Dual Auth Access on OS X
Authenticating Macs to ACCESS/WIN & DCE.PSU.EDU
Rusty Myers -- [email protected]
P. Gallagher -- [email protected]
Friday, May 3, 13
Idea!
The idea is to use the admin_ accounts on ACCESS/WIN
and also to have DCE.PSU.EDU (Kerberos) authentication work for all other users
So how??
Bind Mac to ACCESS/WIN Domain
Add LDAP entry for DIRAPPS + configure
Right??
Wrong!!
The issue is that once you bind to ACCESS/WIN (or any AD domain, for that matter) the AD plugin takes over authentication and will not fail over to any other directory #evil
Solution? well sorta...
Allows you to utilize admin_ accounts on ACCESS/WIN domain
Allows you to utilize ALL accounts on DCE.PSU.EDU
The Steps!
What you really want....right?
Step #1
Setup DIRAPPS https://wikispaces.psu.edu/display/clcmaclinuxwikipublic/Mountain+Lion+Authentication+Configuration
Step #1
1. Configure Kerberos for authentication
2. Configure LDAP for authorization
3. Test logins
4. Additional system changes
   1. LoginWindow StartupDelay
   2. Screen saver/authentication (/etc/pam.d/screensaver & /etc/pam.d/authorization)
Step #1
/etc/pam.d/authorization
# authorization: auth account
auth sufficient pam_krb5.so use_first_pass
auth optional pam_ntlm.so use_first_pass
auth required pam_opendirectory.so use_first_pass
account required pam_opendirectory.so
Step #2
Ensure DNS is correct!
128.118.25.3
128.118.3.5
128.118.193.174
Step #3
Add admin_ accounts to Users & Groups
You're thinking: how are local accounts going to authenticate off of ACCESS/WIN? Am I right??
Step #4
Edit the user in Directory Utility -- change AuthenticationAuthority to ;Kerberosv5;;[email protected];ACCESS.PSU.EDU;
Delete the Password field
Review
1. Setup DIRAPPS
2. Ensure DNS is correct
3. Add admin_ accounts
4. Edit accounts in Directory Utility
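A check for Steps #1 and #4, added here as an example script that is not part of the slides: it verifies that a pam.d authorization file carries exactly the auth stack shown above (Kerberos sufficient, NTLM optional, Open Directory required) and that an AuthenticationAuthority value is well formed before it is written to a user record. The function names, the temp file and the user admin_example are constructed for the example.

```shell
# Added example, not from the slides: sanity-check a pam.d "authorization" file
# against the deck's auth stack and validate an AuthenticationAuthority value.
# write_sample_pam FILE: writes a constructed copy of the deck's stack (test input).
write_sample_pam() {
    cat > "$1" <<'EOF'
# authorization: auth account
auth sufficient pam_krb5.so use_first_pass
auth optional pam_ntlm.so use_first_pass
auth required pam_opendirectory.so use_first_pass
account required pam_opendirectory.so
EOF
}
# check_pam_auth FILE: prints "ok" (exit 0) only when the auth lines are exactly
# krb5 sufficient -> ntlm optional -> opendirectory required, each with
# use_first_pass, and an opendirectory account line exists. Order matters:
# "sufficient" lets a Kerberos success end the stack early, while the
# "required" Open Directory line is the fallback for accounts Kerberos rejects.
check_pam_auth() {
    awk '
        $1 == "auth" { n++; ctl[n] = $2; mod[n] = $3; opt[n] = $4 }
        $1 == "account" && $2 == "required" && $3 == "pam_opendirectory.so" { acct = 1 }
        END {
            wc[1] = "sufficient"; wm[1] = "pam_krb5.so"
            wc[2] = "optional";   wm[2] = "pam_ntlm.so"
            wc[3] = "required";   wm[3] = "pam_opendirectory.so"
            if (n != 3) { print "expected 3 auth lines, found " n; exit 1 }
            for (i = 1; i <= 3; i++)
                if (ctl[i] != wc[i] || mod[i] != wm[i] || opt[i] != "use_first_pass") {
                    print "auth line " i " should be: auth " wc[i] " " wm[i] " use_first_pass"
                    exit 1
                }
            if (!acct) { print "missing: account required pam_opendirectory.so"; exit 1 }
            print "ok"
        }' "$1"
}
# check_auth_authority VALUE: prints "ok" when VALUE is ;Kerberosv5;;user@REALM;REALM;
# and the realm in the principal matches the trailing realm field.
check_auth_authority() {
    case "$1" in
        ";Kerberosv5;;"*"@"*";"*";") ;;
        *) echo "not of the form ;Kerberosv5;;user@REALM;REALM;"; return 1 ;;
    esac
    rest=${1#;Kerberosv5;;}                    # user@REALM;REALM;
    principal=${rest%%;*}                      # user@REALM
    realm=${rest#*;}; realm=${realm%;}         # REALM
    [ "${principal#*@}" = "$realm" ] || { echo "realm mismatch: $principal vs $realm"; return 1; }
    echo "ok"
}
```

Run check_pam_auth against /etc/pam.d/authorization on a configured Mac; a non-"ok" line names the first auth entry that deviates from the stack above.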
What this will not allow you to do...
This will NOT allow you to authenticate ALL accounts from both ACCESS/WIN and DCE.PSU.EDU (coming soon!...hopefully!)