Dual Auth Access on OS X

Authenticating Macs to ACCESS/WIN & DCE.PSU.EDU

Rusty Myers -- [email protected] P. Gallagher -- [email protected]

Friday, May 3, 13

mailto:[email protected]




Idea!

Idea would be to utilize admin_ accounts on ACCESS/WIN

Also be able for DCE.PSU.EDU (kerberos) authentication to work for all other users

Friday, May 3, 13

So how??

Bind Mac to ACCESS/WIN Domain

Add LDAP entry for DIRAPPS + configure

Right??

Friday, May 3, 13

Wrong!!

Issue is that when you bind to ACCESS/WIN (or AD for that matter) it automatically takes over and won’t do any type of failover #evil

Friday, May 3, 13

Solution? well sorta...

Allows you to utilize admin_ accounts on ACCESS/WIN domain

Allows you to utilize ALL accounts on DCE.PSU.EDU

Friday, May 3, 13

The Steps!

What you really want....right?

Friday, May 3, 13

Step #1

Setup DIRAPPS https://wikispaces.psu.edu/display/clcmaclinuxwikipublic/Mountain+Lion+Authentication+Configuration

Friday, May 3, 13

https://wikispaces.psu.edu/display/clcmaclinuxwikipublic/Mountain+Lion+Authentication+Configuration






Step #11.Configure Kerberos for authentication

2.Configure LDAP for Authorization

3.Test Logins

4.Additional System Changes

1.LoginWindow StartupDelay

2.Screen Saver/Authentication (/etc/pam.d/screensaver & /etc/pam.d/authorization)

Friday, May 3, 13

Step #1

/etc/pam.d/authorization

# authorization: auth account

auth sufficient pam_krb5.so use_first_pass

auth optional pam_ntlm.so use_first_pass

auth required pam_opendirectory.so use_first_pass

account required pam_opendirectory.so

Friday, May 3, 13

Step #2

Ensure DNS is correct!

128.118.25.3

128.118.3.5

128.118.193.174

Friday, May 3, 13

Step #3

Add admin_ accounts to Users & Groups

Your thinking...How are local accounts going to auth off of ACCESS/WIN...am I right??

Friday, May 3, 13

Step #4

Edit user in Directory Utility -- Change AuthenticationAuthority to;Kerberosv5;;[email protected];ACCESS.PSU.EDU;)

Delete password field

Friday, May 3, 13





Step #4

Friday, May 3, 13

Review

1.Setup DIRAPPS

2.Ensure DNS is correct

3.Add admin_ accounts

4.Edit accounts in Directory Utility

Friday, May 3, 13

What this will not allow you to do...

This will NOT allow you to authenticate ALL accounts from both ACCESS/WIN and DCE.PSU.EDU (coming soon!...hopefully!)

Friday, May 3, 13

Questions?

Rusty Myers -- [email protected] P. Gallagher -- [email protected]

Friday, May 3, 13





Dual Auth Access on OS X

Technology

local accounts

accesswin domain

auth account auth sufficient

pass auth optional

pass account

kerberos authentication

setup dirapps https

rusty myers