FreeIPA and MacOS Sanoma

Hi All,

I have been attempting to setup FreeIPA using Rocky Linux 9.4 and have joined Windows 11, Ubuntu 22.04, and Rocky Linux 9.4 Clients. Everything seems to work correctly. I am having issues trying to join MacOS Sanoma to the Domain/REALM but regardless of what I do I can’t get the MacOS to authenticate or login with FreeIPA user accounts. The MacOS clients are enrolled in FreeIPA and I have manually configured the systems config files based on this article which seems like the most recent on the Internet. FreeIPA - Linux Guide and Hints

Does anyone have MacOS Sonoma working with FreeIPA?
Can anyone point me to a working configuration guide?

Best regards,
Greg

I am the maintainer of that website. My mac, running Sonoma, has no issues authenticating with my FreeIPA domain.

What exactly are you getting stuck on? Did you follow the steps thoroughly, including for “Ventura and likely newer”? Have you tried to look at the logs or run the necessary directory utility commands to troubleshoot your issue? killall -USR1 DirectoryService should put it into debug mode to generate logs for you to read in the Console app or in /var/log and /Library/Logs.

Hi Louis,

I have tried steps for Ventura and newer. I have also tried the command above and I get a message saying “No running processes belonging to you were found.” It’s really strange, I can do kinit with any user from the IPA domain and I get a valid ticket. I also get prompted when I need to change passwords and it works perfectly. When I search the directory tab on Directory Editor tab in the Directory Utility I can see the users from the domain without it being authenticated. When I try authenticate by clicking on the lock no credentials I enter are accepted. I keep getting this error “Credentials could not be verified, user name and password is invalid (5000)”. I’m not sure if the Base DN is correct. Should I be using the format (dc=server,dc=company,dc=net) or (dc=company, dc=net) Is there a way to configure the client with the dsconfigad tool?

This shows that kerberos is working. Unfortunately kerberos working does not mean the LDAP portion will work right away.

The base dn will match what your realm name is. E.g., dn=angelsofclockwork,dc=net would be mine. If you are able to see your users and groups in the directory utility, then your base dn has been configured correctly.

FreeIPA is not active directory, so that command will not work.

This might have something to do with securetoken. Typically this is established when the user first logs in at the login screen (this includes users from an LDAP and in this case FreeIPA) or when you are creating a mobile account. If you’re not able to login as an IPA user at the login screen or create the mobile account, the logs could tell you why (see log stream --process opendirectoryd). Looking at the logs would also indicate something about securetoken. It may be worth a look.

You could try to run sysadminctl -adminUser "..." -adminPassword "..." -secureTokenOn "ipauser" -password "ipapassword" and see if that helps too. I was not required to run this on my mac (it’s not in my root history). I believe this was established for me when using createmobileaccount.

Hi Louis,

I have tried the log stream --process opendirectoryd and it works really well. You were correct when you said I would see securetoken failures’. I am also seeing a lot of issues related to DNS resolution. I have removed all DNS servers in my test network except for IPA’s built-in DNS server to eliminate the other BIND servers from the problem while troubleshooting. I seem to be getting errors related to the directory BIND. could you confirm what format your security tab looks like? Is “Use authentication when connecting” enabled? Under the Distinguished Name are you pointing to an admin user or your own account to read the directory? in DN I have used the following format (uid=asmith,cn=users,cn=accounts,dc=fathom,dc=org) It accepts the account and password but I can’t read the directory and it says not authenticated on the lock icon.

I also tried your other suggestion and it says "No event, “secureTokenOn “asmith” -password “ipauserpassword””.

Maybe you can understand this error in the log?

