Users cannot get past the OS X login screen. A first-time login user gets the password-change dialog pop-up at the login screen (so yes, they can authenticate), but cannot update their password.
If I log in as another user (myself), then kinit as this user, I can authenticate with their one-time password and am then prompted to change the password (and it does).
grant@iotrashcan03:~[20161227-10:51][#4]% kinit user3
user3@PRODUCTION.EFILM.COM's password:
Password has expired
Changing password
New password: ********
Repeat new password: ********
Success
grant@iotrashcan03:~[20161227-10:52][#5]% klist
Credentials cache: API:DD52CBE1-0738-42D1-9F94-92F0A43F3766
        Principal: user3@PRODUCTION.EFILM.COM

  Issued                Expires               Principal
Dec 27 10:51:55 2016  Dec 28 10:51:19 2016  krbtgt/PRODUCTION.EFILM.COM@PRODUCTION.EFILM.COM
grant@iotrashcan03:~[20161227-10:52][#6]%
After that, the new user can authenticate at the login screen, but they open to a blank desktop. No home directory is created. I am unable to create home directories in the conventional way.
grant@iotrashcan03:/var/setup[20161227-10:56][#13]% sudo createhomedir -c -a
creating home directories for (iotrashcan03.production.efilm.com)
Entity: line 1: parser error : Document is empty
/Users/hayesl
^
Entity: line 1: parser error : Document is empty
/Users/pangs
^
Entity: line 1: parser error : Document is empty
/Users/user1
^
Entity: line 1: parser error : Document is empty
/Users/user3
^
Entity: line 1: parser error : Document is empty
/Users/user4
^
[ this repeats for all users in the IPA directory ]
grant@iotrashcan03:/var/setup[20161227-10:56][#14]%
createhomedir behaved the same even after I kinit as myself (full administrative rights).
My issues appear to revolve around an LDAP mapping issue. Kerberos tickets are granted with kinit from the command line, so krb is fine. It's just some 'thing' in OpenDirectory.
CONFIGURATION:
grant@iotrashcan03:/var/setup[20161227-8:04][#8]% sudo odutil show configuration /LDAPv3/ef-idm01.production.efilm.com
{
    description = "production.efilm.com";
    mappings = {
        attributes = ( objectClass );
        function = "ldap:translate_recordtype";
        recordtypes = {
            "dsRecTypeStandard:Groups" = {
                attributetypes = {
                    "dsAttrTypeStandard:GroupMembership" = { native = memberUID; };
                    "dsAttrTypeStandard:PrimaryGroupID" = { native = gidNumber; };
                    "dsAttrTypeStandard:RecordName" = { native = cn; };
                };
                info = {
                    "Group Object Classes" = OR;
                    "Object Classes" = ( posixgroup );
                    "Search Base" = "cn=groups,cn=accounts,dc=production,dc=efilm,dc=com";
                };
            };
            "dsRecTypeStandard:Users" = {
                attributetypes = {
                    "dsAttrTypeStandard:AuthenticationAuthority" = { native = uid; };
                    "dsAttrTypeStandard:GeneratedUID" = { native = "#F1902EBE-4528-401D-9437-50$uidNumber$"; };
                    "dsAttrTypeStandard:HomeDirectory" = { native = "#/Users/$uid$"; };
                    "dsAttrTypeStandard:NFSHomeDirectory" = { native = "#/Users/$uid$"; };
                    "dsAttrTypeStandard:PrimaryGroupID" = { native = gidNumber; };
                    "dsAttrTypeStandard:RealName" = { native = cn; };
                    "dsAttrTypeStandard:RecordName" = { native = uid; };
                    "dsAttrTypeStandard:UniqueID" = { native = uidNumber; };
                    "dsAttrTypeStandard:UserShell" = { native = loginShell; };
                };
                info = {
                    "Group Object Classes" = OR;
                    "Object Classes" = ( inetOrgPerson );
                    "Search Base" = "dc=production, dc=efilm, dc=com";
                };
            };
        };
    };
    "module options" = {
        AppleODClient = { "Server Mappings" = 0; };
        ldap = {
            "Denied SASL Methods" = ( "DIGEST-MD5" );
            "LDAP Referrals" = 0;
            "Use DNS replicas" = 0;
        };
    };
    "node name" = "ef-idm01.production.efilm.com";
    options = {
        "connection idle disconnect" = 60;
        "connection setup timeout" = 10;
        destination = { host = "ef-idm01.production.efilm.com"; other = ldap; port = 389; };
        "man-in-the-middle" = 0;
        "no cleartext authentication" = 0;
        "packet encryption" = 1;
        "packet signing" = 1;
        "query timeout" = 10;
    };
    template = LDAPv3;
    trusttype = anonymous;
    uuid = "3516F40F-AABB-4F33-ADC3-4E2F678ABF5D";
}
grant@iotrashcan03:/var/setup[20161227-8:04][#9]% cat /etc/pam.d/authorization
# authorization: auth account
auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
auth       sufficient     pam_krb5.so use_first_pass default_principal
auth       optional       pam_ntlm.so use_first_pass
auth       required       pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so
grant@iotrashcan03:/var/setup[20161227-8:04][#10]% cat /Library/Preferences/edu.mit.Kerberos
[domain_realm]
    .production.efilm.com = PRODUCTION.EFILM.COM
    production.efilm.com = PRODUCTION.EFILM.COM

[realms]
    PRODUCTION.EFILM.COM = {
        pkinit_anchors = FILE:/etc/ipa/ca.crt
    }

[libdefaults]
    default_realm = PRODUCTION.EFILM.COM
    allow_weak_crypto = yes
    dns_lookup_realm = false
    dns_lookup_kdc = true
    rdns = true
    ticket_lifetime = 24h
    forwardable = yes
    renewable = true
grant@iotrashcan03:/var/setup[20161227-8:05][#11]%
SRV records are served via DNS, so a lean /Library/Preferences/edu.mit.Kerberos file is not my issue.
The host keytab was generated on the IPA master and copied to the host. The host has a Kerberos principal (though I doubt Kerberos is my issue).
grant@ef-idm01:~[20161230-7:09][#85]$ ipa host-show iotrashcan02.production.efilm.com
  Host name: iotrashcan02.production.efilm.com
  Principal name: host/iotrashcan02.production.efilm.com@PRODUCTION.EFILM.COM
  MAC address: 00:60:DD:43:18:CE
  Password: False
  Keytab: True
  Managed by: iotrashcan02.production.efilm.com
  SSH public key fingerprint: C2:71:DC:6B:DA:E6:90:D8:DE:84:03:69:32:70:EA:ED (ssh-dss), 7D:A4:CB:E1:5C:41:47:65:DE:0A:F6:41:E5:9E:26:44 (ssh-rsa)
grant@ef-idm01:~[20161230-7:09][#86]$
What do you suppose I missed? I am suspecting an LDAP -> OpenDirectory mapping issue, but I feel like I've already tried "everything".
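As an added illustration (not from the ticket, and not FreeIPA or Apple code), the Python below applies the `dsRecTypeStandard:Users` mapping quoted in the configuration to a constructed FreeIPA-style user entry, so the values OpenDirectory would derive for HomeDirectory, GeneratedUID and the rest can be inspected before chasing them on the Mac. The `#`-prefix static-string and `$attr$` substitution semantics are my reading of the LDAPv3 plugin's mapping rules, and the sample entry is constructed, not pulled from the reporter's directory.

```python
import re

# Users mapping copied from the odutil output above. Assumed OpenDirectory LDAPv3
# semantics: a native value starting with '#' is a static string with each $attr$
# replaced by that LDAP attribute's value; anything else names an attribute to read.
USER_MAPPING = {
    "AuthenticationAuthority": "uid",
    "GeneratedUID": "#F1902EBE-4528-401D-9437-50$uidNumber$",
    "HomeDirectory": "#/Users/$uid$",
    "NFSHomeDirectory": "#/Users/$uid$",
    "PrimaryGroupID": "gidNumber",
    "RealName": "cn",
    "RecordName": "uid",
    "UniqueID": "uidNumber",
    "UserShell": "loginShell",
}
USER_OBJECT_CLASSES = ["inetOrgPerson"]  # "Object Classes" = ( inetOrgPerson )

# Constructed sample entry shaped like a FreeIPA user (not from the ticket).
SAMPLE_ENTRY = {
    "uid": ["user3"], "uidNumber": ["1234567890"], "gidNumber": ["1234567890"],
    "cn": ["User Three"], "loginShell": ["/bin/bash"],
    "objectClass": ["top", "person", "inetOrgPerson", "posixAccount"],
}

def matches_object_classes(entry, wanted, mode="OR"):
    """Emulate the record-type filter ("Group Object Classes" = OR or AND)."""
    have = {c.lower() for c in entry.get("objectClass", [])}
    hits = [c.lower() in have for c in wanted]
    return any(hits) if mode == "OR" else all(hits)

def resolve_attribute(native, entry):
    """Mapped value, or None if a referenced native attribute is absent."""
    if not native.startswith("#"):
        return (entry.get(native) or [None])[0]
    missing = []
    def substitute(match):
        values = entry.get(match.group(1))
        if not values:
            missing.append(match.group(1))
            return ""
        return values[0]
    rendered = re.sub(r"\$([A-Za-z][\w;-]*)\$", substitute, native[1:])
    return None if missing else rendered

def resolve_record(entry, mapping=USER_MAPPING):
    """Apply the Users mapping; None when the object-class filter rejects it."""
    if not matches_object_classes(entry, USER_OBJECT_CLASSES):
        return None
    return {std: resolve_attribute(nat, entry) for std, nat in mapping.items()}
```

Feeding it an entry copied from `ldapsearch` against the IPA server shows which standard attributes come out empty (None) and which values OpenDirectory will hand to tools such as createhomedir.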
This bug is more of a question. I'd suggest posting it on the freeipa-users mailing list, where more people who have experience with such a setup can answer: https://www.redhat.com/mailman/listinfo/freeipa-users
I'd like to help you, but unfortunately we don't have an answer for you, mainly because we don't test with OS X.
Given that we don't know where the issue is, whether it is in FreeIPA or somewhere else, I'm going to close this ticket.
If you or somebody else finds a bug to be fixed in FreeIPA which is needed for the setup to run, then please reopen or file a new ticket.
Metadata Update from @gjanssen:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE