Hello, we have a mixed environment with Windows, Linux, and Mac OS X systems. I was trying to test out FreeIPA for basic authentication in this environment, but so far nothing has worked. Currently for testing I have FreeIPA 4.6.90.pre1 installed. I tried the walkthrough for Mac OS X and Kerberos worked, but I could not get the OS login to do anything but local users. The Windows desktop system would not even see the Kerberos realm, so it could not do anything, and for the Windows domain controller, when I try to add a trust on FreeIPA I get an error that says "ipa: ERROR: CIFS server communication error: code "3221225581", message "The attempted login is invalid. This is either due to a bad username or authentication information." (both may be "None")". In every case I was just following what is shown on the web site's how-tos on this. The Mac system is running High Sierra with the latest patches. The Windows desktop is Windows 10 with the latest patches and the Windows server is Windows Server 2016; I used domain functional levels 2016, 2008, and 2012, and all did the same thing.
Hi Jeff,
Concerning your issues with FreeIPA and Mac OS X, are local user accounts created and then converted to mobile accounts ($ sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username)? Otherwise, I would verify the Directory Utility configuration. I found that incorrect initial mappings are resistant to correction and may require deleting your configuration and rebuilding it entirely.
On Fri, May 4, 2018 at 1:03 PM Jeffrey Parker via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
I did create local user accounts and converted to mobile, but there never seemed to be any link to FreeIPA on those accounts. When I went to browse the accounts in Mac OS X it could not connect to the directory server. I did get Active Directory working and was able to get Mac OS X working with Active Directory.
It sounds like there is an issue with connecting to the LDAP service (you can authenticate with kinit but can't browse the directory). It could be the server's firewall, but I suspect you are not having an issue with Linux workstations. Mac OS's directory services setup is likely the issue if, in Directory Utility > Directory Editor with a FreeIPA node selected, there are no objects. I'd verify that the server's public cert is installed on the workstation and working (web browse from the workstation to the FreeIPA server). If the cert test works, delete the LDAPv3 service from the Directory Utility and rebuild the service configuration.
On Tue, May 8, 2018 at 10:33 AM Jeffrey Parker via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
I did that and it seemed to be better: I could see the users, browse the tree, etc., but when logging in as one of the FreeIPA users the login just fails like before.
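As an added diagnostic for the certificate and directory-browse checks suggested earlier in the thread (this is example code, not from the thread or from the FreeIPA project): a small POSIX shell script to run on the macOS client that checks, in order, that the server's LDAPS certificate validates against the IPA CA, that the user tree can be read anonymously, and that a Kerberos ticket can be used for a GSSAPI bind, which is the path a directory login takes after kinit has already succeeded. It also decodes the "CIFS server communication error" code from the first message: 3221225581 is NTSTATUS 0xC000006D, STATUS_LOGON_FAILURE, the status Windows returns when the user name or password it was handed for the trust is rejected. The host name, base DN and CA file path are hypothetical placeholders and can be overridden from the environment.

```shell
#!/bin/sh
# Added example, not part of the thread: checks to run from a macOS client
# (High Sierra ships openssl, ldapsearch and the Heimdal kinit/klist) against
# a FreeIPA server. Host name, base DN and CA path are hypothetical
# placeholders; override them via the environment.
IPA_HOST="${IPA_HOST:-ipa.example.test}"
IPA_BASE="${IPA_BASE:-dc=example,dc=test}"
IPA_CA="${IPA_CA:-/tmp/ipa-ca.crt}"   # e.g. saved from http://$IPA_HOST/ipa/config/ca.crt

# The "CIFS server communication error: code N" message prints a Windows
# NTSTATUS value in decimal. Render it as hex and name the codes commonly
# seen during trust setup so the number is actionable.
ntstatus_hex() {
    printf '%08X' "$1"
}

ntstatus_name() {
    case "$(ntstatus_hex "$1")" in
        C000006D) echo STATUS_LOGON_FAILURE ;;     # user name or password rejected
        C000005E) echo STATUS_NO_LOGON_SERVERS ;;  # no domain controller reachable
        C0000022) echo STATUS_ACCESS_DENIED ;;
        *)        echo UNKNOWN ;;
    esac
}

# 1. Does the IPA server's LDAPS certificate chain to the IPA CA the client
#    trusts? Same question as "browse to the web UI and check the padlock",
#    but scriptable and specific to port 636.
check_tls() {
    openssl s_client -connect "$IPA_HOST:636" -servername "$IPA_HOST" \
        -CAfile "$IPA_CA" </dev/null 2>/dev/null |
        grep -q 'Verify return code: 0 (ok)'
}

# 2. Can an unauthenticated client read the user tree? FreeIPA allows
#    anonymous read of basic user attributes by default, which is what
#    Directory Utility's Directory Editor relies on before anyone logs in.
#    Plain ldap:// on 389 keeps this independent of the TLS check above.
check_ldap_anon() {
    ldapsearch -x -H "ldap://$IPA_HOST" \
        -b "cn=users,cn=accounts,$IPA_BASE" -s one uid >/dev/null 2>&1
}

# 3. Kerberos ticket plus GSSAPI bind. kinit succeeding but this failing
#    usually means the client resolved a host name that does not match the
#    ldap/<fqdn> service principal, i.e. a DNS or /etc/hosts problem.
check_ldap_gssapi() {
    klist >/dev/null 2>&1 || return 1    # no ticket cache, nothing to test
    ldapsearch -Y GSSAPI -H "ldap://$IPA_HOST" -b "$IPA_BASE" -s base >/dev/null 2>&1
}

run_checks() {
    for c in check_tls check_ldap_anon check_ldap_gssapi; do
        if "$c"; then echo "PASS $c"; else echo "FAIL $c"; fi
    done
}

# Only touch the network when invoked as: sh ipa-client-check.sh run
if [ "${1:-}" = run ]; then
    echo "code 3221225581 = 0x$(ntstatus_hex 3221225581) ($(ntstatus_name 3221225581))"
    run_checks
fi
```

Run it as `sh ipa-client-check.sh run` after `kinit user@REALM`. A PASS on the first two checks with a FAIL on the third points at name resolution or the service principal rather than at the certificate, which is the distinction the Directory Utility login prompt does not make for you.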