FreeIPA/macOS PAM configuration and UI privilege elevation #23

Open
drjhe opened this issue Aug 1, 2021 · 1 comment

Comments

@drjhe

drjhe commented Aug 1, 2021

In el/freeipa.rst → Client Setup → Mac Clients: it might be worth noting that the PAM configuration shown can interfere with the macOS GUI's privilege elevation system. For example, in the following sequence assume we have a Mac with a local admin user, configured to authenticate against FreeIPA as shown.

  1. Log in as a FreeIPA user without admin status. Use klist to note the Kerberos tickets.
  2. Open the System Settings, and do something that requires local admin privileges (or try to install an application).
  3. Authenticate as the admin.
  4. Check klist again -- note that the default ticket cache has been changed. Running kinit is needed to get back to the FreeIPA user's tickets.

As a workaround for this, on my Mac I use the default PAM configuration files and a third party tool to obtain a TGT on login (io.github.hamstergene.ticket-renewer -- I'm not aware of any other such tools, or something like sss built in to macOS). Downside is this requires manual password sync, but I find it's needed anyway even with PAM adjustments to refresh the tickets periodically.

@nazunalika
Owner

While I'm open to documenting this behavior, is using kswitch not sufficient? If your ticket is indeed changing after using system settings, a kswitch should allow you to just switch back.
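The following script is an added illustration of the reproduction steps in the report and of the kswitch suggestion in the reply; it is not code from either participant or from the documentation repository. It records which principal owns the default Kerberos ticket cache before a GUI privilege elevation, checks again afterwards, and prints (and, with `--run`, executes) the `kswitch -p` command that returns to the FreeIPA user's cache. The klist output formats it parses (Heimdal's `Principal:` line as used by macOS, and MIT's `Default principal:` line) and the sample principals in the comments are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the issue thread or the repository it refers to.
# Records the principal of the default Kerberos ticket cache before a macOS
# GUI privilege elevation and restores it with kswitch afterwards.

# Read klist output on stdin and print the principal that owns the default
# cache. Handles Heimdal ("Principal:", macOS) and MIT ("Default principal:")
# formats; assumption: the first such line describes the default cache.
klist_principal() {
    awk '/^[[:space:]]*(Default )?[Pp]rincipal:/ { print $NF; exit }'
}

# True (exit 0) when the current default-cache principal differs from the one
# recorded earlier, i.e. the GUI authentication switched the default cache.
# An empty recorded principal (no cache before) is never treated as a change.
cache_changed() {
    recorded="$1"
    current="$2"
    [ -n "$recorded" ] && [ "$recorded" != "$current" ]
}

# Print the kswitch command line needed to return to the recorded principal,
# or nothing when the default cache is unchanged. Nothing is executed here so
# the decision can be inspected (and tested) on its own.
restore_command() {
    recorded="$1"
    current="$2"
    if cache_changed "$recorded" "$current"; then
        printf 'kswitch -p %s\n' "$recorded"
    fi
}

# Live mode: run on the Mac itself with "--run". Captures the cache owner,
# waits while you authenticate as the local admin in System Settings, then
# switches back if the default cache moved (constructed flow for this example).
if [ "${1:-}" = "--run" ] && command -v klist >/dev/null 2>&1; then
    before=$(klist 2>/dev/null | klist_principal)
    printf 'Default cache principal before elevation: %s\n' "${before:-<none>}"
    printf 'Now authenticate in System Settings, then press Enter.\n'
    read -r _unused
    after=$(klist 2>/dev/null | klist_principal)
    cmd=$(restore_command "$before" "$after")
    if [ -n "$cmd" ]; then
        printf 'Default cache is now %s; restoring with: %s\n' "$after" "$cmd"
        $cmd
    else
        printf 'Default cache unchanged (%s).\n' "${after:-<none>}"
    fi
fi
```

Comparing the principal rather than the cache name (the `API:` or `KCM:` identifier) is deliberate: after an admin authentication the identifier of the default cache can change while the FreeIPA user's own cache still exists, and `kswitch -p` selects by principal, which is exactly the value you want to get back to without a fresh kinit.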
