<div dir="ltr">You don't have to add them as an administrator for login to work, just sudo. Will send one over in a second.</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jun 21, 2016 at 12:11 PM, Cal Sawyer <span dir="ltr"><<a href="mailto:cal-s@blue-bolt.com" target="_blank">cal-s@blue-bolt.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<hits brakes, swerves> ... "have to add the user as an
administrator on the local machine"? That's pretty intriguing, but
not great security-wise, unfortunately. Not a big deal at the
moment, though<br>
<br>
ok, just made my user account an admin but it's still dragging on
login.<br>
<br>
My IPA setup is the same:
ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64<br>
<br>
Any chance i could get a denatured plist from you offline, Joe?<br>
<br>
cheers<span class=""><br>
<pre cols="72">Cal Sawyer | Systems Engineer | BlueBolt Ltd
15-16 Margaret Street | London W1W 8RW
<a href="tel:%2B44%20%280%2920%207637%205575" value="+442076375575" target="_blank">+44 (0)20 7637 5575</a> | <a href="http://www.blue-bolt.com" target="_blank">www.blue-bolt.com</a>
</pre>
</span><div><div class="h5"><div>On 21/06/16 16:07, Joe DiTommasso
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">No fiddling that I remember. Basically got the
setup working once and then have been pushing out plist files to
all new installs. Graphical login works, as does sudo, sort
of-still have to add the user as an administrator on the local
machine, but then their kerberos password works for
authentication. Running up-to-date-ish IPA 4 on CentOS 7.
<div><br>
</div>
<div>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><span style="color:rgb(52,189,38)">jdito</span>@<span style="color:rgb(52,187,199)">sum-freeipa-01</span>:<span style="color:rgb(195,55,32)">~</span>$ rpm -qa | grep ipa</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><span style="color:rgb(195,55,32)"><b>ipa</b></span>-python-4.2.0-15.0.1.el7.centos.6.1.x86_64</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">lib<span style="color:rgb(195,55,32)"><b>ipa</b></span>_hbac-1.13.0-40.el7_2.4.x86_64</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><span style="color:rgb(195,55,32)"><b>ipa</b></span>-server-4.2.0-15.0.1.el7.centos.6.1.x86_64</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">python-in<span style="color:rgb(195,55,32)"><b>ipa</b></span>rse-0.4-9.el7.noarch</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><span style="color:rgb(195,55,32)"><b>ipa</b></span>-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">sssd-<span style="color:rgb(195,55,32)"><b>ipa</b></span>-1.13.0-40.el7_2.4.x86_64</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><span style="color:rgb(195,55,32)"><b>ipa</b></span>-client-4.2.0-15.0.1.el7.centos.6.1.x86_64</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo">python-lib<span style="color:rgb(195,55,32)"><b>ipa</b></span>_hbac-1.13.0-40.el7_2.4.x86_64</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><span style="color:rgb(195,55,32)"><b>ipa</b></span>-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64</p>
<p style="margin:0px;font-size:11px;line-height:normal;font-family:Menlo"><br>
</p>
<p style="margin:0px;line-height:normal"><font face="arial,
helvetica, sans-serif">Let me know what you'd like to see
from my config. Thanks for the tip on the secondary
groups-I already had that in there, but looking at it
realized that I needed to point at the compat tree,
because the regular one doesn't expose memberUID.</font></p>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Jun 21, 2016 at 10:42 AM, Cal
Sawyer <span dir="ltr"><<a href="mailto:cal-s@blue-bolt.com" target="_blank">cal-s@blue-bolt.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Wow, that's
surprising, Joe. I'm also using the linsec recipe. Yours
required no fiddling? You can login straight off from
the graphical loginWindow?<br>
<br>
Yes, very interested in any help you can offer. Are you
authenticating against IPA 3 or 4, for sake of curiosity.<br>
<br>
BTW: you can get your secondary groups by:<br>
<br>
In Groups add attribute 'GroupMembership' mapped to
'memberUID'<br>
<br>
thanks!<br>
<pre cols="72"><span>Cal Sawyer | Systems Engineer | BlueBolt Ltd
15-16 Margaret Street | London W1W 8RW
</span><a href="tel:%2B44%20%280%2920%207637%205575" value="+442076375575" target="_blank">+44 (0)20 7637 5575</a> | <a href="http://www.blue-bolt.com" target="_blank">www.blue-bolt.com</a>
</pre>
<div>
<div>
