Enroll Mac in Kerberos: Difference between revisions

From Delft Solutions
Line 17: Line 17:
# Store the resulting certificate in ~/Library/IPA/user.crt
# Store the resulting certificate in ~/Library/IPA/user.crt
# Add the following lines to your ~/.bash_profile. Make sure to replace <mac_username> with your Mac username and <ipa_username> with your IPA username!
# Add the following lines to your ~/.bash_profile. Make sure to replace <mac_username> with your Mac username and <ipa_username> with your IPA username!
## alias ds_pkinit="kinit -C FILE:/Users/<mac_username>/Library/IPA/user.crt,/Users/<mac_username>/Library/IPA/user.key --keychain <ipa_username>"
## alias ds_pkinit="/usr/bin/kinit -C FILE:/Users/<mac_username>/Library/IPA/user.crt,/Users/<mac_username>/Library/IPA/user.key --keychain <ipa_username>"
## ds_pkinit & disown
## ds_pkinit & disown
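Review bot: pinning `/usr/bin/kinit` on the alias line is the right fix, but say why in the page text: `-C FILE:crt,key` and `--keychain` are options of the Heimdal kinit Apple ships, and a different `kinit` found earlier on PATH (for example an MIT Kerberos build, where `-C` means principal canonicalization and `--keychain` does not exist) would reject or misparse the same command line, so the alias would silently stop obtaining tickets. Consider the same treatment for the certificate path: `/Users/<mac_username>` still has to be edited by hand, where `$HOME/Library/IPA/user.crt,$HOME/Library/IPA/user.key` would work unchanged for every user.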

Latest revision as of 07:56, 12 February 2025

This will make your laptop automatically log you in to IPA. Only do this on machines that are exclusively used by you!

  1. Set bash as your default shell: New_Mac_Setup#Use_Bash_as_Shell
  2. Create host on IPA
  3. Create a keytab on an enrolled host: TMPFILE="$(mktemp -u)"; ipa-getkeytab -s ipa.delftsolutions.nl -p host/<hostname> -k "$TMPFILE"; base64 -w0 "$TMPFILE" && echo; rm -f "$TMPFILE";
  4. On the mac as root, create the keytab: umask 026; base64 -D >/etc/krb5.keytab <<<"<key>"; umask 022
  5. Ensure /etc/krb5.conf file has the correct contents.
  6. Download the ca.crt from the debian-delftsolutions-auth repository and place it in /etc/ipa/ca.crt
  7. As your normal user, create the certificates folder: mkdir ~/Library/IPA; chmod 700 ~/Library/IPA
  8. Create a certificate request, entering your username for the Common Name and a single dot for the other fields: openssl req -newkey rsa:4096 -nodes -keyout ~/Library/IPA/user.key -out ~/Library/IPA/user.csr
  9. Go to your user in IPA
  10. Click on Actions > New Certificate
  11. CA = ipa
  12. Profile ID = caIPAserviceCert
  13. Paste the contents of this command into the big textfield: cat ~/Library/IPA/user.csr
  14. Request the certificate
  15. Store the resulting certificate in ~/Library/IPA/user.crt
  16. Add the following lines to your ~/.bash_profile. Make sure to replace <mac_username> with your Mac username and <ipa_username> with your IPA username!
    1. alias ds_pkinit="/usr/bin/kinit -C FILE:/Users/<mac_username>/Library/IPA/user.crt,/Users/<mac_username>/Library/IPA/user.key --keychain <ipa_username>"
    2. ds_pkinit & disown

krb5.conf

[libdefaults]
    default_realm = DELFTSOLUTIONS.NL
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true
    ticket_lifetime = 24h

[appdefaults]
    pkinit_anchors = FILE:/etc/ipa/ca.crt

[realms]
    DELFTSOLUTIONS.NL = {
        default_domain = delftsolutions.nl
    }

[domain_realm]
    .delftsolutions.nl = DELFTSOLUTIONS.NL
    delftsolutions.nl = DELFTSOLUTIONS.NL
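As an added example, not the wiki's own script, the following shell helper wraps the Mac-side steps of the procedure above (4 through 8, 15 and 16) together with a check of the krb5.conf section: it decodes the keytab under a strict umask and verifies the resulting file mode, confirms that pkinit_anchors points at a CA file that exists, creates the private certificate folder, builds the CSR non-interactively with the same subject the manual prompts produce, and refuses to run kinit while user.key is readable by others. Paths are function arguments instead of the page's fixed /etc and ~/Library locations so the functions can be exercised in a scratch directory; the KINIT variable is an assumed override, and the keytab bytes in the usage are constructed.

```shell
#!/usr/bin/env bash
# Added helper for the enrollment steps on this page; not part of the Delft
# Solutions wiki. On a real Mac use /etc/krb5.keytab, /etc/krb5.conf and
# ~/Library/IPA as the path arguments. KINIT is an assumed override for tests.
set -eu

# Portable base64 decode: GNU coreutils wants -d, macOS base64 wants -D.
b64_decode() {
  if printf 'dGVzdA==' | base64 -d >/dev/null 2>&1; then
    base64 -d
  else
    base64 -D
  fi
}

# Portable octal mode of a file: GNU stat first, BSD (macOS) stat as fallback.
perm_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Step 4: decode the base64 keytab into place under a restrictive umask so the
# key material is never world-readable, then verify the result. Uses 077
# (owner only) rather than the page's 026, since only root reads the keytab.
install_keytab() {
  encoded="$1"; dest="$2"
  ( umask 077; rm -f "$dest"; printf '%s' "$encoded" | b64_decode > "$dest" )
  [ -s "$dest" ] || { echo "keytab at $dest is empty" >&2; return 1; }
  [ "$(perm_of "$dest")" = 600 ] || { echo "keytab at $dest is not mode 600" >&2; return 1; }
}

# Steps 5 and 6: krb5.conf must point pkinit_anchors at a CA file that exists,
# otherwise kinit cannot validate the KDC's PKINIT reply.
check_pkinit_anchor() {
  conf="$1"
  anchor=$(sed -n 's/^[[:space:]]*pkinit_anchors[[:space:]]*=[[:space:]]*FILE:\(.*\)$/\1/p' "$conf" | head -n 1)
  [ -n "$anchor" ] || { echo "no pkinit_anchors = FILE:... in $conf" >&2; return 1; }
  [ -s "$anchor" ] || { echo "CA file $anchor is missing or empty" >&2; return 1; }
}

# Step 7: per-user certificate folder, private to the user.
prepare_ipa_dir() {
  mkdir -p "$1"; chmod 700 "$1"
  [ "$(perm_of "$1")" = 700 ]
}

# Step 8, non-interactively: CN is the IPA username and every other subject
# field is empty (the dots the page asks you to type). Needs openssl installed.
make_csr() {
  dir="$1"; ipa_user="$2"
  ( umask 077; openssl req -newkey rsa:4096 -nodes -subj "/CN=$ipa_user" \
      -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null )
}

# Steps 15 and 16: refuse to hand the key to kinit unless it is actually
# private, then run the same command the page puts in the ds_pkinit alias.
check_pkinit_material() {
  dir="$1"
  [ -f "$dir/user.key" ] && [ -f "$dir/user.crt" ] \
    || { echo "missing user.key or user.crt in $dir" >&2; return 1; }
  [ "$(perm_of "$dir")" = 700 ] || { echo "$dir must be mode 700" >&2; return 1; }
  [ "$(perm_of "$dir/user.key")" = 600 ] || { echo "$dir/user.key must be mode 600" >&2; return 1; }
}

ds_pkinit() {
  dir="$1"; ipa_user="$2"
  check_pkinit_material "$dir" || return 1
  "${KINIT:-/usr/bin/kinit}" -C "FILE:$dir/user.crt,$dir/user.key" --keychain "$ipa_user"
}
```

On the Mac itself, `install_keytab "<key>" /etc/krb5.keytab` is run as root, `check_pkinit_anchor /etc/krb5.conf` after placing ca.crt, and `ds_pkinit "$HOME/Library/IPA" <ipa_username>` can replace the alias in step 16; the only behavioural difference from the page is the tighter keytab mode (600 instead of the 640 that umask 026 produces).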