Enroll Mac in Kerberos: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| (4 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
This will make your laptop automatically log you in to IPA. Only do this on machines that are exclusively used by you! | |||
# Set bash as your default shell: [[New_Mac_Setup#Use_Bash_as_Shell]] | |||
# Create host on IPA | # Create host on IPA | ||
# Create a keytab on an enrolled host: TMPFILE="$(mktemp -u)"; ipa-getkeytab -s ipa.delftsolutions.nl -p host/<hostname> -k "$TMPFILE"; base64 -w0 "$TMPFILE" && echo; rm -f "$TMPFILE"; | # Create a keytab on an enrolled host: TMPFILE="$(mktemp -u)"; ipa-getkeytab -s ipa.delftsolutions.nl -p host/<hostname> -k "$TMPFILE"; base64 -w0 "$TMPFILE" && echo; rm -f "$TMPFILE"; | ||
# On the mac as root, create the keytab: umask 026; base64 -D >/etc/krb5.keytab <<<"<key>"; umask 022 | # On the mac as root, create the keytab: umask 026; base64 -D >/etc/krb5.keytab <<<"<key>"; umask 022 | ||
# Ensure /etc/krb5.conf file has the correct contents | # Ensure /etc/krb5.conf file has the correct contents. | ||
# Download the ca.crt from the debian-delftsolutions-auth repository and place it in /etc/ipa/ca.crt | # Download the ca.crt from the debian-delftsolutions-auth repository and place it in /etc/ipa/ca.crt | ||
# As your normal user, create the certificates folder: mkdir ~/Library/IPA; chmod 700 ~/Library/IPA | # As your normal user, create the certificates folder: mkdir ~/Library/IPA; chmod 700 ~/Library/IPA | ||
# Create a certificate request, entering your username for the Common Name and a single dot for the other fields: openssl req -newkey rsa:4096 -nodes -keyout ~/Library/IPA/ | # Create a certificate request, entering your username for the Common Name and a single dot for the other fields: openssl req -newkey rsa:4096 -nodes -keyout ~/Library/IPA/user.key -out ~/Library/IPA/user.csr | ||
# Go to your user in IPA | # Go to your user in IPA | ||
# Click on Actions > New Certificate | # Click on Actions > New Certificate | ||
# CA = ipa | # CA = ipa | ||
# Profile ID = | # Profile ID = caIPAserviceCert | ||
# Paste the contents of this command into the big textfield: cat ~/Library/IPA/ | # Paste the contents of this command into the big textfield: cat ~/Library/IPA/user.csr | ||
# Request the certificate | # Request the certificate | ||
# Store the resulting certificate in ~/Library/IPA/ | # Store the resulting certificate in ~/Library/IPA/user.crt | ||
# Add the following lines to your ~/.bash_profile. Make sure to replace <mac_username> with your Mac username and <ipa_username> with your IPA username! | |||
## alias ds_pkinit="/usr/bin/kinit -C FILE:/Users/<mac_username>/Library/IPA/user.crt,/Users/<mac_username>/Library/IPA/user.key --keychain <ipa_username>" | |||
## ds_pkinit & disown | |||
== krb5.conf == | == krb5.conf == | ||
| Line 31: | Line 37: | ||
DELFTSOLUTIONS.NL = { | DELFTSOLUTIONS.NL = { | ||
default_domain = delftsolutions.nl | default_domain = delftsolutions.nl | ||
} | } | ||
Latest revision as of 06:56, 12 February 2025
This will make your laptop automatically log you in to IPA. Only do this on machines that are exclusively used by you!
- Set bash as your default shell: New_Mac_Setup#Use_Bash_as_Shell
- Create host on IPA
- Create a keytab on an enrolled host: TMPFILE="$(mktemp -u)"; ipa-getkeytab -s ipa.delftsolutions.nl -p host/<hostname> -k "$TMPFILE"; base64 -w0 "$TMPFILE" && echo; rm -f "$TMPFILE";
- On the mac as root, create the keytab: umask 026; base64 -D >/etc/krb5.keytab <<<"<key>"; umask 022
- Ensure /etc/krb5.conf file has the correct contents.
- Download the ca.crt from the debian-delftsolutions-auth repository and place it in /etc/ipa/ca.crt
- As your normal user, create the certificates folder: mkdir ~/Library/IPA; chmod 700 ~/Library/IPA
- Create a certificate request, entering your username for the Common Name and a single dot for the other fields: openssl req -newkey rsa:4096 -nodes -keyout ~/Library/IPA/user.key -out ~/Library/IPA/user.csr
- Go to your user in IPA
- Click on Actions > New Certificate
- CA = ipa
- Profile ID = caIPAserviceCert
- Paste the contents of this command into the big textfield: cat ~/Library/IPA/user.csr
- Request the certificate
- Store the resulting certificate in ~/Library/IPA/user.crt
- Add the following lines to your ~/.bash_profile. Make sure to replace <mac_username> with your Mac username and <ipa_username> with your IPA username!
- alias ds_pkinit="/usr/bin/kinit -C FILE:/Users/<mac_username>/Library/IPA/user.crt,/Users/<mac_username>/Library/IPA/user.key --keychain <ipa_username>"
- ds_pkinit & disown
krb5.conf
[libdefaults]
default_realm = DELFTSOLUTIONS.NL
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
ticket_lifetime = 24h
[appdefaults]
pkinit_anchors = FILE:/etc/ipa/ca.crt
[realms]
DELFTSOLUTIONS.NL = {
default_domain = delftsolutions.nl
}
[domain_realm]
.delftsolutions.nl = DELFTSOLUTIONS.NL
delftsolutions.nl = DELFTSOLUTIONS.NL