2024-06-21 13:24:17.057031+0100 0x67cd Error 0xecfe 117 0 opendirectoryd: (ldap) [com.apple.opendirectoryd:session] failed to retrieve password for credential
2024-06-21 13:24:17.057370+0100 0x67b0 Default 0xecfe 117 0 opendirectoryd: (Network) [com.apple.network:path] nw_path_libinfo_path_check [AAC9D755-6504-4638-9814-7E66B42C6CBD Hostname#0668ae67:389 tcp, legacy-socket, attribution: developer]
libinfo check path: satisfied (Path is satisfied), interface: en6, ipv4, dns
2024-06-21 13:24:17.058545+0100 0x67b0 Error 0xecfe 117 0 opendirectoryd: (ldap) [com.apple.opendirectoryd:session] failed to retrieve password for credential
2024-06-21 13:24:17.058601+0100 0x65ab Default 0xecfe 117 0 opendirectoryd: [com.apple.opendirectoryd:session] /LDAPv3/ipa.company.org: failed to connect: 2100
2024-06-21 13:24:17.058794+0100 0x65ab Default 0xecfe 117 0 opendirectoryd: [com.apple.opendirectoryd:session] ODNodeCreateWithNameAndOptions failed with result ODErrorNodeConnectionFailed
2024-06-21 13:24:17.467560+0100 0x7d9 Activity 0xed05 117 0 opendirectoryd: (SystemCache) Kernel: kauth_membership_check
2024-06-21 13:24:17.941993+0100 0x7d9 Activity 0xed06 117 0 opendirectoryd: (SystemCache) Kernel: kauth_membership_check
2024-06-21 13:24:33.682630+0100 0x65ab Default 0xef99 117 0 opendirectoryd: (PlistFile) [com.apple.opendirectoryd:auth] While verifying password: user (EE9CADB0-5A27-4AE1-833E-BFFC39514C09) a SecureToken user
2024-06-21 13:24:33.682677+0100 0x65ab Default 0xef99 117 0 opendirectoryd: (PlistFile) [com.apple.opendirectoryd:auth] While verifying password: user (EE9CADB0-5A27-4AE1-833E-BFFC39514C09) a ShadowHash user
2024-06-21 13:24:33.682701+0100 0x65ab Default 0xef99 117 0 opendirectoryd: (PlistFile) [com.apple.opendirectoryd:auth] While verifying password: using both SecureToken and ShadowHash
2024-06-21 13:24:33.684041+0100 0x65ab Default 0xef99 117 0 opendirectoryd: (PlistFile) [com.apple.opendirectoryd:auth] Access token exists and is already bound
2024-06-21 13:24:33.699242+0100 0x65ab Default 0xef99 117 0 opendirectoryd: (PlistFile) [com.apple.opendirectoryd:auth] Successful SecureToken authentication for EE9CADB0-5A27-4AE1-833E-BFFC39514C09 console domain
2024-06-21 13:24:33.824366+0100 0x65ab Default 0xef99 117 0 opendirectoryd: (PlistFile) [com.apple.opendirectoryd:auth] Verified password for (EE9CADB0-5A27-4AE1-833E-BFFC39514C09): SecureToken (ODNoError), Shadowhash (ODNoError)
2024-06-21 13:24:33.824398+0100 0x65ab Default 0xef99 117 0 opendirectoryd: (PlistFile) [com.apple.opendirectoryd:auth] Verified password for (EE9CADB0-5A27-4AE1-833E-BFFC39514C09): SecureToken and Shadowhash results match
2024-06-21 13:24:33.824661+0100 0x65ab Default 0xef99 117 0 opendirectoryd: (libxpc.dylib) [com.apple.xpc:connection] [0x12f78e8f0] activating connection: mach=false listener=false peer=false name=com.apple.AccountPolicyHelper
2024-06-21 13:24:33.825009+0100 0x65ab Default 0xef99 117 0 opendirectoryd: (libxpc.dylib) [com.apple.xpc:connection] [0x12f78e8f0] invalidated because the current process cancelled the connection by calling xpc_connection_cancel()
2024-06-21 13:24:33.825033+0100 0x65ab Default 0xef99 117 0 opendirectoryd: (AccountPolicy) [com.apple.AccountPolicy:Framework] AuthenticationAllowed: Evaluation result for record “”, record type “dsRecTypeStandard:Users”: Success
2024-06-21 13:24:33.825062+0100 0x65ab Default 0xef99 117 0 opendirectoryd: (PlistFile) [com.apple.opendirectoryd:policy] AccountPolicy: Authentication allowed
2024-06-21 13:24:33.825095+0100 0x65ab Default 0xef99 117 0 opendirectoryd: (PlistFile) [com.apple.opendirectoryd:auth] Authentication succeeded for (EE9CADB0-5A27-4AE1-833E-BFFC39514C09): ODNoError
2024-06-21 13:24:33.832493+0100 0x6912 Default 0xefa4 117 0 opendirectoryd: (PlistFile) [com.apple.opendirectoryd:auth] Verifier state for EE9CADB0-5A27-4AE1-833E-BFFC39514C09 console domain: success
2024-06-21 13:24:33.832630+0100 0x6912 Default 0xefa4 117 0 opendirectoryd: (libxpc.dylib) [com.apple.xpc:connection] [0x12f69c0d0] activating connection: mach=false listener=false peer=false name=com.apple.AccountPolicyHelper
2024-06-21 13:24:33.832886+0100 0x6912 Default 0xefa4 117 0 opendirectoryd: (libxpc.dylib) [com.apple.xpc:connection] [0x12f69c0d0] invalidated because the current process cancelled the connection by calling xpc_connection_cancel()
2024-06-21 13:24:33.832907+0100 0x6912 Default 0xefa4 117 0 opendirectoryd: (AccountPolicy) [com.apple.AccountPolicy:Framework] AuthenticationAllowed: Evaluation result for record “”, record type “dsRecTypeStandard:Users”: Success
2024-06-21 13:24:33.832934+0100 0x6912 Default 0xefa4 117 0 opendirectoryd: (PlistFile) [com.apple.opendirectoryd:policy] AccountPolicy: Authentication allowed
2024-06-21 13:24:33.832962+0100 0x6912 Default 0xefa4 117 0 opendirectoryd: (PlistFile) [com.apple.opendirectoryd:auth] Authentication allowed by SecureToken and account policy for
2024-06-21 13:24:37.702126+0100 0x65ab Default 0xf02a 117 0 opendirectoryd: (Network) [com.apple.network:path] nw_path_libinfo_path_check [E4AE5093-1D7B-417F-A19C-7243F1F9357A Hostname#0668ae67:389 tcp, legacy-socket, attribution: developer]
libinfo check path: satisfied (Path is satisfied), interface: en6, ipv4, dns
2024-06-21 13:24:37.722553+0100 0x6912 Error 0xf02b 117 0 opendirectoryd: [com.apple.opendirectoryd:default] Failed to open file [2: No such file or directory]
2024-06-21 13:24:37.722649+0100 0x6912 Error 0xf02b 117 0 opendirectoryd: [com.apple.opendirectoryd:default] Failed to open file [2: No such file or directory]

This is another section that’s strange and has errors.

Blockquote
2024-06-21 13:23:44.807529+0100 0x65ab Default 0xeb27 117 0 opendirectoryd: (Heimdal) [com.apple.Heimdal:libkrb5] krb5_sendto_context COMPANY.ORG done: 0 hosts 1 packets 1 wc: 0.007692 nr: 0.001282 kh: 0.000467 tid: 00020001
2024-06-21 13:23:44.807574+0100 0x65ab Default 0xeb27 117 0 opendirectoryd: (Heimdal) [com.apple.Heimdal:libkrb5] krb5_get_init_creds: loop 2
2024-06-21 13:23:44.807602+0100 0x65ab Default 0xeb27 117 0 opendirectoryd: (Heimdal) [com.apple.Heimdal:libkrb5] krb5_get_init_creds: processing input
2024-06-21 13:23:44.807629+0100 0x65ab Default 0xeb27 117 0 opendirectoryd: (Heimdal) [com.apple.Heimdal:libkrb5] krb5_get_init_creds: got an KRB-ERROR from KDC
2024-06-21 13:23:44.807667+0100 0x65ab Default 0xeb27 117 0 opendirectoryd: (Heimdal) [com.apple.Heimdal:libkrb5] krb5_get_init_creds: KRB-ERROR -1765328378/Error from KDC: CLIENT_NOT_FOUND
2024-06-21 13:23:44.807710+0100 0x65ab Default 0xeb27 117 0 opendirectoryd: [com.apple.opendirectoryd:auth] Failed kerberos password verification for (null),
2024-06-21 13:23:44.909935+0100 0x65ab Default 0xeb27 117 0 opendirectoryd: (ldap) [com.apple.opendirectoryd:auth] failed CRAM-MD5 authentication for authzid - ‘’ authcid - ‘’ error 49
2024-06-21 13:23:44.910683+0100 0x65ab Default 0xeb27 117 0 opendirectoryd: (Network) [com.apple.network:path] nw_path_evaluator_start [9F860654-0622-4350-A056-5D40E8AC1368 IPv4#cfd9357e:389 generic, local: 10.0.129.248:49308, attribution: developer]
path: satisfied (Path is satisfied), interface: en6, scoped, ipv4, dns
Blockquote

