Hello All,
I have recently submitted a HowTo https://www.freeipa.org/page/HowTo/Setup_FreeIPA_Services_for_Mac_OS_X_10.12 for FreeIPA. I'd very much appreciate any feedback or editing on it; I don't want to link to it without a review. Thanks!
We run almost the exact same setup... which is sufficient, but not as great as it could be (basically the password changing issues you've noted). We've also noticed that a single bad login attempt gets counted multiple times on the IPA server, so you can get locked accounts quicker than expected.
There was a guy on the list who had what sounded like a very promising alternative to this that did some LDAP DB modifications, but I tried so many times to do it and could never get it to work :( The link is:
https://www.redhat.com/archives/freeipa-users/2016-February/msg00059.html
There is some good information, but I could just never get it to work... Would love it if someone would walk through that one step by step in a little more detail.
Also, as an aside... if you changed your password via the FreeIPA GUI (or from another Linux machine) you can update the FileVault password by issuing a "sudo" command... I usually just do "sudo -l" and then you're good. Not sure why, but we found that out over the years.
Also we edit a few other PAM files: screensaver (so when you unlock you get a new ticket) and passwd (I think so you can change it from the command line, although I'm not 100% sure that works).
cat > /etc/pam.d/screensaver << 'EOF'
auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
auth       sufficient     pam_krb5.so use_first_pass default_principal
auth       required       pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so
account    sufficient     pam_self.so
account    required       pam_group.so no_warn group=admin,wheel fail_safe
account    required       pam_group.so no_warn deny group=admin,wheel ruser fail_safe
EOF

cat > /etc/pam.d/passwd << 'EOF'
password   sufficient     pam_krb5.so
auth       required       pam_permit.so
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_permit.so
EOF
On 06/14/2017 12:02 PM, Jason Sherrill via FreeIPA-users wrote:
--
*Jason Sherrill* Deeplocal Inc. http://deeplocal.com/ mobile: 412-636-2073 office: 412-362-0201
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Hi,
On 14/06/2017 18:02, Jason Sherrill via FreeIPA-users wrote:
I used /etc/krb5.conf instead of /Library/Preferences/edu.mit.Kerberos, which also seemed to work, but I noticed the macOS client doesn't fall back to TCP, so if UDP is blocked in your network you need to specify
[realms]
  EXAMPLE.COM = {
    kdc = tcp/ipa-server.example.com
    admin_server = tcp/ipa-server.example.com
  }
to get kinit and changing of an expired password to work (using kinit; I haven't configured my accounts as system accounts yet).
Regards, Jens Timmerman
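A small checker for the point Jens raises, added here as an example and not part of his mail: it parses the [realms] section of a krb5.conf, lists kdc/admin_server entries that lack an explicit tcp/ prefix (entries a client with no UDP-to-TCP fallback would never reach over TCP), and emits the corrected stanza. The sample configuration and the hostnames in it are constructed.

```python
import re
# Constructed sample krb5.conf (not from the thread): EXAMPLE.COM lists bare
# hostnames, so this client tries UDP only; FORCED.TEST already pins TCP.
SAMPLE_KRB5_CONF = """
[realms]
  EXAMPLE.COM = {
    kdc = ipa-server.example.com   # no tcp/ prefix
    admin_server = ipa-server.example.com
  }
  FORCED.TEST = {
    kdc = tcp/ipa-server.forced.test
    admin_server = tcp/ipa-server.forced.test
  }
"""

def parse_realms(text):
    """Return {realm: [(key, value), ...]} from [realms]; one brace level, '#' comments."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := re.match(r"\[(\w+)\]$", line):
            section, realm = m.group(1), None
        elif section != "realms":
            continue
        elif m := re.match(r"([\w.\-]+)\s*=\s*\{$", line):
            realm = m.group(1)
            realms[realm] = []
        elif line == "}":
            realm = None
        elif realm and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            realms[realm].append((key, value))
    return realms

def udp_first(key, value):
    """True for a kdc/admin_server entry without the tcp/ prefix (UDP is tried first)."""
    return key in ("kdc", "admin_server") and not value.startswith("tcp/")

def udp_only_servers(realms):
    """(realm, key, value) entries a client with no TCP fallback never reaches over TCP."""
    return [(r, k, v) for r, es in realms.items() for k, v in es if udp_first(k, v)]

def force_tcp(realms):
    """Emit a corrected [realms] stanza, adding tcp/ where it is missing."""
    out = ["[realms]"]
    for realm, entries in realms.items():
        out.append(f"  {realm} = {{")
        out += [f"    {k} = {'tcp/' + v if udp_first(k, v) else v}" for k, v in entries]
        out.append("  }")
    return "\n".join(out)
```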
Thank you Lee and Jens!
I've been testing your suggestions and I'll start deploying the changes next week.
On Thu, Jun 15, 2017 at 6:03 AM, Jens Timmerman via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: