Подключение MacOS к FreeIPA¶

Setup Kerberos on MacOS¶

Kerberos is used also for Integrated Authentication (aka Windows Authentication) on macOS or Linux you will need to setup a Kerberos ticket linking your current user to a Windows domain account.

Configuring KDC in /etc/krb5.conf¶

sudo vi /etc/krb5.conf

[libdefaults]
  default_realm = <DOMAIN>.RU

[realms]
TRUEDEV.RU = {
  kdc = freeipa.domain.ru
}

default_realm Domain дожно быть в верх регистре

если не создать и не указать kdc , то kinit не сможет найти к какому kdc подключаться в том случае если freeipa устанавливалась без dns и ns сервера не обслуживают этот домен еще нужно чтобы REALM определялся для узла должна быть записьв зоне обратного просмотра PTR указывающая нам ❯ host 15.142.76.112 112.76.142.15.in-addr.arpa domain name pointer freeipa..ru

Use the command kinit username@DOMAIN.COMPANY.COM to get a TGT from KDC. You will be prompted for your domain password. kinit admin@<domain> Use klist to see the available tickets. If the kinit was successful, you should see a ticket and Ticket Viewer on macos

Credentials cache: API:14589D7F-036C-4CD0-94D7-5B0DCBE7C07E
        Principal: admin@<DOMAIN>

  Issued                Expires               Principal
Jan 12 13:32:27 2024  Jan 12 23:32:24 2024  krbtgt/<DOMAIN>@<DOMAIN>
Jan 12 13:46:18 2024  Jan 12 23:32:24 2024  ldap/ipa.<domain>@<DOMAIN>

Testing the Ticket Granting Ticket retrieval¶

Use the command kinit username@TRUEDEV.RU to get a TGT from KDC. You will be prompted for your domain password. kinit username@TRUEDEV.RU
Use klist to see the available tickets. If the kinit was successful, you should see a ticket. klist

Next, you need to download the ca.crt from the IPA server:

# sudo su -
# cd /etc/
# mkdir ipa
# cd ipa
# curl -OL http://freeipa.truedev.ru/ipa/config/ca.crt

The one thing to note is that you will almost definitely need to set “allow_weak_crypto = yes”, unfortunately. The next step is to edit /etc/pam.d/authorization. This is done instead of editing /etc/authorization as was done in the past. OS X now uses PAM to handle Kerberos authentication, and has the required pam_krb5 module already noted. A working /etc/pam.d/authorization file follows:

# authorization: auth account
auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
auth       sufficient     pam_krb5.so use_first_pass default_principal
auth       optional       pam_ntlm.so use_first_pass
auth       required       pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so

This will allow you to kinit on the system and access kerberized services. By adding “default_principal” and calling pam_krb5.so twice you ensure that you get a Kerberos ticket when you log in. Otherwise the system will authenticate against Kerberos with your password, but will not obtain a ticket.

IPA Enrollment¶

Because we cannot enroll the system into IPA the easy way, we need to visit the web UI and add a new host. In the IPA web UI, go the Identity and then the Hosts page. Click the “Add” button, where you will need to add the fully qualified domain name of the host (e.g. mac.truedev.ru), and then click the “Add and Edit” button. You don’t need to add much here, other than the MAC address of the system, and the SSH public keys, which can be found in /etc/ssh_host_dsa_key.pub and /etc/ssh_host_rsa_key.pub. The Ethernet MAC address can be found via either ifconfig or System Preferences.

