Enroll Mac in Kerberos: Difference between revisions

From Delft Solutions
Jump to navigation Jump to search
m (Protected "Enroll Mac in Kerberos": Security ([Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite)))
No edit summary
 
(3 intermediate revisions by the same user not shown)
Line 2: Line 2:
# Create a keytab on an enrolled host: TMPFILE="$(mktemp -u)"; ipa-getkeytab -s ipa.delftsolutions.nl -p host/<hostname> -k "$TMPFILE"; base64 -w0 "$TMPFILE" && echo; rm -f "$TMPFILE";
# Create a keytab on an enrolled host: TMPFILE="$(mktemp -u)"; ipa-getkeytab -s ipa.delftsolutions.nl -p host/<hostname> -k "$TMPFILE"; base64 -w0 "$TMPFILE" && echo; rm -f "$TMPFILE";
# On the mac as root, create the keytab: umask 026; base64 -D >/etc/krb5.keytab <<<"<key>"; umask 022
# On the mac as root, create the keytab: umask 026; base64 -D >/etc/krb5.keytab <<<"<key>"; umask 022
# Ensure /etc/krb5.conf file has the correct contents
# Download the ca.crt from the debian-delftsolutions-auth repository and place it in /etc/ipa/ca.crt
# As your normal user, create the certificates folder: mkdir ~/Library/IPA; chmod 700 ~/Library/IPA
# Create a certificate request, entering your username for the Common Name and a single dot for the other fields: openssl req -newkey rsa:4096 -nodes -keyout ~/Library/IPA/laptop.key -out ~/Library/IPA/laptop.csr
# Go to your user in IPA
# Click on Actions > New Certificate
# CA = ipa
# Profile ID = KDCs_PKINIT_Certs
# Paste the contents of this command into the big textfield: cat ~/Library/IPA/laptop.csr
# Request the certificate
# Store the resulting certificate in ~/Library/IPA/laptop.crt
== krb5.conf ==
<pre>
[libdefaults]
    default_realm = DELFTSOLUTIONS.NL
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true
    ticket_lifetime = 24h
[appdefaults]
    pkinit_anchors = FILE:/etc/ipa/ca.crt
[realms]
    DELFTSOLUTIONS.NL = {
        default_domain = delftsolutions.nl
        pkinit_identity = FILE:/Users/<username>/Library/IPA/laptop.crt,/Users/<username>/Library/IPA/laptop.key
    }
[domain_realm]
    .delftsolutions.nl = DELFTSOLUTIONS.NL
    delftsolutions.nl = DELFTSOLUTIONS.NL
</pre>

Latest revision as of 04:37, 20 June 2024

  1. Create host on IPA
  2. Create a keytab on an enrolled host: TMPFILE="$(mktemp -u)"; ipa-getkeytab -s ipa.delftsolutions.nl -p host/<hostname> -k "$TMPFILE"; base64 -w0 "$TMPFILE" && echo; rm -f "$TMPFILE";
  3. On the mac as root, create the keytab: umask 026; base64 -D >/etc/krb5.keytab <<<"<key>"; umask 022
  4. Ensure /etc/krb5.conf file has the correct contents
  5. Download the ca.crt from the debian-delftsolutions-auth repository and place it in /etc/ipa/ca.crt
  6. As your normal user, create the certificates folder: mkdir ~/Library/IPA; chmod 700 ~/Library/IPA
  7. Create a certificate request, entering your username for the Common Name and a single dot for the other fields: openssl req -newkey rsa:4096 -nodes -keyout ~/Library/IPA/laptop.key -out ~/Library/IPA/laptop.csr
  8. Go to your user in IPA
  9. Click on Actions > New Certificate
  10. CA = ipa
  11. Profile ID = KDCs_PKINIT_Certs
  12. Paste the contents of this command into the big textfield: cat ~/Library/IPA/laptop.csr
  13. Request the certificate
  14. Store the resulting certificate in ~/Library/IPA/laptop.crt

krb5.conf

[libdefaults]
    default_realm = DELFTSOLUTIONS.NL
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true
    ticket_lifetime = 24h

[appdefaults]
    pkinit_anchors = FILE:/etc/ipa/ca.crt

[realms]
    DELFTSOLUTIONS.NL = {
        default_domain = delftsolutions.nl
        pkinit_identity = FILE:/Users/<username>/Library/IPA/laptop.crt,/Users/<username>/Library/IPA/laptop.key
    }

[domain_realm]
    .delftsolutions.nl = DELFTSOLUTIONS.NL
    delftsolutions.nl = DELFTSOLUTIONS.NL