My security tab is completely empty. I do not have a DN set.

Perhaps this will work instead. Replace <ipa_user> with your IPA user name and <local_admin_account> with the name of the local admin user on your mac. It’ll ask for passwords interactively.

/usr/sbin/sysadminctl -secureTokenOn <ipa_user> -password - -adminUser <local_admin_account> -adminPassword -

I’m not sure if these are red herrings, but they imply that the kerberos ticket at /etc/krb5.keytab is not valid. Two things I would verify is the permissions and that you can kinit with the keytab and perform an ldapsearch.

The reason the permissions came to mind is that I didn’t document the proper permissions for Ventura and higher.

lani:~ root# chown root:_keytabusers /etc/krb5.keytab
lani:~ root# chmod 640 /etc/krb5.keytab

You can try to perform an ldapsearch with a keytab like this. Replace your domain/realm and hostname as needed.

lani:~ root# ktutil --keytab=/etc/krb5.keytab list | grep ANGELS
  3  aes256-cts-hmac-sha1-96  host/lani.angelsofclockwork.net@ANGELSOFCLOCKWORK.NET
  3  aes128-cts-hmac-sha1-96  host/lani.angelsofclockwork.net@ANGELSOFCLOCKWORK.NET
lani:~ root# kinit --keytab=/etc/krb5.keytab -f host/lani.angelsofclockwork.net@ANGELSOFCLOCKWORK.NET
lani:~ root# klist
Credentials cache: API:CDA6937B-825F-4B7B-9C41-11AB91C38DFF
        Principal: host/lani.angelsofclockwork.net@ANGELSOFCLOCKWORK.NET

  Issued                Expires               Principal
Jun 21 08:32:11 2024  Jun 22 08:32:11 2024  krbtgt/ANGELSOFCLOCKWORK.NET@ANGELSOFCLOCKWORK.NET
lani:~ root# ldapsearch -h ipa01.angelsofclockwork.net uid=admin uid
SASL/GSSAPI authentication started
SASL username: host/lani.angelsofclockwork.net@ANGELSOFCLOCKWORK.NET
SASL SSF: 112
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: uid=admin
# requesting: uid
#

# admin, users, compat, angelsofclockwork.net
dn: uid=admin,cn=users,cn=compat,dc=angelsofclockwork,dc=net
uid: admin

# admin, users, accounts, angelsofclockwork.net
dn: uid=admin,cn=users,cn=accounts,dc=angelsofclockwork,dc=net
uid: admin

# search result
search: 5
result: 0 Success

# numResponses: 3
# numEntries: 2

What I would suggest is if you are still struggling to start completely over. You can do this by clearing out all network servers in users & groups, cleaning the krb5.conf file, and rebooting. The keytab can stay if it is valid.

I’ve found that sometimes starting clean is the best option to solving some of these problems. See below where I perform a clean macOS install with IPA authentication.

I went through my guide on a macOS VM to verify if there is a missing step somewhere.

Setting the hostname and getting the CA.

Screenshot 2024-06-21 at 09.00.24750×511 54.7 KB

Creating the host and keytab in IPA.

[label@ipa01 ~]$ ipa host-add macvm.angelsofclockwork.net --force
----------------------------------------
Added host "macvm.angelsofclockwork.net"
----------------------------------------
  Host name: macvm.angelsofclockwork.net
  Principal name: host/macvm.angelsofclockwork.net@ANGELSOFCLOCKWORK.NET
  Principal alias: host/macvm.angelsofclockwork.net@ANGELSOFCLOCKWORK.NET
  Password: False
  Member of host-groups: allhosts
  Indirect Member of netgroup: allhosts
  Keytab: False
  Managed by: macvm.angelsofclockwork.net
[label@ipa01 ~]$ ipa-getkeytab -s ipa01.angelsofclockwork.net -p host/macvm.angelsofclockwork.net -k /tmp/krb5.keytab
Keytab successfully retrieved and stored in: /tmp/krb5.keytab
[label@ipa01 ~]$ chown label:label /tmp/krb5.keytab
[label@ipa01 ~]$

Bringing over the keytab, configuring kerberos, and testing. (Instead of 600, I use 640 and root:_keytabusers, I believe I forgot to document this properly)

I left PAM configured with the defaults for now. We’re just trying to login as an IPA user.

Adding one of my IPA servers to the users & groups settings. This shows green, so it’s connected.

I open the directory utility and click the “lock”. I click LDAP, click the pencil. Here I set the mappings to rfc2307 and put in my base DN. Here I purposely use cn=accounts,… because I have a compat tree and don’t want that to be used.

Clicked edit, went to search & mappings, and made the relevant changes. Also verified the search policy.

Screenshot 2024-06-21 at 09.21.20543×523 38 KB

Screenshot 2024-06-21 at 09.21.59540×523 37.6 KB

Screenshot 2024-06-21 at 09.22.55542×527 33.7 KB

Screenshot 2024-06-21 at 09.24.06544×531 30.9 KB

Screenshot 2024-06-21 at 09.24.57538×524 31.1 KB

Screenshot 2024-06-21 at 09.25.13544×529 32.4 KB

Screenshot 2024-06-21 at 09.26.31535×520 32.3 KB

Screenshot 2024-06-21 at 09.27.20817×636 44.2 KB

On the lock screen, I turned on “name and password”.

Screenshot 2024-06-21 at 09.28.25767×128 38.2 KB

I verified dscacheutil sees the user.

I go ahead and log out and at this point, I try to login with my IPA user for the first time. It takes a moment, but I am eventually given the beginning setup screen.

Screenshot 2024-06-21 at 09.47.51828×620 39.4 KB

I went through the setup, and now I’m at the desktop.

Screenshot 2024-06-21 at 09.48.371628×1015 208 KB

At this point, I need to create the mobile account, and make the account an admin. I also want to make sure my IPA user is allowed to perform system updates (this requires the use of sysadminctl like earlier - I don’t do this on my own mac, but I am showing it as an example).

I think I found an error with the encryption types when I use the ktutil command and I read the /etc/krb5.keytab file. It says there are two unknown encryption types.

macos:~ root# ktutil --keytab=/etc/krb5.keytab list | grep companyname.org
  1  unknown (20)             host/macos.companyname.org@COMPANYNAME.ORG  
  1  unknown (19)             host/macos.companyname.org@COMPANYNAME.ORG  
  1  aes256-cts-hmac-sha1-96 host/macos.companyname.org@COMPANYNAME.ORG  
  1  aes128-cts-hmac-sha1-96  host/macos.companyname.org@COMPANYNAME.ORG  

So I ran this as suggested but I get the following error saying the user ipa_user can’t be found even though I manually do a kinit as the ipa_user and get a ticket.

macos:~ root# klist
Credentials cache: API:4A5BA7A1-6ABD-486D-9F3C-E9A72DCFD99A
        Principal: asmith@COMPANYNAME.ORG

  Issued                Expires               Principal
Jun 24 13:23:14 2024  Jun 25 12:27:46 2024  krbtgt/COMPANYNAME.ORG@COMPANYNAME.ORG
macos:~ root# /usr/sbin/sysadminctl -secureTokenOn asmith -password - -adminUser localadmin -adminPassword -
Enter password for localadmin :
2024-06-24 13:24:28.570 sysadminctl[1605:39484] Unknown user asmith

[quote=“nazunalika, post:8, topic:14665”]
ldapsearch -h ipa01.angelsofclockwork.net uid=admin uid

[/quote macos:~ root# ldapsearch -h ipa.fathom.org uid=asmith uid

SASL/GSSAPI authentication started

SASL username: host/macos.companyname.org@COMPANYNAME.ORG

SASL SSF: 112

SASL data security layer installed.

