Enroll Mac in Kerberos: Difference between revisions
(Created page with "# Create host on IPA # Create a keytab on an enrolled host: TMPFILE="$(mktemp -u)"; ipa-getkeytab -s ipa.delftsolutions.nl -p host/<hostname> -k "$TMPFILE"; base64 -w0 "$TMPFILE" && echo; rm -f "$TMPFILE"; # On the mac as root, create the keytab: umask 026; base64 -D >/etc/krb5.keytab <<<"<key>"; umask 022") |
No edit summary |
| (9 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
This will make your laptop automatically log you in to IPA. Only do this on machines that are exclusively used by you! | |||
# Set bash as your default shell: [[New_Mac_Setup#Use_Bash_as_Shell]] | |||
# Create host on IPA | # Create host on IPA | ||
# Create a keytab on an enrolled host: TMPFILE="$(mktemp -u)"; ipa-getkeytab -s ipa.delftsolutions.nl -p host/<hostname> -k "$TMPFILE"; base64 -w0 "$TMPFILE" && echo; rm -f "$TMPFILE"; | # Create a keytab on an enrolled host: TMPFILE="$(mktemp -u)"; ipa-getkeytab -s ipa.delftsolutions.nl -p host/<hostname> -k "$TMPFILE"; base64 -w0 "$TMPFILE" && echo; rm -f "$TMPFILE"; | ||
# On the mac as root, create the keytab: umask 026; base64 -D >/etc/krb5.keytab <<<"<key>"; umask 022 | # On the mac as root, create the keytab: umask 026; base64 -D >/etc/krb5.keytab <<<"<key>"; umask 022 | ||
# Ensure /etc/krb5.conf file has the correct contents. | |||
# Download the ca.crt from the debian-delftsolutions-auth repository and place it in /etc/ipa/ca.crt | |||
# As your normal user, create the certificates folder: mkdir ~/Library/IPA; chmod 700 ~/Library/IPA | |||
# Create a certificate request, entering your username for the Common Name and a single dot for the other fields: openssl req -newkey rsa:4096 -nodes -keyout ~/Library/IPA/user.key -out ~/Library/IPA/user.csr | |||
# Go to your user in IPA | |||
# Click on Actions > New Certificate | |||
# CA = ipa | |||
# Profile ID = caIPAserviceCert | |||
# Paste the contents of this command into the big textfield: cat ~/Library/IPA/user.csr | |||
# Request the certificate | |||
# Store the resulting certificate in ~/Library/IPA/user.crt | |||
# Add the following lines to your ~/.bash_profile. Make sure to replace <mac_username> with your Mac username and <ipa_username> with your IPA username! | |||
## alias ds_pkinit="/usr/bin/kinit -C FILE:/Users/<mac_username>/Library/IPA/user.crt,/Users/<mac_username>/Library/IPA/user.key --keychain <ipa_username>" | |||
## ds_pkinit & disown | |||
== krb5.conf == | |||
<pre> | |||
[libdefaults] | |||
default_realm = DELFTSOLUTIONS.NL | |||
kdc_timesync = 1 | |||
ccache_type = 4 | |||
forwardable = true | |||
proxiable = true | |||
fcc-mit-ticketflags = true | |||
ticket_lifetime = 24h | |||
[appdefaults] | |||
pkinit_anchors = FILE:/etc/ipa/ca.crt | |||
[realms] | |||
DELFTSOLUTIONS.NL = { | |||
default_domain = delftsolutions.nl | |||
} | |||
[domain_realm] | |||
.delftsolutions.nl = DELFTSOLUTIONS.NL | |||
delftsolutions.nl = DELFTSOLUTIONS.NL | |||
</pre> | |||
Latest revision as of 06:56, 12 February 2025
This will make your laptop automatically log you in to IPA. Only do this on machines that are exclusively used by you: the steps below leave a host keytab in /etc/krb5.keytab and an unencrypted (-nodes) private key in ~/Library/IPA on disk, so anyone who can read those files can act as that host, or as you, against IPA.
- Set bash as your default shell: New_Mac_Setup#Use_Bash_as_Shell
- Create host on IPA
- Create a keytab on an enrolled host: TMPFILE="$(mktemp -u)"; ipa-getkeytab -s ipa.delftsolutions.nl -p host/<hostname> -k "$TMPFILE"; base64 -w0 "$TMPFILE" && echo; rm -f "$TMPFILE"; Note: ipa-getkeytab generates a new key for host/<hostname>, so any keytab previously issued for that host stops working. The base64 output is a credential: transfer it straight to the Mac and do not paste it into chat, tickets or this wiki.
