ConfiguringMACOSXTigerClient#
IPA Client Configuration#
setup#
Follow this guide. I found the step-by-step description to be very useful.

http://clc.its.psu.edu/Labs/Mac/Resources/authdoc/default.aspx

Specifically for Kerberos configuration, follow this. No changes.

http://clc.its.psu.edu/Labs/Mac/Resources/authdoc/kerberosauthentication.aspx

Specifically for LDAP client configuration, follow this. There are some changes, which are described below.

http://clc.its.psu.edu/Labs/Mac/Resources/authdoc/ldapauthorization.aspx

| PrimaryGroupID - use the ``gidNumber`` attribute from LDAP
| UniqueID - use the ``uidNumber`` attribute from LDAP
NTP#
Open the “Date & Time” utility and point it to ipaserver.example.com to set the date and time automatically.
kinit#
Attempt to get a Kerberos ticket.

| ``kinit admin``
| ``klist`` (to verify)
ssh#
If you have a valid Kerberos ticket, ssh would proceed with GSSAPI auth without asking for a password.
system login#
On the Mac system console, log in as an IPA user with its password. Once logged in, open a terminal and try these commands:

``id`` (check that the user ID and group ID are correct)

After login, if you have Kerberos configured, make sure you have a valid Kerberos ticket. ``klist`` will help here.
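
The kinit, ssh and system login checks above can be scripted; the following is an added example, not part of the original page. The expected uid, gid and SSH host are arguments supplied by the caller (assumptions), the function names are hypothetical, and ``klist -s`` assumes an MIT-style klist.

```sh
#!/bin/sh
# Added example: post-configuration checks for an IPA-joined Mac client.
# Usage (hypothetical script name): verify_client.sh UIDNUMBER GIDNUMBER SSH_HOST

# Succeeds when the credential cache holds a valid (unexpired) ticket.
check_ticket() {
    # MIT klist: -s prints nothing and reports validity via the exit status.
    if klist -s 2>/dev/null; then
        echo "OK: valid Kerberos ticket in cache"
    else
        echo "FAIL: no valid Kerberos ticket; run kinit" >&2
        return 1
    fi
}

# Succeeds when the logged-in user's numeric ids equal the LDAP values
# (uidNumber is mapped to UniqueID, gidNumber to PrimaryGroupID).
check_ids() {
    want_uid=$1 want_gid=$2
    have_uid=$(id -u) have_gid=$(id -g)
    if [ "$have_uid" != "$want_uid" ]; then
        echo "FAIL: uid is $have_uid, LDAP uidNumber is $want_uid" >&2
        return 1
    fi
    if [ "$have_gid" != "$want_gid" ]; then
        echo "FAIL: gid is $have_gid, LDAP gidNumber is $want_gid" >&2
        return 1
    fi
    echo "OK: uid=$have_uid gid=$have_gid match LDAP"
}

# Succeeds only if ssh authenticates with GSSAPI. BatchMode disables prompts,
# and restricting the method list keeps a public key or password from
# masking a broken Kerberos setup.
check_ssh_gssapi() {
    ssh -o BatchMode=yes -o GSSAPIAuthentication=yes \
        -o PreferredAuthentications=gssapi-with-mic "$1" true
}

# Runs every check and returns non-zero if any of them failed.
verify_client() {
    rc=0
    check_ticket || rc=1
    check_ids "$1" "$2" || rc=1
    check_ssh_gssapi "$3" || rc=1
    return $rc
}

# Run the checks only when all three arguments are given.
if [ "$#" -eq 3 ]; then verify_client "$@"; fi
```
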
nfsv4/kerberos#
TBD. Not sure what status this code is in. I'm not able to find any docs for this from Apple.
Browser - firefox#
| Do the normal Kerberos configuration for Firefox.
| Open Firefox and go to ``about:config``.
| Set ``network.negotiate-auth.delegation-uris`` to ``.example.com``.
| Set ``network.negotiate-auth.trusted-uris`` to ``.example.com``.
| Go to https://ipaserver.example.com
| If you have a valid Kerberos ticket, you should be authenticated at this point.