Enroll Mac in Kerberos: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
This will make your laptop automatically log you in to IPA. Only do this on machines that are exclusively used by you! | |||
# Create host on IPA | # Create host on IPA | ||
# Create a keytab on an enrolled host: TMPFILE="$(mktemp -u)"; ipa-getkeytab -s ipa.delftsolutions.nl -p host/<hostname> -k "$TMPFILE"; base64 -w0 "$TMPFILE" && echo; rm -f "$TMPFILE"; | # Create a keytab on an enrolled host: TMPFILE="$(mktemp -u)"; ipa-getkeytab -s ipa.delftsolutions.nl -p host/<hostname> -k "$TMPFILE"; base64 -w0 "$TMPFILE" && echo; rm -f "$TMPFILE"; | ||
# On the mac as root, create the keytab: umask 026; base64 -D >/etc/krb5.keytab <<<"<key>"; umask 022 | # On the mac as root, create the keytab: umask 026; base64 -D >/etc/krb5.keytab <<<"<key>"; umask 022 | ||
# Ensure /etc/krb5.conf file has the correct contents | # Ensure /etc/krb5.conf file has the correct contents. Make sure to replace <username> with your actual username! | ||
# Download the ca.crt from the debian-delftsolutions-auth repository and place it in /etc/ipa/ca.crt | # Download the ca.crt from the debian-delftsolutions-auth repository and place it in /etc/ipa/ca.crt | ||
# As your normal user, create the certificates folder: mkdir ~/Library/IPA; chmod 700 ~/Library/IPA | # As your normal user, create the certificates folder: mkdir ~/Library/IPA; chmod 700 ~/Library/IPA | ||
| Line 9: | Line 11: | ||
# Click on Actions > New Certificate | # Click on Actions > New Certificate | ||
# CA = ipa | # CA = ipa | ||
# Profile ID = | # Profile ID = caIPAserviceCert | ||
# Paste the contents of this command into the big textfield: cat ~/Library/IPA/laptop.csr | # Paste the contents of this command into the big textfield: cat ~/Library/IPA/laptop.csr | ||
# Request the certificate | # Request the certificate | ||
| Line 31: | Line 33: | ||
DELFTSOLUTIONS.NL = { | DELFTSOLUTIONS.NL = { | ||
default_domain = delftsolutions.nl | default_domain = delftsolutions.nl | ||
} | } | ||
Revision as of 07:02, 21 January 2025
This will make your laptop automatically log you in to IPA. Only do this on machines that are exclusively used by you!
- Create host on IPA
- Create a keytab on an enrolled host: TMPFILE="$(mktemp -u)"; ipa-getkeytab -s ipa.delftsolutions.nl -p host/<hostname> -k "$TMPFILE"; base64 -w0 "$TMPFILE" && echo; rm -f "$TMPFILE";
- On the mac as root, create the keytab: umask 026; base64 -D >/etc/krb5.keytab <<<"<key>"; umask 022
- Ensure /etc/krb5.conf file has the correct contents. Make sure to replace <username> with your actual username!
- Download the ca.crt from the debian-delftsolutions-auth repository and place it in /etc/ipa/ca.crt
- As your normal user, create the certificates folder: mkdir ~/Library/IPA; chmod 700 ~/Library/IPA
- Create a certificate request, entering your username for the Common Name and a single dot for the other fields: openssl req -newkey rsa:4096 -nodes -keyout ~/Library/IPA/laptop.key -out ~/Library/IPA/laptop.csr
- Go to your user in IPA
- Click on Actions > New Certificate
- CA = ipa
- Profile ID = caIPAserviceCert
- Paste the contents of this command into the big textfield: cat ~/Library/IPA/laptop.csr
- Request the certificate
- Store the resulting certificate in ~/Library/IPA/laptop.crt
krb5.conf
[libdefaults]
default_realm = DELFTSOLUTIONS.NL
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
ticket_lifetime = 24h
[appdefaults]
pkinit_anchors = FILE:/etc/ipa/ca.crt
[realms]
DELFTSOLUTIONS.NL = {
default_domain = delftsolutions.nl
}
[domain_realm]
.delftsolutions.nl = DELFTSOLUTIONS.NL
delftsolutions.nl = DELFTSOLUTIONS.NL