- On the mac as root, create the keytab: umask 026; base64 -D >/etc/krb5.keytab <<<"<key>"; umask 022 — then tighten the permissions, because umask 026 leaves the file group-readable (0640): chmod 600 /etc/krb5.keytab and check with ls -l /etc/krb5.keytab that it is root-owned. The here-string also records the key in the root shell's history; to avoid that, copy the base64 text to the clipboard and run pbpaste | base64 -D >/etc/krb5.keytab instead, then clear the clipboard (pbcopy </dev/null).
- Ensure /etc/krb5.conf file has the correct contents.
- Download the ca.crt from the debian-delftsolutions-auth repository and place it in /etc/ipa/ca.crt. This file is the PKINIT trust anchor (pkinit_anchors in the krb5.conf below), i.e. it is what authenticates the KDC to your Mac, so verify it before use: compare the output of openssl x509 -in /etc/ipa/ca.crt -noout -fingerprint -sha256 with the same command run against /etc/ipa/ca.crt on an enrolled host, and make the file root-owned (sudo chown root:wheel /etc/ipa/ca.crt; sudo chmod 644 /etc/ipa/ca.crt) so a local user cannot swap the anchor.
- As your normal user, create the certificates folder: mkdir ~/Library/IPA; chmod 700 ~/Library/IPA
- Create a certificate request, entering your username for the Common Name and a single dot for the other fields: openssl req -newkey rsa:4096 -nodes -keyout ~/Library/IPA/user.key -out ~/Library/IPA/user.csr. -nodes writes the private key without a passphrase, so it is protected only by file permissions: run chmod 600 ~/Library/IPA/user.key afterwards (the 0700 directory from the previous step is the second line of defence), and never copy user.key off the machine — only user.csr is sent to IPA.
- Go to your user in IPA
- Click on Actions > New Certificate
- CA = ipa
- Profile ID = caIPAserviceCert
- Paste the contents of this command into the big textfield: cat ~/Library/IPA/user.csr
- Request the certificate
- Store the resulting certificate in ~/Library/IPA/user.crt
- Add the following lines to your ~/.bash_profile. Make sure to replace <mac_username> with your Mac username and <ipa_username> with your IPA username!
- alias ds_pkinit="/usr/bin/kinit -C FILE:/Users/<mac_username>/Library/IPA/user.crt,/Users/<mac_username>/Library/IPA/user.key --keychain <ipa_username>"
- ds_pkinit & disown
krb5.conf
# krb5.conf for the Mac set up above; read by macOS's Heimdal kinit/GSSAPI.
# Most keys are copied from a Debian-style default krb5.conf; the ones that
# matter for this PKINIT setup are pkinit_anchors and the realm mapping.
[libdefaults]
# Realm assumed for principals written without an @REALM suffix.
default_realm = DELFTSOLUTIONS.NL
# MIT krb5 option (Debian default); NOTE(review): Heimdal on macOS probably ignores it — confirm.
kdc_timesync = 1
# MIT krb5 credential-cache format version (Debian default); NOTE(review): confirm Heimdal honours it.
ccache_type = 4
# Ask for forwardable TGTs, i.e. tickets that can be delegated to hosts you log in to.
# Keep only if you rely on credential delegation (e.g. via ssh).
forwardable = true
# Ask for proxiable tickets as well. NOTE(review): proxiable lets a service obtain
# tickets in your name for other services; set to false unless something needs it.
proxiable = true
# Heimdal option: write MIT-compatible ticket flags into FILE credential caches.
fcc-mit-ticketflags = true
# Requested TGT lifetime; the KDC may cap this at the realm's maximum.
ticket_lifetime = 24h
[appdefaults]
# The IPA CA certificate placed in /etc/ipa/ca.crt in the steps above. It is the
# only thing that authenticates the KDC's PKINIT reply, so the file must be
# root-owned and its fingerprint verified out of band. Heimdal's kinit looks up
# pkinit_anchors here in [appdefaults]; MIT krb5 would expect it in [libdefaults]
# — TODO confirm against the installed kinit if PKINIT fails.
pkinit_anchors = FILE:/etc/ipa/ca.crt
[realms]
# No kdc = entry is given, so the KDC is presumably located via DNS SRV records
# for delftsolutions.nl (dns_lookup_kdc default). DNS only picks the server;
# the PKINIT anchor above is what verifies it.
DELFTSOLUTIONS.NL = {
default_domain = delftsolutions.nl
}
[domain_realm]
# Map the company domain and every host under it onto the realm.
.delftsolutions.nl = DELFTSOLUTIONS.NL
delftsolutions.nl = DELFTSOLUTIONS.NL