I know this is absolutely no help to Barry whatsoever, but I absolutely second his question. I'm trying to set up CAC login for Open Directory. I run both the server and the clients, but I can't find any set of instructions beyond Yoann Gini's set, which are very nice, but I haven't been able to get them to work. I can get local account logins to work great with pubkey hash. For one afternoon, I could get my test clients to authenticate to the open directory, but I couldn't log in because the home folder wouldn't mount, and then with no configuration changes, it simply quit working, and I can't get any more test machines to work again. Instruction FAQs would be great! Troubleshooting FAQ would be wonderful as well. Thank you, John
Message: 2 Date: Wed, 02 Jan 2013 11:58:40 -0700 From: "Barry McInnes (NOAA Affiliate)" <barry.j.mcinnes@noaa.gov> To: smartcardservices-users@lists.macosforge.org Subject: [SmartcardServices-Users] CAC Login ? Message-ID: <50E48360.8090805@noaa.gov> Content-Type: text/plain; charset="iso-8859-1"
Hi, I had a quick look through the archives, but could not find anything related. I have installed the Smart Card Services Update 2.0b2-ML-signed package, and the SmartCard is visible when inserted (attached). I selected the optional install of cacloginconfig, but cannot find the CACLoginConfig.plist file. I am trying to authenticate via Active Directory. Is there a FAQ anywhere on how to set this up? thanks barry
Hi John, On 10 Sept. 2013 at 18:38, John Daly <john.l.daly@navy.mil> wrote:
I can get local account logins to work great with pubkey hash. For one afternoon, I could get my test clients to authenticate to the open directory, but I couldn't log in because the home folder wouldn't mount, and then with no configuration changes, it simply quit working, and I can't get any more test machines to work again.
What kind of automount setup do you have? AFP? SMB? NFS? The key thing is, at login time, you need all the information to connect to the mount point as the authenticated user. For example, if it’s an NFS export, you don’t have to use any credentials to connect to your server, just an accepted IP. If it’s AFP or SMB, you have to authenticate as the user to your server, and to do that your computer has to send some credentials. Obviously, you have the username but not the password, so you can’t use a SASL scheme for this step. So, you have to use Kerberos. But before using Kerberos to access your mount point, you need to be sure that you can actually get a TGT with your smartcard. And here, it starts to be somewhat tricky…

The simple way to test your Kerberos setup with a SmartCard is to use kinit on the command line; if you check the man page you can read that:

    -X attribute[=value]
        specify a pre-authentication attribute and value to be interpreted by
        pre-authentication modules. The acceptable attribute and value values
        vary from module to module. This option may be specified multiple
        times to specify multiple attributes. If no value is specified, it is
        assumed to be "yes". The following attributes are recognized by the
        PKINIT pre-authentication mechanism:

        X509_user_identity=value
            specify where to find user's X509 identity information
        X509_anchors=value
            specify where to find trusted X509 anchor information
        flag_RSA_PROTOCOL[=yes]
            specify use of RSA, rather than the default Diffie-Hellman protocol

So, your server has to be PKINIT compatible… Can you check that? If it is, you can read a common Heimdal PKINIT article to be able to obtain a TGT with kinit and your smart card. For information, I’ve never tried that. I will try to take some time to do it… Best regards, Yoann Gini
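The pre-flight check Yoann describes (get a TGT via PKINIT first, then rely on Kerberos for the AFP/SMB home mount), written up as an added shell example that is not from the thread. It assumes Heimdal kinit/klist as shipped with OS X and a PKINIT-enabled KDC; the identity and anchors values are placeholders whose exact form depends on the local smart card setup.

```shell
#!/bin/sh
# Added example, not from the mailing list. Assumes Heimdal kinit/klist and a
# KDC with PKINIT enabled. Identity/anchor locations are placeholders.

# Realm part of a principal: jdoe@EXAMPLE.COM -> EXAMPLE.COM
realm_of() {
  printf '%s\n' "${1#*@}"
}

# Succeed only if klist output on stdin lists a TGT for the realm, i.e. a
# ticket for krbtgt/REALM@REALM. That ticket is the credential a
# Kerberos-authenticated AFP/SMB home mount will need at login.
has_tgt() {
  realm=$1
  grep -qF "krbtgt/$realm@$realm"
}

# Ask the KDC for a TGT with the smart card certificate (PKINIT) instead of
# a password, then confirm the ticket actually landed in the cache before
# attempting the home folder mount.
pkinit_preflight() {
  principal=$1
  identity=$2   # placeholder: where the user's X509 identity lives
  anchors=$3    # placeholder: trusted CA anchors for the card's chain
  realm=$(realm_of "$principal")

  if ! kinit -X "X509_user_identity=$identity" \
             -X "X509_anchors=$anchors" "$principal"; then
    echo "kinit failed: check that the KDC supports PKINIT and that the" \
         "card certificate chains to the given anchors" >&2
    return 1
  fi

  if klist | has_tgt "$realm"; then
    echo "TGT for $realm present; a Kerberos mount of the home folder can proceed"
  else
    echo "kinit returned success but no TGT for $realm is in the cache" >&2
    return 1
  fi
}

# Usage (placeholders):
#   pkinit_preflight 'user@EXAMPLE.COM' '<identity location>' '<CA bundle>'
```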