[Freeipa-users] Mac OS 10.11.4 issue: Cannot change expired Kerberos passwords on GUI login

"Răzvan Corneliu C.R. VILT" razvan.vilt at me.com
Tue May 17 07:29:56 UTC 2016


> I have some questions for the author himself or anyone who has replicated
> his work:
> 
>   - Which OS X versions has this been tested on?

10.6.7 through 10.10.4 (latest Snow Leopard through latest Yosemite in May 2015). The client had two Snow Leopards, one or two Lions, 10 Mountain Lions and the rest were Mavericks slowly upgraded during the project to Yosemite.

>   - Does changing an expired password work on an OS X GUI login?


I don't recall testing it. I recall testing the password change with the Kerberos "Ticket Viewer.app" and from the Users and Groups applet of System Preferences.

>   - Does the LDIF file included in that thread only work for MIT Kerberos
>   or does it also work for Heimdal?


It should work for both. IIRC FreeIPA uses MIT while OS X uses Heimdal.

Let's start with a bit of background:
The project that I worked on was for an all Apple house (50+ of OS X installations, hundreds of iOS and only 2 Windows stations).
It took place between late November 2014 and February 2015 and I monitored it through May 2015.
I am reasonably sure that we haven't set password expiration.
One of the criteria for the project was to actually migrate the original passwords stored in almost clear-text in OpenDirectory to the FreeIPA server (80 lines of code and the /var/db/authdb file).
We've migrated the file sharing to Samba and NetATalk. Samba was a royal pain for LDAP+Kerberos in user mode.
We migrated L2TP/IPSec and PPTP using Winbind for authentication (again with LDAP+Kerberos).
We migrated mail and calendar to Postfix+Dovecot+SOGo.
And we've also migrated a few simple (static) websites.
Mostly unrelated to IPA we also migrated DHCP and DNS. DiscoveryD gave us major headaches.
The interesting part that we've accomplished was that we've managed to do the migration almost transparently because FreeIPA was seen as a Kerberized OD Server. As such, the clients were able to use Kerberized logins to each other's services (local file shares and such).