# extended LDIF

#

# LDAPv3

# base <> (default) with scope subtree

# filter: uid=asmith

# requesting: uid

#

# asmith, users, compat, companyname.org

dn: uid=asmith,cn=users,cn=compat,dc=companyname,dc=org

uid: asmith

# asmith, users, accounts, companyname.org

dn: uid=asmith,cn=users,cn=accounts,dc=companyname,dc=org

uid: asmith

# search result

search: 5

result: 0 Success

# numResponses: 3

# numEntries: 2

macos:~ root#

I get the above. What exactly is a compat?

I had already added the ca.crt but tried deleting and adding it again. It adds it but then I need to manually open Keychain access and set it to a trusted certificate.

macos:~ root# sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /etc/ipa/ca.crt
SecTrustSettingsSetTrustSettings: The authorization was denied since no user interaction was possible.

These are the latest errors I am getting from the log stream.

Last login: Mon Jun 24 15:34:05 on console
localadmin@macos ~ % log stream --process opendirectoryd                   
Filtering the log data using "process BEGINSWITH[cd] "opendirectoryd""
Timestamp                       Thread     Type        Activity             PID    TTL  
2024-06-24 15:34:37.512947+0100 0xde8      Activity    0x28a6d              333    0    opendirectoryd: (SystemCache) Kernel: kauth_membership_check
2024-06-24 15:34:37.513475+0100 0xde8      Activity    0x28a6e              333    0    opendirectoryd: (SystemCache) Kernel: kauth_map_identifier
2024-06-24 15:34:40.660246+0100 0xde8      Activity    0x28a6f              333    0    opendirectoryd: (SystemCache) Kernel: kauth_membership_check
2024-06-24 15:34:40.660865+0100 0xde8      Activity    0x2aeb0              333    0    opendirectoryd: (SystemCache) Kernel: kauth_membership_check
2024-06-24 15:34:51.565709+0100 0xbbf7     Default     0x2b4e1              333    0    opendirectoryd: [com.apple.opendirectoryd:session] ODNodeCopySubnodeNames failed with result ODErrorPluginOperationNotSupported
2024-06-24 15:35:05.209768+0100 0xde8      Activity    0x2aeb1              333    0    opendirectoryd: (SystemCache) Kernel: kauth_map_identifier
2024-06-24 15:35:08.197316+0100 0xde8      Activity    0x2aeb2              333    0    opendirectoryd: (SystemCache) Kernel: kauth_membership_check
2024-06-24 15:35:08.197577+0100 0xde8      Activity    0x2aeb3              333    0    opendirectoryd: (SystemCache) Kernel: kauth_membership_check
2024-06-24 15:35:37.709357+0100 0xc854     Default     0x2be89              333    0    opendirectoryd: [com.apple.opendirectoryd:session] getpwnam failed with result Not Found
2024-06-24 15:35:39.353613+0100 0xde8      Activity    0x2aeb4              333    0    opendirectoryd: (SystemCache) Kernel: kauth_membership_check
2024-06-24 15:35:51.375668+0100 0xc854     Default     0x0                  333    0    opendirectoryd: (Network) [com.apple.network:path] nw_path_evaluator_cancel [C6FC11FC-BBC3-4DD4-98BC-82F3D43DBF57] cancel
2024-06-24 15:36:07.816988+0100 0xde8      Activity    0x2aeb5              333    0    opendirectoryd: (SystemCache) Kernel: kauth_map_identifier
2024-06-24 15:36:08.355858+0100 0xde8      Activity    0x2aeb6              333    0    opendirectoryd: (SystemCache) Kernel: kauth_membership_check
2024-06-24 15:36:28.008251+0100 0xde8      Activity    0x2aeb7              333    0    opendirectoryd: (SystemCache) Kernel: kauth_map_identifier

This means the directory utility is unable to sync or perform searches in IPA’s directory. So the user does not exist on the system. This is likely due to a misconfiguration.

