SCOPE: PAGE IS APPLICABLE TO IPAv1 ONLY.
work in progress..
IPA Server Configuration
IPA Client Configuration
Follow this guide. I found the step-by-step description to be very useful. http://clc.its.psu.edu/Labs/Mac/Resources/authdoc/default.aspx
Specifically for Kerberos Configuration , follow this. No changes. http://clc.its.psu.edu/Labs/Mac/Resources/authdoc/kerberosauthentication.aspx Specifically for LDAP Client Configuration, follow this. There are some changes, which are described below. http://clc.its.psu.edu/Labs/Mac/Resources/authdoc/ldapauthorization.aspx
PrimaryGroupID - use gidNumber attribute from LDAP UniqueID - use uidNumber attribute from LDAP
- Open the "Date&Time" utility and point it to the ipaserver.example.com to set the date and time automatically.
- Attempt to get a kerberos ticket.
kinit admin klist ( to verify )
if you have a valid kerberos ticket, ssh would proceed with GSSAPI auth without asking for a password.
- ssh firstname.lastname@example.org
- On the MAC system console, login as an ipa user with its password. Once logged in , open a terminal and try these commands:
id ( look for userid and group id correctness )
- After login, if you have kerberos configured, make sure you have a valid kerberos ticket. klist will help here.
TBD. not sure what status this code is in. I'm not able to find any docs for this from apple.
Browser - firefox
Do the normal kerberos configuration for firefox. Open firefox. goto about:config set network.negotiate-auth.delegation-uris to .example.com set network.negotiate-auth.trusted-uris to .example.com
Goto https://ipaserver.example.com If you have a valid kerberos ticket, you should be authenticated at this point.