On 23/05/2019 16:43, Sumit Bose via FreeIPA-users wrote:
> On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users wrote:
>> On 23/05/2019 14:56, Rob Crittenden wrote:
>>> lejeczek via FreeIPA-users wrote:
>>>> hi guys,
>>>>
>>>> reading official guide one may assume - I do - that "Using SSH Without
>>>> Passwords" should work out-of-box (centos 7.6) - is such assumption valid?
>>>>
>>>> For me this does not work - ssh still asks for passwords.
>>>>
>>>> If this is due to some failure/problem, then where to look and how to
>>>> troubleshoot?
>>> It's hard to know what you're doing, ssh from where to where, using what?
>>>
>>> rob
>> I made an assumption - which I see now was invalid - that some experts
>> may know mentioned guide by heart and if I quoted something then the
>> rest will be obvious - wrong, sorry.
>>
>> "Using SSH Without Passwords" is a paragraph of "Using SSH from Active
>> Directory Machines for IdM Resources" which is about Kerberos I understand.
>>
>> My hope was to have AD's clients be able to ssh (and maybe get to other
>> things like Samba) without password and with Kerberos.
>>
>> I see IPA's users can do that between IPA's servers
>>
>> ...
>>
>> debug1: PAM: initializing for "tester1"
>> debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
>> debug1: PAM: setting PAM_TTY to "ssh"
>> debug1: userauth-request for user tester1 service ssh-connection method gssapi-with-mic [preauth]
>> debug1: attempt 1 failures 0 [preauth]
>> Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2 [preauth]
>> debug1: Got no client credentials
>> debug1: ssh_gssapi_k5login_exists: Checking existence of file /home/tester1/.k5login
>> Authorized to tester1, krb5 principal tester1@private (ssh_gssapi_krb5_cmdok)
>> debug1: do_pam_account: called
>> Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
>> ...
>>
>> But a Win10Pro which is AD member which I'm trying, when ssh as AD's
>> user then I do not see above in the logs and such ssh (Win10 own feature)
>> is asked for password.
>>
>> To sum up: AD's users off/from Win AD win-stations to IPA's
>> members/clients with Kerberos if possible. (trust is already established
>> and running)
> Hi,
>
> having a trust is the first requirement. Second is an ssh client on the
> Windows side which can do GSSAPI authentication (recent version of putty
> can) and has GSSAPI authentication enabled (iirc this is not the default
> for putty, so you have to switch it on manually). Next is that you have
> to use the fully-qualified DNS name of the IPA client you want to login
> to. If all this is set and authentication still falls back to ask for a
> password please check with the klist command on the Windows client in
> command.exe or the Powershell if you already got a service ticket for
> the IPA client. If this is missing please check if there is a
> cross-realm ticket, it has a principal starting with 'krbtgt/' followed
> by the IPA realm, an '@' sign and the AD realm. If this is missing as
> well the issue is on the AD side and the client either does not try
> GSSAPI at all or it does not get a cross-realm ticket from the local DC.
>
> HTH
>
> bye,
> Sumit
I do not see tickets to IPA's domain - when I'm logged into a Win10Pro (a member of win2016 AD domain).
>klist only shows two tickets, krbtgt & LDAP @AD domain, and nowhere there do I see a mention of IPA domain.
That is after a one-way trust was established from IPA's side, successfully.
DNS seems to work, users seem to work.

My setup: IPA is subdomain of AD.
Win10Pro is 1903 with openssh-client installed as/from optional feature. I think it does support gssapi.

After a trust is established - do we need to create groups & mappings for AD users for ssh/samba to work? Guide docs I saw I understand then these are only required when one needs HBAC, correct?

How to start troubleshooting?

many thanks, L.

>> many thanks, L.
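As an added example (not from the thread, FreeIPA or Windows), a small Python parser that applies the three-step klist check from Sumit's reply to Windows `klist` output: service ticket for the IPA client, otherwise cross-realm `krbtgt/IPA.REALM@AD.REALM`, otherwise nothing. The sample output, hostnames and realms are constructed, and the `Server: <service> @ <REALM>` line layout of Windows klist is assumed.

```python
import re

# Constructed sample of Windows `klist` output (not taken from the thread).
# It mirrors what the poster reports: only krbtgt and LDAP tickets in the AD realm.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: tester1 @ AD.EXAMPLE.TEST
        Server: krbtgt/AD.EXAMPLE.TEST @ AD.EXAMPLE.TEST
        End Time:   5/24/2019 2:00:00 (local)

#1>     Client: tester1 @ AD.EXAMPLE.TEST
        Server: LDAP/dc1.ad.example.test/ad.example.test @ AD.EXAMPLE.TEST
        End Time:   5/24/2019 2:00:00 (local)
"""

# Assumed layout: Windows klist prints one "Server: <service> @ <REALM>" line per ticket.
SERVER_RE = re.compile(r"^\s*Server:\s*(\S+)\s*@\s*(\S+)\s*$", re.MULTILINE)


def service_principals(klist_text):
    """Return the set of (service, REALM) pairs in klist output, case-normalised."""
    return {(svc.lower(), realm.upper()) for svc, realm in SERVER_RE.findall(klist_text)}


def diagnose(klist_text, ipa_host, ipa_realm, ad_realm):
    """Classify the ticket cache the way the reply above walks through it."""
    tickets = service_principals(klist_text)
    ipa_realm, ad_realm = ipa_realm.upper(), ad_realm.upper()
    if (f"host/{ipa_host.lower()}", ipa_realm) in tickets:
        return "service-ticket"     # ticket for the IPA client exists: Kerberos path is complete
    if (f"krbtgt/{ipa_realm}".lower(), ad_realm) in tickets:
        return "cross-realm-only"   # trust referral worked; the ssh client never asked for host/
    return "no-cross-realm"         # AD side: no GSSAPI attempt, or the DC issued no cross-realm TGT


def with_ticket(klist_text, service, realm):
    """Append one more (constructed) ticket block, to build the other two cache states."""
    return klist_text + f"\n#9>     Client: tester1 @ AD.EXAMPLE.TEST\n        Server: {service} @ {realm}\n"


if __name__ == "__main__":
    # Hypothetical IPA client and realms; the poster's real names are not in the thread.
    print(diagnose(SAMPLE_KLIST, "client1.ipa.example.test", "IPA.EXAMPLE.TEST", "AD.EXAMPLE.TEST"))
```

On a real client, feed `subprocess.run(["klist"], capture_output=True, text=True).stdout` to `diagnose` instead of the constructed sample.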
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org