<div>On 21/06/16 15:07, Joe DiTommasso wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I've actually got a whole stack of El
Capitan clients authenticating against FreeIPA:
<div><br>
<div>
<div>mac-mini-01:~ jdito$ system_profiler
SPSoftwareDataType</div>
<div>Software:</div>
<div><br>
</div>
<div> System Software Overview:</div>
<div><br>
</div>
<div> System Version: OS X 10.11.5
(15F34)</div>
<div> Kernel Version: Darwin 15.5.0</div>
<div> Boot Volume: Macintosh HD</div>
<div> Boot Mode: Normal</div>
<div> Computer Name: admin’s Mac mini</div>
<div> User Name: Joe DiTommasso (jdito)</div>
<div> Secure Virtual Memory: Enabled</div>
<div> System Integrity Protection:
Enabled</div>
<div> Time since boot: 14 days 15:00</div>
<div><br>
</div>
</div>
</div>
<div>The Linsec guide worked for me. The only real
issue is that it only sees the user's primary
group, and not supplemental groups. I'm not
terribly good with Macs, but happy to assist in
troubleshooting.</div>
<div><br>
</div>
<div>Joe</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Jun 21, 2016 at
9:46 AM, Cal Sawyer <span dir="ltr"><<a href="mailto:cal-s@blue-bolt.com" target="_blank"></a><a href="mailto:cal-s@blue-bolt.com" target="_blank">cal-s@blue-bolt.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> As
usual, apologies for any formatting issues
due to extracting message threads out of
digests ...<br>
<br>
Anyhow., i have determined where everything
goes terribly wrong with OSX clients: OSX
10.10.3 ("out of the box" Yosemite) works
fine using <a href="http://linsec.ca" target="_blank">linsec.ca</a>'s
guidance. However, the second you patch to
10.10.5 or upgrade to El Capitan (10.11.5),
authentication fails absolutely in the ways
described in earlier threads. Colleagues
who i've spoken with who are trying to set
up IPA at their facilities report the same
problem and it's a total show-stopper.
Interesting how all(?) of what is written on
the topic of OSX and IPA dries up after
10.8, although we've seen in an earlier
thread reports of 10.9 working. I've
repeated this test a few times and the
result is always the same. - 10.10.3 is the
last OSX capable of authenticating against
IPA using currently available knowledge. <br>
<br>
Running tcpdump on 10.10.3 and a 10.10.5
clients show very different authentication
dialogues. I'm afraid, however, that i lack
the skills to interpret where exactly the
later OSX release is failing. I have my
(unfounded) suspicions - that SASL binding
for LDAP and kerberos are implicated.
10.10.3 certainly shows no kerberos
transactions whereas 10.10.5<br>
<br>
Re DNS: both client types resolve all SRV
records hosted in IPA fine. I even went so
far as setting up rudimentary ipv6 as there
were some AAAA requests that were going
unanswered and it thought it might related
(not, as it turns out)<br>
<br>
So, would anyone on the IPA team be
interested in looking at some packet
captures? I'm completely up for working
with you, providing whatever is needed and
doing testing. It would be fantastic to
restore IPA-based auth for newer OSX
releases.<br>
<br>
best regards,<br>
<br>
- cal sawyer <br>
<blockquote>
<pre cols="72">From: John Obaterspok <a href="mailto:john.obaterspok@gmail.com" target="_blank"><john.obaterspok@gmail.com></a>
To: Nicola Canepa <a href="mailto:canepa.n@mmfg.it" target="_blank"><canepa.n@mmfg.it></a>
Cc: <a href="mailto:freeipa-users@redhat.com" target="_blank">"freeipa-users@redhat.com"</a> <a href="mailto:freeipa-users@redhat.com" target="_blank"><freeipa-users@redhat.com></a>, Cal Sawyer
<a href="mailto:cal-s@blue-bolt.com" target="_blank"><cal-s@blue-bolt.com></a>
</pre>
<blockquote> Hi, Are you only having
problems to login to login to OSX with
the IPA user now? If that is the case
then check the DNS settings you are
using and make sure the IPA server is
listed first and that it has full name.
Exactly the same problem occurred for me
with the slow logins to OSX which was
due to the DNS settings and that OSX
only used short name of IPA server
during login (if I logged in as local
user I could ping and lookup hosts using
short name) -- john 2015-12-21 17:49
GMT+01:00 Nicola Canepa <a href="mailto:canepa.n@mmfg.it" target="_blank"></a><a href="mailto:canepa.n@mmfg.it" target="_blank"><canepa.n@mmfg.it></a>:
<blockquote type="cite">
<blockquote type="cite">
<pre>I had to configure /etc/krb5.conf, and to avoid the requested reboot, I
did a "dscacheutil -flushcache", both as the logged in user and as root.
I tried enabling the anonymous bind and now also the directory browser
(and all the login process) works as expected.
