Enroll Mac in Kerberos
- Create the host entry in IPA.
- On an already enrolled host, create a keytab for the new host and print it base64-encoded (the temporary file is deleted afterwards): TMPFILE="$(mktemp -u)"; ipa-getkeytab -s ipa.delftsolutions.nl -p host/<hostname> -k "$TMPFILE"; base64 -w0 "$TMPFILE" && echo; rm -f "$TMPFILE";
- On the Mac, as root, decode that output into the keytab (the umask keeps it unreadable for other users): umask 026; base64 -D >/etc/krb5.keytab <<<"<key>"; umask 022
- Ensure /etc/krb5.conf has the contents shown below.
- Download ca.crt from the debian-delftsolutions-auth repository and place it in /etc/ipa/ca.crt.
- As your normal user, create the certificates folder: mkdir ~/Library/IPA; chmod 700 ~/Library/IPA
- Create a certificate request. Enter your username for the Common Name and a single dot for every other field (a dot tells openssl to leave that field empty): openssl req -newkey rsa:4096 -nodes -keyout ~/Library/IPA/laptop.key -out ~/Library/IPA/laptop.csr
- Go to your user in IPA.
- Click on Actions > New Certificate:
  - CA = ipa
  - Profile ID = KDCs_PKINIT_Certs
  - Paste the output of this command into the big text field: cat ~/Library/IPA/laptop.csr
- Request the certificate.
- Store the resulting certificate in ~/Library/IPA/laptop.crt
krb5.conf
[libdefaults]
    default_realm = DELFTSOLUTIONS.NL
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true
    ticket_lifetime = 24h

[appdefaults]
    pkinit_anchors = FILE:/etc/ipa/ca.crt

[realms]
    DELFTSOLUTIONS.NL = {
        default_domain = delftsolutions.nl
        pkinit_identity = FILE:/Users/<username>/Library/IPA/laptop.crt,/Users/<username>/Library/IPA/laptop.key
    }

[domain_realm]
    .delftsolutions.nl = DELFTSOLUTIONS.NL
    delftsolutions.nl = DELFTSOLUTIONS.NL
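The Mac-side steps above (installing the keytab, generating the PKINIT key and CSR, and filling in the <username> placeholders of krb5.conf) as a shell helper. This is an added example, not a script from the wiki or from the IPA project; the function names are mine, the base64 keytab blob is assumed to come from the ipa-getkeytab step on an enrolled host, and the CSR is built with -subj so the interactive prompts are skipped (equivalent to answering the username for CN and a dot elsewhere). The keytab is written with mode 600 rather than the page's umask 026, since nothing but root needs to read a host key.

```shell
#!/bin/bash
# Added example: helpers for enrolling a Mac in the DELFTSOLUTIONS.NL realm.
# Assumed inputs: $1 of install_keytab is the base64 output of ipa-getkeytab
# run elsewhere; user names and paths below are placeholders from the caller.
set -eu

# Decode the pasted keytab into a root-only file and verify the result.
install_keytab() {
    blob="$1"; dest="$2"
    # umask 077 => file created as 600; the keytab holds the host's long-term key
    ( umask 077; printf '%s' "$blob" | base64 -d > "$dest" )   # older macOS: base64 -D
    [ -s "$dest" ] || { echo "keytab $dest is empty (bad paste?)" >&2; return 1; }
    [ -n "$(find "$dest" -perm 600)" ] || { echo "unexpected mode on $dest" >&2; return 1; }
}

# Create the per-user key and CSR for the KDCs_PKINIT_Certs profile.
# -subj "/CN=<user>" sets only the Common Name, all other fields stay empty.
make_csr() {
    user="$1"; dir="$2"
    mkdir -p "$dir"; chmod 700 "$dir"
    openssl req -newkey rsa:4096 -nodes -subj "/CN=$user" \
        -keyout "$dir/laptop.key" -out "$dir/laptop.csr" 2>/dev/null
    chmod 600 "$dir/laptop.key"   # private key: owner only
}

# Check the CSR carries exactly CN=<user> before pasting it into IPA.
# Matches both "CN = alice" (OpenSSL 1.1/3) and "CN=alice" output styles.
csr_subject_matches() {
    openssl req -in "$1" -noout -subject | grep -Eq "CN ?= ?$2\$"
}

# Render /etc/krb5.conf with the <username> placeholders filled in.
render_krb5_conf() {
    user="$1"
    cat <<EOF
[libdefaults]
    default_realm = DELFTSOLUTIONS.NL
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true
    ticket_lifetime = 24h

[appdefaults]
    pkinit_anchors = FILE:/etc/ipa/ca.crt

[realms]
    DELFTSOLUTIONS.NL = {
        default_domain = delftsolutions.nl
        pkinit_identity = FILE:/Users/$user/Library/IPA/laptop.crt,/Users/$user/Library/IPA/laptop.key
    }

[domain_realm]
    .delftsolutions.nl = DELFTSOLUTIONS.NL
    delftsolutions.nl = DELFTSOLUTIONS.NL
EOF
}

# Typical use on the Mac (run as root for the keytab, as the user for the CSR):
#   install_keytab "<base64 from ipa-getkeytab>" /etc/krb5.keytab
#   render_krb5_conf "$USER" > /etc/krb5.conf
#   make_csr "$USER" "$HOME/Library/IPA" && cat "$HOME/Library/IPA/laptop.csr"
```

After the certificate from IPA is saved as laptop.crt, `kinit -n` style PKINIT can be exercised with the user's principal; the helper deliberately stops before that step because it needs the live KDC.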