Kerberos occurred to me as well late in the day yesterday. Happily (?),
>>>> knit works fine simply specifying the user in question with no need to
>>>> suffix with the kerberos realm
>>>>
>>>> I did find that my test user had an expired password, which i fixed on the
>>>> IPA server. This was never flagged up under Linux, btw. It has not change
>>>> anything, however, other than not prompting for password changes that never
>>>> take effect. Funnily, it expired in the midst of testing - fun.
>>>>
>>>> I was mistaken when i said i was unable to log in - it turns out that it
>>>> takes almost 10 minutes for a login from the frintend to complete - i just
>>>> didn't wait long enough. 10 mins is of course unacceptable :) "su - user"
>>>> and "login user" fail outright after rejecting accept any user's password
>>>>
>>>> DNS is fine and i can resolve ldap and kerberos SRV records from the Mac
>>>>
>>>> In line with Nicola's experience, i can browse groups and users in the
>>>> Directory Editor and all attributes appear spot on.
>>>>
>>>> Besides modding /etc/pam.d/authorization, adding a corrected
>>>> edu.mit.kerberos to /LibraryPreferences and setting up the directory per
>>>> linsec.ca <http://linsec.ca>, can anyone think of something i may have missed? It's a real
>>>> shame that the documentation on this stops around 5 years ago.
>>>>
>>>> IPA devs: is there anything i should be on the lookout for in the dirsrv
>>>> or krb5 logs on the IPA master? I've disabled the secondary to prevent
>>>> replication from clouding the log events
>>>>
>>>> thanks, everyone
>>>>
>>>> Cal Sawyer | Systems Engineer | BlueBolt Ltd
>>>> 15-16 Margaret Street | London W1W 8RW+44 (0)20 7637 5575
>>>> <tel:%2B44%20%280%2920%207637%205575> |www.blue-bolt.com <http://www.blue-bolt.com>
>>>>
>>>> On 21/12/15 07:57, Nicola Canepa wrote:
>>>>
>>>> Hello, I tried 2 weeks ago from Mavericks (OSX 10.9), but I had the
>>>> opposite problem: kinit works fine, while I'm unable to see users with
>>>> Directory Admin ((it always says it cant' connect, either with or without
>>>> SSL)
>>>> I disabled anonymous searches in 389-ds, by the way.
>>>>
>>>> Nicola
>>>>
>>>> Il 21/12/15 07:50, John Obaterspok ha scritto:
>>>>
>>>> Hi Cal,
>>>>
>>>> Does a kinit work from a terminal? Does it work if you use "kinit user" or
>>>> just if you use "kinit<user at REALM.suffix>
>>>> <mailto:user at REALM.suffix>user at REALM.suffix
>>>> <mailto:user at REALM.suffix>"
>>>>
>>>> -- john
>>>>
>>>>
>>>> 2015-12-20 15:09 GMT+01:00 Cal Sawyer<cal-s at blue-bolt.com> <mailto:cal-s at blue-bolt.com>:
>>>>
>>>>> Hi, all
>>>>>
>>>>> I'm attempting to set up LDAP auth (against IPA server 4.10) from a OSX
>>>>> 10.10.5 (Yosemite) client
>>>>>
>>>>> Using the excellent instructions at
>>>>> <http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8%20%22Linsec.ca%20tutorial%20for%20connecting%20Mac%20OS%2010.7%20to%20IPA%20Server>
>>>>> <http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8%20%22Linsec.ca%20tutorial%20for%20connecting%20Mac%20OS%2010.7%20to%20IPA%20Server>
>>>>> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8%20%22Linsec.ca%20tutorial%20for%20connecting%20Mac%20OS%2010.7%20to%20IPA%20Server,
>>>>> I've populated the specified files, d/l'd the cert, am able to configure
>>>>> Users and Groups objects/attribs and browse both from within OSX's
>>>>> Directory Utility. ldapsearch similarly returns the expected results.
>>>>>
>>>>> In spite of this, i'm unable to authenticate as any IPA-LDAP user on this
>>>>> system
>>>>>
>>>>> dirsrv log on the ipa master shows no apparent errors - remote auth
>>>>> attempts exit with "RESULT err=0 tag=101 nentries=1 etime=0", but tell the
>>>>> truth, there so much stuff there and being rather inexperienced with LDAP
>>>>> diags i might easily be missing something in the details
>>>>>
>>>>> Thelinsec.ca <http://linsec.ca> instructions were written in the 10.7-10.8 era so
>>>>> something may have changed since. Having said that, we've had no problems
>>>>> authenticating against our existing OpenLDAP server (which IPA is slated to
>>>>> replace) right up to 10.10.5 with no zero to our Directory Utility setup.
>>>>>
>>>>> Hoping someone here has some contemporary experience with OSX and IPA and
>>>>> for whom this issue rings a bell?
>>>>>
>>>>> many thanks
>>>>>
>>>>> Cal Sawyer | Systems Engineer | BlueBolt Ltd
>>>>> 15-16 Margaret Street | London W1W 8RW
>>>>> +44 (0)20 7637 5575 <%2B44%20%280%2920%207637%205575> |www.blue-bolt.com <http://www.blue-bolt.com>
>>>>>
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160621/5b1f7280/attachment.htm>
More information about the Freeipa-users
mailing list