Some edits and expansion on my previous attempt to post...
FreeIPA 4.4.3, Mac OS X 10.12
Thanks for all the hard work on this, I've been enjoying an almost functional setup for the last week but have been tearing my hair out with making GSSAPI behave.
What I have found so far using the config instructions (may be error-prone now, given the number of combinations tried!):
- Anonymous bind enabled on FreeIPA: works if you also specify a real user in the Directory Utility auth section.
- RootDSE only enabled on FreeIPA: works if you also specify a real user in the Directory Utility auth section (not a service account).
- No anonymous binds: will not play at all.
Now the thing that is really throwing me is that GSSAPI ldapsearch works just fine from the command line (using -Y GSSAPI), but Directory Utility seems unable to use these credentials. I'm totally unsure if this is an OS limitation (as the login screen wouldn't have any creds until a user has typed them) or if I've managed to screw something up. From browsing my LDAP access logs it looks like only conventional binds are attempted regardless. On the Mac side, it did until recently still mention GSSAPI attempts (when anonymous LDAP is disabled), although these couldn't be found in the LDAP log. It feels like the Mac client is unable to work out how to present the krb credential due to a mapping issue or DNS discovery issue (both my IPA servers have RDNS entries).
Other notable log entries on the Mac side are "failed to retrieve password for credential" and "failed to retrieve server schema". These both occur under the RootDSE-only LDAP config.
I'd like to be in a position where I can either have a very reduced access LDAP user enabled on all Mac clients, or that they can harness the host or user keytab in order to require no special LDAP credentials of their own.
Most of all I suppose I want to know what should work, or be workable!
Hope this makes sense, and thanks in advance,
David
p.s. I'm still not sure if I've managed to join this list, so subject to moderation, and I might require an explicit reply to in order to get responses!
Note.
The GSSAPI attempts from the Mac side are only attempted when a binddn (Security -> "Use authentication when connecting") account is provided. Otherwise I suspect it's unable to even work out what type of GSSAPI transaction to attempt.
On 19 September 2017 at 15:19, David Harvey davidcharvey@googlemail.com wrote:
Hello David,
I'm experiencing similar issues with the ldapsearch command, though no issues authenticating for logon, ssh (to Linux machines), DNS updates, and directory services. I'm confident the issue lies with macOS.
I'm running MacOS 10.12.6 and IPA 4.5.
I'll keep digging, just wanted to let you know you've been heard.
- Jason
On Tue, Sep 19, 2017 at 10:40 AM, David Harvey via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Thanks for your response and time Jason, much appreciated. It sounds like you in fact have almost the opposite symptoms to me; how strange! I did find that ldapsearch using -Y for GSSAPI was failing on Mac until I sorted out the reverse DNS entries for my IPA servers. The symptom was the ldapsearch error output referring to the IP of the machine rather than the hostname, even though I defined the host by name, not IP, for the command. A hosts file entry got it working as a stop gap before I could add my RDNS entry (I'm using Amazon Route 53, so the scope for me to have screwed up the DNS is considerable). Prior to this entry I just had the DNS bits from "ipa dns-update-system-records --dry-run", but now I have 2x RDNS entries added for the main names of my IPA servers (but not yet for ipa-ca.domain.net).
Just to confirm, are you using a bind account in order to connect with Directory Utility?
Best,
David
On 19 September 2017 at 23:16, Jason Sherrill via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
--
Jason Sherrill, IT Specialist, Deeplocal Inc. http://deeplocal.com/ mobile: 412-636-2073 office: 412-362-0201
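The reverse-DNS dependency David describes in his last message, as an added diagnostic that is not part of the thread: it mirrors how the OpenLDAP client canonicalises the SASL host name by default (forward lookup of the server name, then reverse lookup of the connected address, falling back to the numeric address when the reverse lookup fails) and reports when the ldap/ principal the client will ask the KDC for cannot match the key the IPA server holds. All host names, addresses and the realm below are constructed.

```python
# Added diagnostic (not from the thread): derive the SASL/GSSAPI service
# principal an OpenLDAP client will request for an LDAP server, following the
# client's default host canonicalisation (forward lookup, then reverse lookup;
# numeric address if the reverse lookup fails), and flag the mismatches that
# make the KDC reject the ticket request.
import socket

def derived_principal(host, realm, resolve_addr, resolve_ptr):
    """Return (principal, problem) for the LDAP service on `host`."""
    addr = resolve_addr(host)
    if addr is None:
        return None, "forward lookup failed"
    ptr = resolve_ptr(addr)
    if ptr is None:
        # No PTR record and no /etc/hosts entry: the client falls back to the
        # IP, and the KDC has no key for ldap/<ip>, so the GSSAPI bind fails.
        return f"ldap/{addr}@{realm}", "no reverse entry; principal names the IP"
    return f"ldap/{ptr.rstrip('.').lower()}@{realm}", None

def check_server(host, realm, resolve_addr, resolve_ptr):
    """Compare the derived principal with the one the server has a key for."""
    expected = f"ldap/{host.lower()}@{realm}"
    got, problem = derived_principal(host, realm, resolve_addr, resolve_ptr)
    if problem is None and got != expected:
        problem = "reverse name differs from forward name"
    return {"ok": problem is None, "expected": expected, "derived": got,
            "problem": problem}

# Constructed DNS data standing in for real lookups: a correct pair,
# a server with no PTR record, and a server whose PTR names a stale host.
_A = {"ipa1.example.test": "192.0.2.10", "ipa2.example.test": "192.0.2.11",
      "ipa3.example.test": "192.0.2.12"}
_PTR = {"192.0.2.10": "ipa1.example.test.",
        "192.0.2.12": "old-name.example.test."}   # 192.0.2.11 has no PTR

def fake_addr(h): return _A.get(h.lower())
def fake_ptr(a): return _PTR.get(a)

def check_live(host, realm):
    """Same check against the system resolver; gethostbyaddr also reads
    /etc/hosts, which is why a hosts-file entry works as a stop gap."""
    def addr(h):
        try: return socket.gethostbyname(h)
        except OSError: return None
    def ptr(a):
        try: return socket.gethostbyaddr(a)[0]
        except OSError: return None
    return check_server(host, realm, addr, ptr)

if __name__ == "__main__":
    for h in _A:
        print(check_server(h, "EXAMPLE.TEST", fake_addr, fake_ptr))
```

Run check_live("ipa1.example.net", "EXAMPLE.NET") against a real server name to see which of the three failure modes applies before touching the Directory Utility configuration.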