Ubuntu 12.04 Ultimate Server Guide

Part 9: Connecting Mac OS X Clients

This guide is for OS X 10.8 (Mountain Lion). The implementation of Kerberos in 10.7 and above has changed drastically from previous versions of OS X. Before you begin, please make sure you are running the most up to date version of OS X.

It’s easiest to start with a fresh install and just a single local user account (adminlocal).

Changes to the Server

In order for your Ubuntu server to allow OS X clients to connect, we need to modify /etc/krb5.conf slightly by adding the following to the [libdefaults] section. This setting lets the KDC use the single-DES encryption types that MIT Kerberos otherwise refuses, which is what these clients need; it does lower the strength of the tickets the realm issues, so it belongs only on realms that have to serve such clients.

allow_weak_crypto = true

So the top of /etc/krb5.conf on the server (neo) should now look something like this:

[libdefaults]
        default_realm = DANBISHOP.ORG

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        allow_weak_crypto = true

That’s it… restart the server and you’re ready to connect your first OS X client.
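The edit above is small enough to make by hand, but if the KDC is provisioned by a script it is worth making the change idempotent, so that a second run never leaves two allow_weak_crypto lines behind. The helper below is an added example and not part of the original guide: it inserts or updates one key under [libdefaults] using only sh and awk, is demonstrated on a constructed copy of the server's file, and assumes the "key = value" spacing used in the file above.

```shell
#!/bin/sh
# Added example, not part of the original guide: idempotently add or update a
# "key = value" line inside the [libdefaults] section of a krb5.conf-style
# file, so re-running a provisioning script never duplicates the setting.
# Assumes lines are written "key = value" with spaces, as in the guide's file.
set -eu

# set_libdefaults_option FILE KEY VALUE
set_libdefaults_option() {
    file=$1
    key=$2
    value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        # A [section] header: if we are leaving [libdefaults] without having
        # written the key yet, emit it just before the new header.
        /^[ \t]*\[[^]]*\][ \t]*$/ {
            if (in_lib && !done) { print "        " key " = " value; done = 1 }
            in_lib = ($0 ~ /^[ \t]*\[libdefaults\][ \t]*$/)
            if (in_lib) seen_lib = 1
            print; next
        }
        # Key already present in [libdefaults]: rewrite it, keeping indentation.
        in_lib && $1 == key && $2 == "=" {
            match($0, /^[ \t]*/)
            print substr($0, 1, RLENGTH) key " = " value
            done = 1; next
        }
        { print }
        END {
            if (!done) {
                # [libdefaults] was the last section, or there was none at all.
                if (!seen_lib) print "[libdefaults]"
                print "        " key " = " value
            }
        }
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# get_libdefaults_value FILE KEY: print the value of KEY inside [libdefaults]
get_libdefaults_value() {
    awk -v key="$2" '
        /^[ \t]*\[[^]]*\][ \t]*$/ { in_lib = ($0 ~ /\[libdefaults\]/); next }
        in_lib && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Demonstration on a constructed copy of the guide's server-side file
# (a temporary file, so /etc/krb5.conf is never touched by this example).
demo=$(mktemp)
cat > "$demo" <<'EOF'
[libdefaults]
        default_realm = DANBISHOP.ORG
        forwardable = true
        proxiable = true

[realms]
        DANBISHOP.ORG = {
                kdc = neo.danbishop.org
        }
EOF
set_libdefaults_option "$demo" allow_weak_crypto true
set_libdefaults_option "$demo" allow_weak_crypto true   # second run is a no-op
echo "allow_weak_crypto is now: $(get_libdefaults_value "$demo" allow_weak_crypto)"
echo "lines mentioning it: $(grep -c allow_weak_crypto "$demo")"
rm -f "$demo"
```

To apply it to the real server, call set_libdefaults_option /etc/krb5.conf allow_weak_crypto true as root (and back the file up first); because the function rewrites the file with mv, run it on a copy if you want to diff the result before restarting the KDC.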

Kerberos Configuration

Firstly, we’re going to create a /etc/krb5.conf file so that OS X knows how to talk to our Kerberos server.

sudo nano /etc/krb5.conf

Paste the following into the file:

[libdefaults]
    ticket_lifetime = 36000
    default_realm = DANBISHOP.ORG
    allow_weak_crypto = TRUE
    noaddresses = TRUE
    forwardable = TRUE

[realms]
    DANBISHOP.ORG = {
        kdc = neo.danbishop.org
        admin_server = neo.danbishop.org
        default_domain = DANBISHOP.ORG
    }

[domain_realm]
    .danbishop.org = DANBISHOP.ORG
    danbishop.org = DANBISHOP.ORG

Now we need to tell OS X to use Kerberos as an authentication method. We do this by editing /etc/pam.d/authorization.

sudo nano /etc/pam.d/authorization

You might want to back up the original first just in case, then replace it with the following:

# authorization: auth account
auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
auth       sufficient     pam_krb5.so use_first_pass default_principal
auth       optional       pam_ntlm.so use_first_pass
auth       required       pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so

That’s Kerberos sorted!

LDAP Configuration

Now OS X needs to know where to find our LDAP server and how to read from it. This is done using System Preferences > Users & Groups.

Select Login Options from the left hand pane and click the padlock to allow changes.

The first thing to do is to set “display login window as” to “Name and Password”. Then hit the Join button by Network Account Server.

When prompted for a server, enter neo.danbishop.org.

[Screenshot: Add LDAP server to OS X]

Hit OK and OS X will attempt to get the server’s information. You will be warned about the server not providing a secure (SSL) connection. Click Continue.

Your server address will appear with a green dot to show it is connected and an edit button to the right. Click “Edit…” then hit “Open Directory Utility…”

Switch to the Services tab in Directory Utility and click the lock to make changes. Then double click on LDAPv3 to edit its settings.

[Screenshot: Edit LDAPv3 settings in OS X]

Under LDAP Mappings where “From Server” is currently selected, click the dropdown and select “RFC2307”. You will be prompted to supply a search base suffix.

[Screenshot: Supply the search base suffix for LDAP on Mac OS X]

Enter dc=danbishop,dc=org and hit OK. Hit OK again and then close Directory Utility.
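Before logging out and trying a network login, it helps to verify the pieces configured above from a terminal on the client. The script below is an added example and not from the guide: it reads the default realm and that realm's KDC out of /etc/krb5.conf, checks that the KDC name resolves and that tcp/88 (KDC), tcp/749 (kadmin) and tcp/389 (LDAP, on the same host in this setup) accept connections, confirms pam_krb5.so is still listed as "sufficient" in /etc/pam.d/authorization, and, if KRB_TEST_USER is set, finishes with kinit and klist. It assumes the "key = value" spacing used in the files above, an nslookup binary, and an nc that accepts -z and -w (the BSD nc shipped with OS X and Ubuntu does). A TCP probe of port 88 only shows the KDC is listening; clients usually try UDP 88 first, so a closed TCP port is a strong hint of a problem while an open one is not a full proof.

```shell
#!/bin/sh
# Added example, not from the original guide: a pre-flight check for the OS X
# client configuration (krb5.conf, PAM, LDAP on the same host as the KDC).
# Assumptions: "key = value" spacing as in the guide's files, nslookup present,
# and an nc that accepts -z/-w. Parsing helpers run offline; live checks only
# run when the script is invoked with --run.
set -eu

# krb_default_realm FILE: value of default_realm in [libdefaults]
krb_default_realm() {
    awk '
        /^[ \t]*\[[^]]*\][ \t]*$/ { in_lib = ($0 ~ /\[libdefaults\]/); next }
        in_lib && $1 == "default_realm" && $2 == "=" { print $3; exit }
    ' "$1"
}

# krb_kdc_for_realm FILE REALM: first "kdc = ..." inside REALM's [realms] block
krb_kdc_for_realm() {
    awk -v realm="$2" '
        /^[ \t]*\[[^]]*\][ \t]*$/ { in_realms = ($0 ~ /\[realms\]/); next }
        in_realms && $1 == realm && $2 == "=" && $3 == "{" { in_block = 1; next }
        in_block && /^[ \t]*}/ { in_block = 0 }
        in_block && $1 == "kdc" && $2 == "=" { print $3; exit }
    ' "$1"
}

# kdc_host / kdc_port: split an optional ":port" suffix; Kerberos defaults to 88
kdc_host() { printf '%s\n' "${1%%:*}"; }
kdc_port() { case $1 in *:*) printf '%s\n' "${1##*:}" ;; *) echo 88 ;; esac; }

# pam_uses_krb5 FILE: succeed if an "auth sufficient pam_krb5.so" line exists
pam_uses_krb5() {
    grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_krb5\.so' "$1"
}

# tcp_open HOST PORT: succeed if a TCP connection is accepted within 3 seconds
tcp_open() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }

# check_client [KRB5_CONF] [PAM_FILE]: run every check and print a report
check_client() {
    conf=${1:-/etc/krb5.conf}
    pam=${2:-/etc/pam.d/authorization}
    realm=$(krb_default_realm "$conf")
    kdc=$(krb_kdc_for_realm "$conf" "$realm")
    if [ -z "$kdc" ]; then
        echo "no kdc entry for realm '$realm' in $conf"
        return 1
    fi
    host=$(kdc_host "$kdc")
    port=$(kdc_port "$kdc")
    echo "realm=$realm kdc=$host"
    if nslookup "$host" >/dev/null 2>&1; then
        echo "DNS: $host resolves"
    else
        echo "DNS: $host does not resolve (check dnsmasq / the client's resolver)"
    fi
    for p in "$port" 749 389; do
        if tcp_open "$host" "$p"; then
            echo "tcp/$p: open"
        else
            echo "tcp/$p: closed or filtered"
        fi
    done
    if pam_uses_krb5 "$pam"; then
        echo "PAM: pam_krb5.so is sufficient in $pam"
    else
        echo "PAM: no 'auth sufficient pam_krb5.so' line in $pam"
    fi
    # End-to-end test: obtain a ticket for the named user (prompts for password).
    if [ -n "${KRB_TEST_USER:-}" ]; then
        kinit "$KRB_TEST_USER@$realm"
        klist
    fi
}

if [ "${1:-}" = "--run" ]; then
    check_client
fi
```

Save it as, say, check-client.sh (a name chosen for this example) and run KRB_TEST_USER=someuser sh check-client.sh --run; the report lines name the exact file or port that needs attention, which is quicker than reading kinit's generic "cannot contact any KDC" failure.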

TO BE CONTINUED

  • Christian Oswald

    Hello,
    it’s a very useful tutorial and I learned a lot from it.
    I also had the problem with “Error adding group domainusers to LDAP” and in my case I solved it by switching TLS off in the LDAP server. I did it with webmin because I can’t find the correct place for it in the configuration files. I think it depends on the defaults of the Ubuntu installation (in my case 14.04).
    But I also have a problem with the Kerberos authentication. It works nicely on the server (kadmin.local runs, kinit brings a ticket …) but from a client I always get the error “kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface”.
    I have reinstalled everything, checked the configuration files of dnsmasq, krb5 … nothing helps, no firewall is running …
    I have tested a lot – ping and nslookup work and give the correct server. But nmap said that only port 749 is open on the server, while kdc.conf says that ports 750 and 88 are used. I don’t know if it’s important.
    Has anyone any idea of the reason for this error?

    Thanks,
    Christian

  • Jezzirolk

    Hey Dan, I have used your guides a few times and they are great. They still work with 14.04; I don’t think there was any tweaking I really had to do. I have a question though: is there a reason you disabled cache_credentials? Not saying there aren’t possible security reasons, but I was more curious if there were other technical reasons, because when connecting a laptop it is proving to make this a bit harder.

    –jezzirolk

    • danbishop88

      Hi Jezzirolk,

      I believe my reason for this was to do with: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1039151

      Basically, without it SSSD tends to come up before your network connection. This forces it into “offline” mode and it won’t even try to reconnect to your ldap/kerberos server until two minutes have elapsed. This prevents anyone from logging in for the full two minutes.

      A better workaround is listed in that thread, which is forcing the login screen to wait for the network to come up before appearing. I intend to move to that if I ever get round to finishing my 14.04 guide.

      Hope that helps…

      Dan

      • Jezzirolk

        Hey Dan,
        this still doesn’t really solve the issues I think; waiting for the network doesn’t do much for my case of a laptop. If I am off site it still won’t connect properly unless you try to use cached credentials. Are we saying use cached credentials and then wait for the network so as to prevent the false negative of “cannot connect to LDAP server”? If that’s the case that might work.

        I guess the better question is, if I log in offline, how does reconnecting work once we end up back on a network with access to the server?

        Any thoughts on this, and on how to deal with the NFS mounts for laptops or systems that end up off site?

        –jezzirolk