Hi Alexander, List,

I followed the steps on that blog post, however I am unable to retrieve the ipaNTHash attribute either as that service account or as the admin. Am I missing something?

ldapsearch -Y GSSAPI uid=admin ipaNTHash
SASL/GSSAPI authentication started
SASL username: radius/[email protected]
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=foo,dc=bar> (default) with scope subtree
# filter: uid=admin
# requesting: ipaNTHash
#

# admin, users, compat, foo.bar
dn: uid=admin,cn=users,cn=compat,dc=foo,dc=bar

# admin, users, accounts, foo.bar
dn: uid=admin,cn=users,cn=accounts,dc=foo,dc=bar

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

ldapsearch -Y GSSAPI uid=admin ipaNTHash
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=foo,dc=bar> (default) with scope subtree
# filter: uid=admin
# requesting: ipaNTHash
#

# admin, users, compat, foo.bar
dn: uid=admin,cn=users,cn=compat,dc=foo,dc=bar

# admin, users, accounts, foo.bar
dn: uid=admin,cn=users,cn=accounts,dc=foo,dc=bar

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

Thanks,
Bill Graboyes

On 7/21/15 11:16 AM, Alexander Bokovoy wrote:
> On Mon, 20 Jul 2015, William Graboyes wrote:
>> Hi List,
>>
>> I have run into a snag, I figured I would start here and move
>> forward. I have been searching around for the past 3 or 4 hours
>> looking for some solution to the issue that I am having.
>>
>> We are doing 802.1x against our freeipa servers. While Kerberos
>> auth is working perfectly fine (when used from an android or
>> linux device) however when it comes to Macs (they strive to be
>> different -_-) when using EAP-TTLS (which everything else is
>> perfectly happy to use chap or pap) Mac only uses mschapv2 when
>> using EAP-TTLS.
>>
>> I don't have an active directory to run against, nor do I have
>> samba services running (why would I, there are a total of 5
>> windows boxes in the entire environment).
>>
>> I was wondering if there was some form of a FreeIPA solution to
>> this form of problem (something I may be missing) that will
>> handle the NTLM auth on a linux system.
>>
>> I have found some things that are brutishly old, like kcrap, but
>> nothing seems to fit the bill. I am not against installing
>> samba somewhere (even on the radius servers) to handle this form
>> of authentication, I am just not sure which direction to go for
>> handling this form of auth against FreeIPA. I would much prefer
>> to use PAM or Kerberos, it just doesn't look like that is going
>> to work in this situation.
> Check this blog post: http://firstyear.id.au/entry/22
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
