FreeIPA and macOS Sonoma

My security tab is completely empty. I do not have a DN set.

Perhaps this will work instead. Replace <ipa_user> with your IPA user name and <local_admin_account> with the name of the local admin user on your mac. It’ll ask for passwords interactively.

/usr/sbin/sysadminctl -secureTokenOn <ipa_user> -password - -adminUser <local_admin_account> -adminPassword -

I’m not sure if these are red herrings, but they imply that the Kerberos ticket at /etc/krb5.keytab is not valid. Two things I would verify are the permissions and that you can kinit with the keytab and perform an ldapsearch.

The reason the permissions came to mind is that I didn’t document the proper permissions for Ventura and higher.

lani:~ root# chown root:_keytabusers /etc/krb5.keytab
lani:~ root# chmod 640 /etc/krb5.keytab

You can try to perform an ldapsearch with a keytab like this. Replace your domain/realm and hostname as needed.

lani:~ root# ktutil --keytab=/etc/krb5.keytab list | grep ANGELS
  3  aes256-cts-hmac-sha1-96  host/lani.angelsofclockwork.net@ANGELSOFCLOCKWORK.NET
  3  aes128-cts-hmac-sha1-96  host/lani.angelsofclockwork.net@ANGELSOFCLOCKWORK.NET
lani:~ root# kinit --keytab=/etc/krb5.keytab -f host/lani.angelsofclockwork.net@ANGELSOFCLOCKWORK.NET
lani:~ root# klist
Credentials cache: API:CDA6937B-825F-4B7B-9C41-11AB91C38DFF
        Principal: host/lani.angelsofclockwork.net@ANGELSOFCLOCKWORK.NET

  Issued                Expires               Principal
Jun 21 08:32:11 2024  Jun 22 08:32:11 2024  krbtgt/ANGELSOFCLOCKWORK.NET@ANGELSOFCLOCKWORK.NET
lani:~ root# ldapsearch -h ipa01.angelsofclockwork.net uid=admin uid
SASL/GSSAPI authentication started
SASL username: host/lani.angelsofclockwork.net@ANGELSOFCLOCKWORK.NET
SASL SSF: 112
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: uid=admin
# requesting: uid
#

# admin, users, compat, angelsofclockwork.net
dn: uid=admin,cn=users,cn=compat,dc=angelsofclockwork,dc=net
uid: admin

# admin, users, accounts, angelsofclockwork.net
dn: uid=admin,cn=users,cn=accounts,dc=angelsofclockwork,dc=net
uid: admin

# search result
search: 5
result: 0 Success

# numResponses: 3
# numEntries: 2

What I would suggest, if you are still struggling, is to start completely over. You can do this by clearing out all network servers in users & groups, cleaning the krb5.conf file, and rebooting. The keytab can stay if it is valid.

I’ve found that sometimes starting clean is the best option for solving some of these problems. See below where I perform a clean macOS install with IPA authentication.

I went through my guide on a macOS VM to verify if there is a missing step somewhere.

Setting the hostname and getting the CA.

Creating the host and keytab in IPA.

[label@ipa01 ~]$ ipa host-add macvm.angelsofclockwork.net --force
----------------------------------------
Added host "macvm.angelsofclockwork.net"
----------------------------------------
  Host name: macvm.angelsofclockwork.net
  Principal name: host/macvm.angelsofclockwork.net@ANGELSOFCLOCKWORK.NET
  Principal alias: host/macvm.angelsofclockwork.net@ANGELSOFCLOCKWORK.NET
  Password: False
  Member of host-groups: allhosts
  Indirect Member of netgroup: allhosts
  Keytab: False
  Managed by: macvm.angelsofclockwork.net
[label@ipa01 ~]$ ipa-getkeytab -s ipa01.angelsofclockwork.net -p host/macvm.angelsofclockwork.net -k /tmp/krb5.keytab
Keytab successfully retrieved and stored in: /tmp/krb5.keytab
[label@ipa01 ~]$ chown label:label /tmp/krb5.keytab
[label@ipa01 ~]$

Bringing over the keytab, configuring Kerberos, and testing. (Instead of 600, I use 640 and root:_keytabusers; I believe I forgot to document this properly.)

Screenshot 2024-06-21 at 09.08.09
Screenshot 2024-06-21 at 09.12.22
Screenshot 2024-06-21 at 09.12.39

I left PAM configured with the defaults for now. We’re just trying to log in as an IPA user.

Adding one of my IPA servers to the users & groups settings. This shows green, so it’s connected.

Screenshot 2024-06-21 at 09.17.20

I open the directory utility and click the “lock”. I click LDAP, click the pencil. Here I set the mappings to rfc2307 and put in my base DN. Here I purposely use cn=accounts,… because I have a compat tree and don’t want that to be used.

Screenshot 2024-06-21 at 09.19.24

Clicked edit, went to search & mappings, and made the relevant changes. Also verified the search policy.


On the lock screen, I turned on “name and password”.

I verified dscacheutil sees the user.

Screenshot 2024-06-21 at 09.29.28

I go ahead and log out, and at this point I try to log in with my IPA user for the first time. It takes a moment, but I am eventually given the beginning setup screen.

Screenshot 2024-06-21 at 09.30.53

I went through the setup, and now I’m at the desktop.

At this point, I need to create the mobile account, and make the account an admin. I also want to make sure my IPA user is allowed to perform system updates (this requires the use of sysadminctl like earlier - I don’t do this on my own mac, but I am showing it as an example).

Screenshot 2024-06-21 at 09.53.11
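The two checks the post recommends (keytab ownership/mode of root:_keytabusers 0640, then kinit with the keytab and a GSSAPI ldapsearch) as one added shell helper; this is example code written for this page, not part of the original post or of FreeIPA. It parses ls -ld rather than stat(1) so the same function works on macOS and Linux, and the auth check uses the Heimdal kinit and ldapsearch invocations shown above. The keytab, principal and server arguments are assumptions you replace with your own.

```shell
# Verify keytab ownership and mode. Arguments: keytab path, expected owner,
# expected group (defaults match the post: /etc/krb5.keytab, root, _keytabusers).
# Returns 0 when everything matches, 1 on a mismatch, 2 if the file is missing.
check_keytab_perms() {
  keytab=${1:-/etc/krb5.keytab}
  want_owner=${2:-root}
  want_group=${3:-_keytabusers}
  [ -f "$keytab" ] || { echo "missing: $keytab"; return 2; }
  set -- $(ls -ld "$keytab")   # fields: mode links owner group size date... name
  perms=${1%[@+]}              # macOS appends @ (xattrs) or + (ACL) to the mode string
  owner=$3
  group=$4
  rc=0
  [ "$owner" = "$want_owner" ] || { echo "owner is $owner, expected $want_owner"; rc=1; }
  [ "$group" = "$want_group" ] || { echo "group is $group, expected $want_group"; rc=1; }
  case $perms in
    -rw-r-----) ;;   # 640: owner read/write, group read, no world access
    *) echo "mode is $perms, expected -rw-r----- (640)"; rc=1 ;;
  esac
  return $rc
}

# Authenticate with the keytab and run the same GSSAPI ldapsearch as in the post.
# Arguments: keytab path, host principal, IPA server hostname (all assumed values).
# Requires the macOS (Heimdal) kinit and ldapsearch on PATH; not exercised offline.
check_keytab_auth() {
  keytab=$1; princ=$2; server=$3
  kinit --keytab="$keytab" -f "$princ" || { echo "kinit failed for $princ"; return 1; }
  ldapsearch -h "$server" uid=admin uid | grep -q '^result: 0 Success' \
    || { echo "GSSAPI ldapsearch against $server failed"; return 1; }
  echo "keytab OK: $princ authenticated to $server"
}
```

Typical use on the Mac from the post: `check_keytab_perms && check_keytab_auth /etc/krb5.keytab host/lani.angelsofclockwork.net@ANGELSOFCLOCKWORK.NET ipa01.angelsofclockwork.net`.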