On Sun, May 26, 2019 at 01:42:32PM +0100, lejeczek via FreeIPA-users wrote:
> On 23/05/2019 16:43, Sumit Bose via FreeIPA-users wrote:
> > On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users wrote:
> >> On 23/05/2019 14:56, Rob Crittenden wrote:
> >>> lejeczek via FreeIPA-users wrote:
> >>>> hi guys,
> >>>>
> >>>> reading the official guide one may assume - I do - that "Using SSH Without
> >>>> Passwords" should work out of the box (CentOS 7.6) - is such an assumption
> >>>> valid?
> >>>>
> >>>> For me this does not work - ssh still asks for passwords.
> >>>>
> >>>> If this is due to some failure/problem, then where to look and how to
> >>>> troubleshoot?
> >>> It's hard to know what you're doing, ssh from where to where, using what?
> >>>
> >>> rob
> >> I made an assumption - which I see now was invalid - that some experts
> >> may know the mentioned guide by heart and if I quoted something then the
> >> rest would be obvious - wrong, sorry.
> >>
> >> "Using SSH Without Passwords" is a paragraph of "Using SSH from Active
> >> Directory Machines for IdM Resources" which is about Kerberos I understand.
> >>
> >> My hope was to have AD's clients be able to ssh (and maybe get to other
> >> things like Samba) without a password and with Kerberos.
> >>
> >> I see IPA's users can do that between IPA's servers
> >>
> >> ...
> >>
> >> debug1: PAM: initializing for "tester1"
> >> debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
> >> debug1: PAM: setting PAM_TTY to "ssh"
> >> debug1: userauth-request for user tester1 service ssh-connection method
> >> gssapi-with-mic [preauth]
> >> debug1: attempt 1 failures 0 [preauth]
> >> Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
> >> [preauth]
> >> debug1: Got no client credentials
> >> debug1: ssh_gssapi_k5login_exists: Checking existence of file
> >> /home/tester1/.k5login
> >> Authorized to tester1, krb5 principal tester1@private
> >> (ssh_gssapi_krb5_cmdok)
> >> debug1: do_pam_account: called
> >> Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
> >> ...
> >>
> >> But on a Win10Pro which is an AD member, which I'm trying, when I ssh as an
> >> AD user then I do not see the above in the logs and such ssh (Win10's own
> >> feature) is asked for a password.
> >>
> >> To sum up: AD's users off/from Win AD win-stations to IPA's
> >> members/clients with Kerberos if possible. (trust is already established
> >> and running)
> > Hi,
> >
> > having a trust is the first requirement. Second is an ssh client on the
> > Windows side which can do GSSAPI authentication (recent versions of putty
> > can) and has GSSAPI authentication enabled (iirc this is not the default
> > for putty, so you have to switch it on manually). Next is that you have
> > to use the fully-qualified DNS name of the IPA client you want to log in
> > to. If all this is set and authentication still falls back to asking for a
> > password, please check with the klist command on the Windows client in
> > command.exe or PowerShell if you already got a service ticket for
> > the IPA client. If this is missing please check if there is a
> > cross-realm ticket; it has a principal starting with 'krbtgt/' followed
> > by the IPA realm, an '@' sign and the AD realm. If this is missing as
> > well the issue is on the AD side and the client either does not try
> > GSSAPI at all or it does not get a cross-realm ticket from the local DC.
> >
> > HTH
> >
> > bye,
> > Sumit
> 
> I do not see tickets to IPA's domain - when I'm logged into a Win10Pro
> (a member of win2016 AD domain).
> 
> >klist only shows two tickets, krbtgt & LDAP @AD domain, and nowhere
> there do I see a mention of the IPA domain.
> 
> That is after a one-way trust was established from IPA's side,
> successfully. DNS seems to work, users seem to work.
> 
> My setup: IPA is a subdomain of AD.
> 
> Win10Pro is 1903 with openssh-client installed as/from optional feature.
> I think it does support gssapi.

I haven't tried this ssh client so far. But typically
GSSAPIAuthentication is not enabled by default for openssh clients. Have
you tried to add '-o GSSAPIAuthentication=yes' or similar? Do you see
something GSSAPI related in the debug output?

> 
> After a trust is established - do we need to create groups & mappings
> for AD users for ssh/samba to work? From the guide docs I saw, I understand
> these are only required when one needs HBAC, correct?

Yes.

> 
> How to start troubleshooting?
> 
> many thanks, L.
> 
> >> many thanks, L.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
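The checklist in the reply above (look for a service ticket for the IPA client, then for the cross-realm 'krbtgt/IPA-REALM @ AD-REALM' ticket, then force GSSAPI on in the ssh client) can be walked through in one script on the Windows AD member. The following is an added example written for this page; it is not code from the thread, from the poster, or from the FreeIPA project. The realm and host names ('IPA.EXAMPLE.COM', 'AD.EXAMPLE.COM', 'client1.ipa.example.com', user 'tester1') are placeholders, and the regex assumes the usual Windows klist layout of "Server: spn @ REALM" with spaces around the '@'.

```powershell
# Added example (not from the thread or from FreeIPA). Walks the klist checks
# from the reply above and then tries ssh with GSSAPI forced on.
param(
    [string]$IpaHost  = 'client1.ipa.example.com',  # assumed; must be the FQDN of the IPA client
    [string]$IpaRealm = 'IPA.EXAMPLE.COM',          # assumed IPA realm
    [string]$AdRealm  = 'AD.EXAMPLE.COM',           # assumed AD realm
    [string]$User     = 'tester1'                   # assumed AD user
)

# Collect the 'Server:' principals from the Windows klist ticket cache.
# Assumed output shape: "        Server: krbtgt/IPA.EXAMPLE.COM @ AD.EXAMPLE.COM"
function Get-KerbServers {
    klist | ForEach-Object {
        if ($_ -match '^\s*Server:\s*(\S+)\s*@\s*(\S+)') {
            "$($Matches[1])@$($Matches[2])"
        }
    }
}

$crossRealm = "krbtgt/$IpaRealm@$AdRealm"   # what Sumit calls the cross-realm ticket
$service    = "host/$IpaHost@$IpaRealm"     # the sshd host principal on the IPA client

$before = @(Get-KerbServers)
Write-Host "Cached tickets: $($before -join ', ')"

if ($before -notcontains $service) {
    # No service ticket yet. 'klist get <SPN>' asks the DC for one explicitly and
    # prints the KDC error if it fails, which is more informative than a silent
    # fallback to password in the ssh client. Realm is left off so the DC can
    # refer the request via the trust (assumption about the trust's name suffix routing).
    Write-Host "No ticket for $service yet; requesting one with 'klist get'"
    klist get "host/$IpaHost"
}

$after = @(Get-KerbServers)
if ($after -notcontains $crossRealm) {
    Write-Warning "No cross-realm ticket $crossRealm. The AD side never referred to $IpaRealm; check the trust and DNS on the DC."
} elseif ($after -notcontains $service) {
    Write-Warning "Cross-realm ticket present but no $service. The IPA KDC did not issue a host ticket; check that $IpaHost is enrolled and that its FQDN resolves."
} else {
    Write-Host "Ticket cache looks right; trying ssh with GSSAPI forced on."
}

# GSSAPIAuthentication is off by default in OpenSSH clients. Force it, refuse the
# password fallback so a GSSAPI failure is visible as a hard error, and keep the
# verbose output so the gssapi-with-mic negotiation (or its absence) can be read.
$log = & ssh -v -o GSSAPIAuthentication=yes -o PreferredAuthentications=gssapi-with-mic "$User@$IpaHost" 'id' 2>&1
$log | Where-Object { $_ -match 'gssapi|Authenticat' }
```

If the verbose ssh output never mentions gssapi-with-mic at all, the client build is not offering GSSAPI and the ticket cache is irrelevant; if it offers it and the server refuses, compare with the sshd debug lines quoted earlier in the thread ("Got no client credentials", ".k5login", "Authorized to ...") on the IPA client. To make the setting persistent, the same option can go into the user's ssh config under a Host entry matching the IPA client's FQDN, since a short name will not yield a host/ principal the IPA KDC recognises.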