The “compat” (compatibility) tree is exactly as it sounds. It’s an entirely separate tree that is generated automagically from current users and groups in cn=accounts that is more or less for “legacy” clients that do not understand rfc2307bis. However, this tree does not provide all users and groups right away, meaning they only show up requested on a search. This is why I avoid using it on mac clients.

Ok so I managed to get everything working now by doing the following.

The issue you’re encountering is due to the presence of unknown encryption types in the Kerberos keytab. These unknown encryption types (with identifiers 19 and 20) correspond to encryption types that might not be recognized by your current Kerberos setup. Here’s a step-by-step guide to fix this issue:

Step 1: Identify the Unknown Encryption Types

Kerberos encryption types are defined by specific numbers. In your output:

• unknown (19) typically corresponds to AES256-CTS-HMAC-SHA384-192 (supported by newer Kerberos implementations).
• unknown (20) typically corresponds to AES128-CTS-HMAC-SHA256-128 (also supported by newer implementations).

Since these types are unknown, it suggests that your Kerberos implementation or the libraries in use do not recognize or support these newer encryption types.

Step 2: Update Kerberos Libraries

Ensure that your Kerberos libraries on the MacOS system are up to date. You can update the libraries using Homebrew if it is installed.

brew update
brew upgrade krb5

Alternatively, ensure that your MacOS system is updated to the latest version, as this can also update the underlying libraries.

Step 3: Regenerate the Keytab File

If updating the libraries does not resolve the issue, you may need to regenerate the keytab file on your FreeIPA server, ensuring it uses supported encryption types.

1. Login to your FreeIPA server:

ssh adminuser@freeipa-server.companyname.org

2. Regenerate the keytab file:

Use the following command to generate a new keytab file with specific encryption types.

ipa-getkeytab -s freeipa-server.companyname.org -p host/macos.companyname.org@COMPANYNAME.ORG -k /tmp/macos.keytab -e aes256-cts,aes128-cts

3. Transfer the keytab to your MacOS system:

scp /tmp/macos.keytab macos-user@macos.companyname.org:/etc/krb5.keytab

Step 4: Verify the Keytab File

On your MacOS system, verify the new keytab file to ensure the unknown encryption types are resolved.

ktutil --keytab=/etc/krb5.keytab list | grep companyname.org

You should see only recognized encryption types such as aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96.

Step 5: Test the Kerberos Authentication

Finally, test the Kerberos authentication to ensure everything is functioning correctly.

kinit host/macos.companyname.org@COMPANYNAME.ORG
klist

If everything is set up correctly, you should see a valid Kerberos ticket.

So I found the above fix using Open AI. Now I have a different issue. When I reboot I am unable to login as the network account even though it’s still listed in /Users/asmith. The only way I am able to get the login working again is to run “kinit host/macos.companyname.org@COMPANYNAME.ORG” so that the host gets a Kerberos ticket. Once I have run this command as the local user and I log out and back in as the network account I am able to work as expected until I log out. I have no idea why this is happening since the account is a network account and an admin user and the IPA server is available even when I can’t log back in. Do you have any idea what could be causing this?

I tried OpenAI again to see if there were any pointers regarding the need to login with a local account to obtain a new Kerberos ticket before each network login and it said the following.

The issue where you need to manually run kinit each time before logging in suggests that the Kerberos ticket is not being automatically acquired or renewed during the login process. This typically indicates a configuration issue with how Kerberos is being handled during the MacOS login.

Here are several steps you can take to ensure that Kerberos tickets are properly managed during login:

### Step 1: Ensure SSSD is Configured Properly
If you are using SSSD (System Security Services Daemon) to manage authentication, ensure it is configured correctly. 

