Enroll Mac in Kerberos: Difference between revisions

From Delft Solutions
Jump to navigation Jump to search
m (Protected "Enroll Mac in Kerberos": Security ([Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite)))
No edit summary
Line 2: Line 2:
# Create a keytab on an enrolled host: TMPFILE="$(mktemp -u)"; ipa-getkeytab -s ipa.delftsolutions.nl -p host/<hostname> -k "$TMPFILE"; base64 -w0 "$TMPFILE" && echo; rm -f "$TMPFILE";
# Create a keytab on an enrolled host: TMPFILE="$(mktemp -u)"; ipa-getkeytab -s ipa.delftsolutions.nl -p host/<hostname> -k "$TMPFILE"; base64 -w0 "$TMPFILE" && echo; rm -f "$TMPFILE";
# On the mac as root, create the keytab: umask 026; base64 -D >/etc/krb5.keytab <<<"<key>"; umask 022
# On the mac as root, create the keytab: umask 026; base64 -D >/etc/krb5.keytab <<<"<key>"; umask 022
# Ensure /etc/krb5.conf file has the correct contents
== krb5.conf ==
<pre>
[libdefaults]
    default_realm = DELFTSOLUTIONS.NL
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true
    ticket_lifetime = 24h
[appdefaults]
        pkinit_anchors = FILE:/etc/ipa/ca.crt
[realms]
    DELFTSOLUTIONS.NL = {
        default_domain = delftsolutions.nl
pkinit_identity = FILE:/etc/ipa/max.crt,/etc/ipa/max.key
    }
[domain_realm]
    .delftsolutions.nl = DELFTSOLUTIONS.NL
    delftsolutions.nl = DELFTSOLUTIONS.NL
</pre>

Revision as of 03:58, 20 June 2024

  1. Create host on IPA
  2. Create a keytab on an enrolled host: TMPFILE="$(mktemp -u)"; ipa-getkeytab -s ipa.delftsolutions.nl -p host/<hostname> -k "$TMPFILE"; base64 -w0 "$TMPFILE" && echo; rm -f "$TMPFILE";
  3. On the mac as root, create the keytab: umask 026; base64 -D >/etc/krb5.keytab <<<"<key>"; umask 022
  4. Ensure /etc/krb5.conf file has the correct contents


krb5.conf

[libdefaults]
    default_realm = DELFTSOLUTIONS.NL
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true
    ticket_lifetime = 24h

[appdefaults]
        pkinit_anchors = FILE:/etc/ipa/ca.crt

[realms]
    DELFTSOLUTIONS.NL = {
        default_domain = delftsolutions.nl
	pkinit_identity = FILE:/etc/ipa/max.crt,/etc/ipa/max.key
    }

[domain_realm]
    .delftsolutions.nl = DELFTSOLUTIONS.NL
    delftsolutions.nl = DELFTSOLUTIONS.NL
Retrieved from "https://docs.delftsolutions.nl/index.php?title=Enroll_Mac_in_Kerberos&oldid=338"