Authenticating Macs to ACCESS/WIN & DCE.PSU.EDU Rusty Myers -- [email protected] Scott P. Gallagher -- [email protected] Friday, May 3, 13
Aug 03, 2015
Idea!
Idea would be to utilize admin_ accounts on ACCESS/WIN
Also allow DCE.PSU.EDU (Kerberos) authentication to work for all other users
So how??
Bind Mac to ACCESS/WIN Domain
Add LDAP entry for DIRAPPS + configure
Right??
Wrong!!
Issue is that when you bind to ACCESS/WIN (or AD for that matter) it automatically takes over and won’t do any type of failover #evil
Solution? well sorta...
Allows you to utilize admin_ accounts on ACCESS/WIN domain
Allows you to utilize ALL accounts on DCE.PSU.EDU
The Steps!
What you really want....right?
Step #1
Set up DIRAPPS: https://wikispaces.psu.edu/display/clcmaclinuxwikipublic/Mountain+Lion+Authentication+Configuration
Step #1
1. Configure Kerberos for authentication
2. Configure LDAP for Authorization
3. Test Logins
4. Additional System Changes
   1. LoginWindow StartupDelay
   2. Screen Saver/Authentication (/etc/pam.d/screensaver & /etc/pam.d/authorization)
Step #1
/etc/pam.d/authorization
# authorization: auth account
auth sufficient pam_krb5.so use_first_pass
auth optional pam_ntlm.so use_first_pass
auth required pam_opendirectory.so use_first_pass
account required pam_opendirectory.so
Step #2
Ensure DNS is correct!
128.118.25.3
128.118.3.5
128.118.193.174
Step #3
Add admin_ accounts to Users & Groups
You're thinking... How are local accounts going to auth off of ACCESS/WIN... am I right??
Step #4
Edit user in Directory Utility -- Change AuthenticationAuthority to ;Kerberosv5;;[email protected];ACCESS.PSU.EDU;)
Delete password field
Step #4
Review
1. Set up DIRAPPS
2. Ensure DNS is correct
3. Add admin_ accounts
4. Edit accounts in Directory Utility
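A post-setup check for the /etc/pam.d/authorization stack from Step #1 and the AuthenticationAuthority value from Step #4, as an added example that is not from the original slides. The account name admin_example, the account@REALM principal form and the function names are assumptions; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the slides). Sample inputs below are constructed.

# Build the AuthenticationAuthority value in the form shown in Step #4.
# Assumption: the principal is <account>@<REALM>.
krb_authority() {   # $1 = account name, $2 = Kerberos realm
    printf ';Kerberosv5;;%s@%s;%s;' "$1" "$2" "$2"
}

# Read an account's AuthenticationAuthority text on stdin and classify it.
# Prints one of: ok, local-hash-present, not-kerberos. Returns 0 only for ok.
check_authority() {   # $1 = account name, $2 = Kerberos realm
    want=$(krb_authority "$1" "$2")
    data=$(cat)
    case $data in
        *';ShadowHash;'*) echo "local-hash-present"; return 1 ;;  # not fully switched over
        *"$want"*)        echo "ok"; return 0 ;;
    esac
    echo "not-kerberos"; return 1
}

# Read a PAM stack on stdin. Succeeds only if the "sufficient" pam_krb5 auth
# line precedes the "required" pam_opendirectory auth line and an
# opendirectory account line exists, as in the slide's file.
check_pam() {
    awk '
        $1 == "auth" && $2 == "sufficient" && $3 == "pam_krb5.so" && !krb { krb = NR }
        $1 == "auth" && $2 == "required" && $3 == "pam_opendirectory.so" && !od { od = NR }
        $1 == "account" && $3 == "pam_opendirectory.so" { acct = 1 }
        END { exit !(krb && od && krb < od && acct) }
    '
}

# Constructed demo input: the PAM stack from the slide.
SAMPLE_PAM='# authorization: auth account
auth sufficient pam_krb5.so use_first_pass
auth optional pam_ntlm.so use_first_pass
auth required pam_opendirectory.so use_first_pass
account required pam_opendirectory.so'

if printf '%s\n' "$SAMPLE_PAM" | check_pam; then echo "PAM stack: ok"; else echo "PAM stack: unexpected"; fi
printf '%s\n' ';Kerberosv5;;admin_example@ACCESS.PSU.EDU;ACCESS.PSU.EDU;' |
    check_authority admin_example ACCESS.PSU.EDU || true
```

On a configured Mac, feed in the real data instead: `check_pam < /etc/pam.d/authorization` and `dscl . -read /Users/admin_example AuthenticationAuthority | check_authority admin_example ACCESS.PSU.EDU`.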
What this will not allow you to do...
This will NOT allow you to authenticate ALL accounts from both ACCESS/WIN and DCE.PSU.EDU (coming soon!...hopefully!)