Enroll Mac in Kerberos: Difference between revisions

No edit summary
Line 17: Line 17:


[appdefaults]
[appdefaults]
        pkinit_anchors = FILE:/etc/ipa/ca.crt
    pkinit_anchors = FILE:/etc/ipa/ca.crt


[realms]
[realms]
     DELFTSOLUTIONS.NL = {
     DELFTSOLUTIONS.NL = {
         default_domain = delftsolutions.nl
         default_domain = delftsolutions.nl
pkinit_identity = FILE:/etc/ipa/max.crt,/etc/ipa/max.key
        pkinit_identity = FILE:/etc/ipa/max.crt,/etc/ipa/max.key
     }
     }



Revision as of 03:58, 20 June 2024

  1. Create host on IPA
  2. Create a keytab on an enrolled host: TMPFILE="$(mktemp -u)"; ipa-getkeytab -s ipa.delftsolutions.nl -p host/<hostname> -k "$TMPFILE"; base64 -w0 "$TMPFILE" && echo; rm -f "$TMPFILE";
  3. On the mac as root, create the keytab: umask 026; base64 -D >/etc/krb5.keytab <<<"<key>"; umask 022
  4. Ensure the /etc/krb5.conf file has the contents shown below


krb5.conf

# krb5.conf for a Mac enrolled in the DELFTSOLUTIONS.NL realm (MIT krb5 syntax).
# Comments start with # and must be on their own line.
[libdefaults]
    default_realm = DELFTSOLUTIONS.NL
    # Let the client correct for clock skew relative to the KDC.
    kdc_timesync = 1
    # Credential cache format version.
    ccache_type = 4
    # Tickets are requested as forwardable and proxiable, which allows a
    # service the user authenticates to obtain tickets on the user's behalf;
    # review whether that delegation is needed on every host using this file.
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true
    # Maximum ticket lifetime; no renew_lifetime is set here.
    ticket_lifetime = 24h

[appdefaults]
    # CA trust anchor used to validate the KDC during PKINIT (the path
    # suggests the IPA CA certificate).
    # NOTE(review): MIT krb5 documents pkinit_anchors under [libdefaults]
    # or [realms]; confirm this [appdefaults] placement is honoured.
    pkinit_anchors = FILE:/etc/ipa/ca.crt

[realms]
    DELFTSOLUTIONS.NL = {
        default_domain = delftsolutions.nl
        # Client certificate and private key used for PKINIT. The key file
        # is a long-lived credential: it should be owned by and readable
        # only by root.
        pkinit_identity = FILE:/etc/ipa/max.crt,/etc/ipa/max.key
    }

[domain_realm]
    # Map the domain and all of its subdomains to the realm.
    .delftsolutions.nl = DELFTSOLUTIONS.NL
    delftsolutions.nl = DELFTSOLUTIONS.NL