<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 04/23/2014 05:58 PM, Fredy Sanchez
wrote:<br>
</div>
<blockquote
cite="mid:CAAqiBN77fOjA0f=R=2UaVYYeXxnE+OVo+zXpmpbWnBqRuDEE8A@mail.gmail.com"
type="cite">
<div dir="ltr">And here is the attachment.</div>
<div class="gmail_extra"><br>
</div>
</blockquote>
<br>
Thank you for the contribution!<br>
We will review and ask questions if there are any.<br>
We also welcome any other comments and reviews before we publish it
as a solution on the wiki.<br>
<br>
Thanks<br>
Dmitri<br>
<br>
<blockquote
cite="mid:CAAqiBN77fOjA0f=R=2UaVYYeXxnE+OVo+zXpmpbWnBqRuDEE8A@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Apr 23, 2014 at 5:57 PM, Fredy
Sanchez <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:fredy.sanchez@modmed.com" target="_blank">fredy.sanchez@modmed.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi all,
<div><br>
</div>
<div>Sorry for the delay.</div>
<div><br>
</div>
<div>I am sharing with you a couple of scripts and files
we use to enroll our Macs (ML and Mavericks) into our
FreeIPA domain. Using Luggage (<a moz-do-not-send="true"
href="https://github.com/unixorn/luggage"
target="_blank">https://github.com/unixorn/luggage</a>),
we package all of these into a one click installer that
can be deployed via ARD, Munki, etc. Now, our
environment has very specific requirements, so feel free
to ask if there's something you don't understand or that
seems incomplete.</div>
<div><br>
</div>
<div>These assume you already know what FreeIPA is, and
have it up and running. These also assume that all the
server pre-staging (for example, that all applicable DNS
records are already created) for the "enrollee" is done.
In sum, these are ideal if all you are missing is to
start enrolling Macs into the FreeIPA domain. And you'll
have to modify the files to match your FreeIPA domain;
we are using <a moz-do-not-send="true"
href="http://example.com" target="_blank">example.com</a>
for this.</div>
<div><br>
</div>
<div>The preflight script (freeipa-client-preinstall.sh)
will "clean" the environment of the enrollee, and backup
existing files that will be modified during the
enrollment process. It<br>
</div>
<div>
* Sets the DNS search domain</div>
<div>* Adds a "local" search domain to the enrollee to
speed up the login process if no FreeIPA server is
available during login</div>
<div>* Backs up edu.mit.Kerberos if it exists</div>
<div>* Backs up krb5.conf if it exists</div>
<div>* Backs up any existing LDAP info</div>
<div>* Backs
up /Library/Preferences/com.apple.loginwindow.plist</div>
<div><br>
</div>
<div>The postflight script (freeipa-client-postinstall.sh)
performs the enrollment. It</div>
<div>* Sets email notifications to know if the enrollment
failed or succeeded. These notifications will include
the who and the why, and a hardware profile from the
enrollee that we find useful</div>
<div>* Sets and tests many variables needed for a
successful enrollment like NTP syncing, a valid
hostname, and whether or not all applicable hosts
resolve thru your DNS servers</div>
<div>* Adjusts /Library/Preferences/com.apple.loginwindow
to work properly w/ FreeIPA accounts</div>
<div>* Gets opendirectoryd ready for FreeIPA</div>
<div>* Enrolls the host to FreeIPA thru multiple keytab
manipulations</div>
<div>* Gets around problems with anonymous binds in LDAP
by using a "hidden" user for enrollments</div>
<div>* Configures the SSH client for GSSAPI authentication</div>
<div>* Creates host keys and adds them to FreeIPA</div>
<div>* Deletes the local user account and leaves the home
directory intact. This will allow the owner of the
machine to log back in using his/her FreeIPA credentials
w/out noticing any changes. Of course, for this to
happen transparently the home directory has to be
massaged. Please let me know if you'd like to know how
we do this. I am omitting the details for now as this is
outside the scope, me thinks.</div>
<div><br>
</div>
<div>The files inside the Payload folder are:</div>
<div><br>
</div>
<div>The authorization and screensaver files are FreeIPA
ready ones. The postflight script above puts them where
they need to go (/private/etc/pam.d). <br>
</div>
<div><br>
</div>
<div>The postflight will add a /private/etc/ipa folder to
the enrollee. This folder must contain the following
files: ca-crt, ca-crt-selfsigned, example.enroll.keytab.
These will make more sense as you go thru the code.
These are private, so I am not sharing them.</div>
<div><br>
</div>
<div>The postflight script will also put FreeIPA ready
versions of edu.mit.Kerberos and multiple LDAP config
files where they need to go (follow the folder structure
in the .zip file attached). These we are sharing; you
will have to modify them to match your FreeIPA domain.</div>
<div><br>
</div>
<div>And this is it. Apologies for the long read. We
welcome your feedback; if you have any please send it my
way :-)</div>
<div><br>
</div>
</div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Thu, Apr 17, 2014 at 4:29
PM, Chris Whittle <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:cwhittl@gmail.com" target="_blank">cwhittl@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">I was able to take that script and
with some customizing get it to work with
Mavericks.... This should work, I tried to do a
find and replace to make it work like the github
one.</div>
<div>
<div>
<div class="gmail_extra">
<br>
<br>
<div class="gmail_quote">On Wed, Apr 16,
2014 at 5:40 PM, Fredy Sanchez <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:fredy.sanchez@modmed.com"
target="_blank">fredy.sanchez@modmed.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div dir="ltr">Sure Rob, we'll put
something together and send it to you
for publishing. Give us a few days.
We'll also sanitize our enrollment
package and share it w/ you too. This
is what we use to enroll our Macs, a
one time install that does what
ipa-client-install does for Linux,
including these LDAP mappings. We love
FreeIPA and will be really happy if
this helps any other users with Mac
fleets.</div>
<div class="gmail_extra">
<div>
<div><br>
<br>
<div class="gmail_quote">On Wed,
Apr 16, 2014 at 6:12 PM, Rob
Crittenden <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div>Fredy Sanchez wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
Hi Simo,<br>
<br>
Thanks for your reply. Good old Google pointed me to<br>
<a moz-do-not-send="true"
href="https://github.com/rtrouton/rtrouton_scripts/blob/master/rtrouton_scripts/open-ldap_bind_script/Mac_OpenLDAP_bind_script.sh"
target="_blank">https://github.com/rtrouton/rtrouton_scripts/blob/master/rtrouton_scripts/open-ldap_bind_script/Mac_OpenLDAP_bind_script.sh</a>, which gave me the idea of updating the RealName mapping to displayName. This solved the problem; I'll have to recreate the permissions for every share, but the user names now show up, and stick. No more UIDs.<br>
</blockquote>
<br>
</div>
Great. Any chance you can
write something and post a
howto on our wiki? Or send the
details to me and I'll write
something up?<br>
<br>
thanks<br>
<br>
rob<br>
<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div>
<br>
<br>
On Tue, Apr 15, 2014 at 9:30 AM, Simo Sorce <<a moz-do-not-send="true" href="mailto:simo@redhat.com" target="_blank">simo@redhat.com</a>> wrote:<br>
</div>
<div>
<br>
On Fri, 2014-04-11 at 10:37 -0400, Fredy Sanchez wrote:<br>
</div>
<div>
<div><br>
> Hi all,<br>
><br>
> We asked this same question at <a moz-do-not-send="true" href="http://discussions.apple.com" target="_blank">discussions.apple.com</a>, but figured we'd have better luck here. I apologize in advance if this is the wrong forum.<br>
><br>
> We are switching from Synology (DSM 5) to Mavericks server (v3.1.1, running in Mavericks 10.9.2) for File Sharing. We use a FreeIPA (ipa-server.x86_64 3.0.0-37.el6) backend for SSO, and the Mac server seems correctly bound to it. Unfortunately, although we can add usernames to the shares for the initial config, the usernames transform to UIDs after (only for SSO accounts; local accounts are not affected). That is, when we go to edit the permissions for a share, all we see are UIDs. We can always figure out the username from the UID, but this is an extra step we don't want to have. We've tried reinstalling the Mac server app from scratch, re-binding to the FreeIPA backend, changing mappings in Directory Utility (for example, mapping GeneratedUID to uid, which is the username), recreating the shares and permissions, etc. Here are more details about the binding:<br>
><br>
> * The binding happens thru a custom package we created based primarily on <a moz-do-not-send="true" href="http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8" target="_blank">http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8</a><br>
> * Sys Prefs, Users & Groups, Login Options show the server bound to the FreeIPA backend with the green dot<br>
> * The following mappings are in place in Directory Utility, Services, LDAPv3, FreeIPA backend<br>
><br>
> Users: inetOrgPerson<br>
> AuthenticationAuthority: uid<br>
> GeneratedUID: random number in uppercase<br>
> HomeDirectory: #/Users/$uid$<br>
> NFSHomeDirectory: #/Users/$uid$<br>
> OriginalHomeDirectory: #/Users/$uid$<br>
> PrimaryGroupID: gidNumber<br>
> RealName: cn<br>
> RecordName: uid<br>
> UniqueID: uidNumber<br>
> UserShell: loginShell<br>
> Groups: posixgroup<br>
> PrimaryGroupID: gidNumber<br>
> RecordName: cn<br>
><br>
> The search bases are correct<br>
><br>
> * Directory Utility, Directory Editor shows the right info for the users.<br>
> * $ id $USERNAME shows the right information for the user<br>
><br>
> FreeIPA is working beautifully for our Mac / Linux environment. We provide directory services to about 300 hosts, and 200 employees using it; and haven't had any problems LDAP wise until now. So we think we are missing a mapping here. Any ideas?<br>
<br>
Fredy,<br>
I quickly tried to check for some documentation on how to configure this stuff, but found only useless superficial guides on how to find the pointy/clicky buttons to push to enable the service.<br>
<br>
I am not a Mac expert by a long shot so I cannot help you much here.<br>
<br>
Is there any guide available on how to use this service with other LDAP servers, like openLDAP or Active Directory? We can probably draw some conclusions from there.<br>
<br>
Simo.<br>
<br>
--<br>
Simo Sorce * Red Hat, Inc * New York<br>
<br>
<br>
<br>
<br>
--<br>
Cheers,<br>
<br>
Fredy Sanchez<br>
IT Manager @ Modernizing
Medicine<br>
<a
moz-do-not-send="true"
href="tel:%28561%29%20880-2998%20x237" value="+15618802998"
target="_blank">(561)
880-2998 x237</a><br>
</div>
</div>
<a moz-do-not-send="true"
href="mailto:fredy.sanchez@modmed.com"
target="_blank">fredy.sanchez@modmed.com</a>
<br>
*Need IT support?* Visit <a
moz-do-not-send="true"
href="https://mmit.zendesk.com"
target="_blank">https://mmit.zendesk.com</a><br>
_______________________________________________<br>
Freeipa-users mailing list<br>
<a moz-do-not-send="true"
href="mailto:Freeipa-users@redhat.com"
target="_blank">Freeipa-users@redhat.com</a><br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
<br>
</blockquote>
<br>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
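<p>Fredy's Directory Utility mapping table quoted above (Users: inetOrgPerson, RealName: cn, and the rest) together with his later fix of RealName to displayName, applied to a constructed FreeIPA-style entry. This is an added example, not code from the thread or from the enrollment package; it assumes a mapping value starting with '#' is a literal template with $attr$ substitution (drawn from the posted #/Users/$uid$ entries), and the sample LDIF values are made up.</p>

```python
import re
# Users mapping as posted, with Fredy's fix (RealName: displayName, not cn);
# GeneratedUID is left out because the thread says it is generated, not mapped.
USER_MAPPING = {
    "AuthenticationAuthority": "uid",
    "HomeDirectory": "#/Users/$uid$",
    "NFSHomeDirectory": "#/Users/$uid$",
    "OriginalHomeDirectory": "#/Users/$uid$",
    "PrimaryGroupID": "gidNumber",
    "RealName": "displayName",
    "RecordName": "uid",
    "UniqueID": "uidNumber",
    "UserShell": "loginShell",
}
GROUP_MAPPING = {"PrimaryGroupID": "gidNumber", "RecordName": "cn"}

def parse_ldif(text):
    """Parse one plain LDIF entry into {attribute: [values]} (no base64, no folding)."""
    entry = {}
    for line in text.strip().splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def expand_template(template, entry):
    """Fill each $attr$ in a literal template with the entry's first value for attr."""
    def first_value(match):
        values = entry.get(match.group(1))
        if not values:
            raise KeyError("template needs missing attribute " + match.group(1))
        return values[0]
    return re.sub(r"\$(\w+)\$", first_value, template)

def map_record(entry, mapping):
    """Build the native record: '#' values are literal templates (assumption), others name an LDAP attribute to copy."""
    record = {}
    for native, source in mapping.items():
        if source.startswith("#"):
            record[native] = [expand_template(source[1:], entry)]
        elif source in entry:
            record[native] = list(entry[source])  # keeps multi-valued attributes
    return record

# Constructed sample entries shaped like FreeIPA user and group objects (not real data).
SAMPLE_USER = """objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
displayName: Jane Doe
uidNumber: 1234500001
gidNumber: 1234500001
loginShell: /bin/bash"""
SAMPLE_GROUP = """objectClass: posixgroup
cn: ipausers
gidNumber: 1234500001"""
```

A user entry without displayName yields a record with no RealName at all, which is the kind of gap that leaves the server showing raw UIDs.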
</body>
</html>