Nicola
Il 21/12/15 17:39, Cal Sawyer ha scritto:
Thanks, John and Nicola
Kerberos occurred to me as well late in the day yesterday. Happily (?),
knit works fine simply specifying the user in question with no need to
suffix with the kerberos realm
I did find that my test user had an expired password, which i fixed on the
IPA server. This was never flagged up under Linux, btw. It has not change
anything, however, other than not prompting for password changes that never
take effect. Funnily, it expired in the midst of testing - fun.
I was mistaken when i said i was unable to log in - it turns out that it
takes almost 10 minutes for a login from the frintend to complete - i just
didn't wait long enough. 10 mins is of course unacceptable :) "su - user"
and "login user" fail outright after rejecting accept any user's password
DNS is fine and i can resolve ldap and kerberos SRV records from the Mac
In line with Nicola's experience, i can browse groups and users in the
Directory Editor and all attributes appear spot on.
Besides modding /etc/pam.d/authorization, adding a corrected
edu.mit.kerberos to /LibraryPreferences and setting up the directory per
<a href="http://linsec.ca" target="_blank">linsec.ca</a>, can anyone think of something i may have missed? It's a real
shame that the documentation on this stops around 5 years ago.
IPA devs: is there anything i should be on the lookout for in the dirsrv
or krb5 logs on the IPA master? I've disabled the secondary to prevent
replication from clouding the log events
thanks, everyone
Cal Sawyer | Systems Engineer | BlueBolt Ltd
15-16 Margaret Street | London W1W 8RW<a href="tel:%2B44%20%280%2920%207637%205575" value="+442076375575" target="_blank">+44 (0)20 7637 5575</a> | <a href="http://www.blue-bolt.com" target="_blank">www.blue-bolt.com</a>
On 21/12/15 07:57, Nicola Canepa wrote:
Hello, I tried 2 weeks ago from Mavericks (OSX 10.9), but I had the
opposite problem: kinit works fine, while I'm unable to see users with
Directory Admin ((it always says it cant' connect, either with or without
SSL)
I disabled anonymous searches in 389-ds, by the way.
Nicola
Il 21/12/15 07:50, John Obaterspok ha scritto:
Hi Cal,
Does a kinit work from a terminal? Does it work if you use "kinit user" or
just if you use "kinit <a href="mailto:user@REALM.suffix" target="_blank"><user@REALM.suffix></a><a href="mailto:user@REALM.suffix" target="_blank">user@REALM.suffix</a>"
-- john
2015-12-20 15:09 GMT+01:00 Cal Sawyer <a href="mailto:cal-s@blue-bolt.com" target="_blank"><cal-s@blue-bolt.com></a>:
</pre>
<blockquote type="cite">
<pre>Hi, all
I'm attempting to set up LDAP auth (against IPA server 4.10) from a OSX
10.10.5 (Yosemite) client
Using the excellent instructions at
<a href="http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8%20%22Linsec.ca%20tutorial%20for%20connecting%20Mac%20OS%2010.7%20to%20IPA%20Server" target="_blank"><http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8%20%22Linsec.ca%20tutorial%20for%20connecting%20Mac%20OS%2010.7%20to%20IPA%20Server></a>
<a href="http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8%20%22Linsec.ca%20tutorial%20for%20connecting%20Mac%20OS%2010.7%20to%20IPA%20Server" target="_blank">http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8%20%22Linsec.ca%20tutorial%20for%20connecting%20Mac%20OS%2010.7%20to%20IPA%20Server</a>,
I've populated the specified files, d/l'd the cert, am able to configure
Users and Groups objects/attribs and browse both from within OSX's
Directory Utility. ldapsearch similarly returns the expected results.
In spite of this, i'm unable to authenticate as any IPA-LDAP user on this
system
dirsrv log on the ipa master shows no apparent errors - remote auth
attempts exit with "RESULT err=0 tag=101 nentries=1 etime=0", but tell the
truth, there so much stuff there and being rather inexperienced with LDAP
diags i might easily be missing something in the details
The <a href="http://linsec.ca" target="_blank">linsec.ca</a> instructions were written in the 10.7-10.8 era so
something may have changed since. Having said that, we've had no problems
authenticating against our existing OpenLDAP server (which IPA is slated to
replace) right up to 10.10.5 with no zero to our Directory Utility setup.
Hoping someone here has some contemporary experience with OSX and IPA and
for whom this issue rings a bell?
many thanks
Cal Sawyer | Systems Engineer | BlueBolt Ltd
15-16 Margaret Street | London W1W 8RW
+44 (0)20 7637 5575 <%2B44%20%280%2920%207637%205575> | <a href="http://www.blue-bolt.com" target="_blank">www.blue-bolt.com</a>
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<br>
</div>
<br>
--<br>
Manage your subscription for the Freeipa-users
mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for
more info on the project<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>