This, unfortunately, does not generate a keytab file for the host, so on the server, using the ipa-getkeytab program, we will create an obtain the keytab for our new host:

# ipa-getkeytab -s freeipa.truedev.ru -p host/mac.truedev.ru -k ~/mac.keytab
Keytab successfully retrieved and stored in: ~/mac.keytab
# ipa host-show mac
  Host name: mac.truedev.ru
  Principal name: host/mac.truedev.ru@TRUEDEV.RU
  MAC address: 00:00:00:AA:1B:14
  SSH public key fingerprint: AF:A6:75:4C:7B:7B:C5:20:8E:C6:81:60:CC:4C:1C:25 (ssh-dss),
    30:19:4E:F5:34:CB:0B:76:24:0E:D0:F9:A3:7D:5E:E2 (ssh-rsa)
  Password: False
  Keytab: True
  Managed by: mac.truedev.ru

The key here is we want to use host/[FQDN] as the kerberos principal.

Incidentally, you can add the host from the command line using ipa host-add as well, but with the web UI you can cut and paste the SSH pubkeys.

Now that the keytab is generated, just copy it from the server to the new workstation and place it in /etc/krb5.keytab. Make sure the file is owned by the user root and group wheel (root:wheel) and is mode 0600.

Setup Directory Utility¶

Open Directory Utility

For the above you, you have a choice for the HomeDirectory and NFSHomeDirectory name="__codelineno-5-1" href="#__codelineno-5-1">Services - Edit LDAPv3 - New LDAP connection: Connection: Configuration name: freeipa.truedev.ru Server name or ip: freeipa.truedev.ru Encrypt using ssl: yes Use custom port: no Search and Mappings: Access this LDAPv3 server using: Custom Record Types and Attributes: Groups : Search base: cn=groups,cn=accounts,dc=truedev,dc=ru Map top ANY items in list: posixgroup PrimaryGroupID: gidNumber RecordName: cn Users : Search base: dc=truedev,dc=ru Map top ANY items in list: inetOrgPerson AutheticationAuthority: uid RealName: cn RecordName: uid HomeDirectory: #/Users/$uid$ NFSHomeDirectory: #/Users/$uid$ (NOTE: odd as it sounds, this seems to be required, even if you’re not using NFS) PrimaryGroupID: gidNumber UniqueID: uidNumber UserShell: loginShell Security: User authetication when connecting: Distinguished Name: admin Password: ... options. If you use homeDirectory for both, it will map to /home/[user] which is fine for automounted home directories (/home/ is an automount on OS X). However, if you want a local directory on the machine for the user (not an automounted/shared home directory), use #/Users/$uid$ instead.

alt text

SystemPreferences - Users & Groups - Network account server - must be a Green circle

Creating Home Directories¶

If you elected to have the home directory on the local system (using /Users/[user]), you have one further step to make. OS X does not auto-create home directories for LDAP-based users, so you will need to create them yourself. All you need to do is create the directory, upon first login, the rest will be populated:

$ sudo su -
# mkdir /Users/testuser
# chown testuser:testuser /Users/testuser

The default group for local OS X users is staff which is not used with IPA. So for remote users, you will want to use the user’s group and private group as defined in IPA (usually the same name, like testuser:testuser). So home directories, when created, will propagate group ownership; if you create the home directory as [user]:staff then all files beneath it will be owned [user]:staff; if you create it [user]:[group], then all files beneath the home directory will be created with the same ownership.

So, when creating the home directory use chown vdanen:vdanen (or [user]:[group]) and then all files created beneath the directory will have the correct ownership.

Finally, make a trip to System Preferences, in particular the Users & Groups settings. Click the “Login Options”. Here you will want to ensure that the following are set:

Display login window as: Name and password (otherwise network users cannot login) Allow network users to log in at login window (checked, you can restrict to certain users by clicking “Options…” Network Account Server is set and has a green light (should display the IPA server’s hostname)

References¶

https://www.qnap.com/en/how-to/tutorial/article/how-to-connect-macos-to-ldap-services-by-using-an-open-directory-utility-for-accessing-files-on-qnap-nas
https://thrysoee.dk/kerberos/
https://github.com/microsoft/vscode-mssql/wiki/How-to-enable-Integrated-Authentication-on-macOS-and-Linux-using-Kerberos