1. **Install SSSD (if not already installed)**:
   ```bash
   brew install sssd

2. Configure SSSD:
   Edit the /etc/sssd/sssd.conf file to include the Kerberos domain and other settings:

   [sssd]
   services = nss, pam
   config_file_version = 2
   domains = companyname.org
   
   [domain/companyname.org]
   id_provider = ipa
   auth_provider = ipa
   chpass_provider = ipa
   ipa_server = _srv_, freeipa-server.companyname.org
   ipa_domain = companyname.org
   krb5_realm = COMPANYNAME.ORG
   krb5_store_password_if_offline = True
   cache_credentials = True
   [pam]
   reconnection_retries = 3
   
   [nss]
   entry_cache_timeout = 300
   

3. Set Permissions:

   sudo chmod 600 /etc/sssd/sssd.conf
   sudo chown root:root /etc/sssd/sssd.conf
   

4. Start and Enable SSSD:

   sudo launchctl load -w /Library/LaunchDaemons/org.freedesktop.sssd.plist
   sudo sssd -i
   

Step 2: Configure PAM to Use Kerberos

Ensure that the Pluggable Authentication Modules (PAM) system is configured to use Kerberos.

1. Edit the PAM Configuration:
   Edit the /etc/pam.d/login file (or /etc/pam.d/sshd if logging in via SSH):

   sudo vim /etc/pam.d/login
   

2. Add the Kerberos Module:
   Add the following lines to ensure Kerberos is used for authentication:

   auth       required     pam_krb5.so
   account    required     pam_krb5.so
   session    optional     pam_krb5.so
   password   required     pam_krb5.so
   

Step 3: Enable Automatic Ticket Renewal

Ensure that Kerberos tickets are automatically renewed.

1. Edit the krb5.conf:
   Edit the /etc/krb5.conf file to enable ticket renewal:

   [libdefaults]
       renew_lifetime = 7d
       forwardable = true
       rdns = false
       default_realm = COMPANYNAME.ORG
       ticket_lifetime = 24h
   

Step 4: Verify and Restart Services

After making these changes, restart the necessary services and verify the configuration:

1. Restart SSSD:

   sudo launchctl unload /Library/LaunchDaemons/org.freedesktop.sssd.plist
   sudo launchctl load /Library/LaunchDaemons/org.freedesktop.sssd.plist
   

2. Restart Kerberos Services:

   sudo launchctl unload /System/Library/LaunchDaemons/com.apple.Kerberos.kdc.plist
   sudo launchctl load /System/Library/LaunchDaemons/com.apple.Kerberos.kdc.plist
   

Step 5: Test the Configuration

1. Reboot the MacOS System to ensure all changes take effect.

2. Attempt Login:

   • Log out and attempt to log back in as a domain user without running kinit manually.
   • If login fails, check the Kerberos tickets and SSSD logs for any errors:

     klist
     sudo tail -f /var/log/sssd/sssd_*.log
     sudo tail -f /var/log/krb5kdc.log
     

Additional Debugging

If the issue persists, consider the following:

1. Review System Logs:
   Check system logs for any errors related to PAM, SSSD, or Kerberos:

   sudo tail -f /var/log/system.log
   

2. Consult FreeIPA Logs:
   Ensure that the FreeIPA server logs do not show any issues with the host or user authentication:

   sudo tail -f /var/log/httpd/error_log
   sudo tail -f /var/log/krb5kdc.log
   

By following these steps, you should be able to configure the system to automatically obtain and renew Kerberos tickets during the login process, resolving the need to manually run kinit before each login.

 The problem with the above recommendations is that there is no sssd package in homebrew and there is no sssd directory on the MacOS OS.

Did you purposely add the extra enctypes to the keytab? As far as I know, types 19 and 20 shouldn’t come up unless you asked for it in ipa-getkeytab.

You shouldn’t have to do this. Ensure you have /etc/krb5.conf configured correctly.

SSSD is part of Linux distributions (EL, Fedora, Ubuntu) and is not part of macOS nor built for it. Mac’s use the directory utility and other software.

This is what I thought regarding SSSD on MacOS.

No, I never added anything extra in terms of encryption types. I double checked the IPA users and there is nothing enabled, not even password.