On 31/05/2019 15:42, Juan Pablo wrote:
> Hi, first of all: GSSAPI is not imported on openssh for windows
> unfortunately. So you have to use putty to have passwordless GSSAPI
> kerberos from windows to a linux domain.
>
> second, from which system on the windows side are you trying to login?
> can you see if it works from the Active Directory server itself,
> please? IIRC, you will have to allow the host/pc to delegate kerberos
> credentials (on windows side). AD domain servers have kerberos ticket
> delegation enabled by default, regular pc/hosts don't. maybe this is
> the case...
>
> regards,
> JP

I was hoping, but was not sure, that nomorefood's stuff ended up in the
Windows version in the latest update (thus I stressed "update") of 1903,
but it's not there.
Putty I got from ssh.com (I'm not sure if this is the best place or best
putty to get?) but this putty, on/off the AD server... yes, works with
GSSAPI and I see password-less authentication.
I thought I delegated the Win10 client box ("Trust this computer for
delegation of any service") in AD Users & Computers but... still a
password prompt.

Any ideas, suggestions?

many thanks, L.

> On Mon, 27 May 2019 at 4:30, Sumit Bose via FreeIPA-users
> (<freeipa-users@lists.fedorahosted.org>) wrote:
>> On Sun, May 26, 2019 at 01:42:32PM +0100, lejeczek via FreeIPA-users wrote:
>>> On 23/05/2019 16:43, Sumit Bose via FreeIPA-users wrote:
>>>> On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users wrote:
>>>>> On 23/05/2019 14:56, Rob Crittenden wrote:
>>>>>> lejeczek via FreeIPA-users wrote:
>>>>>>> hi guys,
>>>>>>>
>>>>>>> reading official guide one may assume - I do - that "Using SSH Without
>>>>>>> Passwords" should work out-of-box (centos 7.6) - is such assumption valid?
>>>>>>>
>>>>>>> For me this does not work - ssh still asks for passwords.
>>>>>>>
>>>>>>> If this is due to some failure/problem, then where to look and how to
>>>>>>> troubleshoot?
>>>>>> It's hard to know what you're doing, ssh from where to where, using what?
>>>>>>
>>>>>> rob
>>>>> I made an assumption - which I see now was invalid - that some experts
>>>>> may know the mentioned guide by heart and if I quoted something then the
>>>>> rest will be obvious - wrong, sorry.
>>>>>
>>>>> "Using SSH Without Passwords" is a paragraph of "Using SSH from Active
>>>>> Directory Machines for IdM Resources" which is about Kerberos I understand.
>>>>>
>>>>> My hope was to have AD's clients be able to ssh (and maybe get to other
>>>>> things like Samba) without password and with Kerberos.
>>>>>
>>>>> I see IPA's users can do that between IPA's servers
>>>>>
>>>>> ...
>>>>>
>>>>> debug1: PAM: initializing for "tester1"
>>>>> debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
>>>>> debug1: PAM: setting PAM_TTY to "ssh"
>>>>> debug1: userauth-request for user tester1 service ssh-connection method gssapi-with-mic [preauth]
>>>>> debug1: attempt 1 failures 0 [preauth]
>>>>> Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2 [preauth]
>>>>> debug1: Got no client credentials
>>>>> debug1: ssh_gssapi_k5login_exists: Checking existence of file /home/tester1/.k5login
>>>>> Authorized to tester1, krb5 principal tester1@private (ssh_gssapi_krb5_cmdok)
>>>>> debug1: do_pam_account: called
>>>>> Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
>>>>> ...
>>>>>
>>>>> But a Win10Pro which is an AD member, which I'm trying, when I ssh as AD's
>>>>> user then I do not see the above in the logs and such ssh (Win10's own
>>>>> feature) is asked for a password.
>>>>>
>>>>> To sum up: AD's users off/from Win AD win-stations to IPA's
>>>>> members/clients with Kerberos if possible. (trust is already established
>>>>> and running)
>>>> Hi,
>>>>
>>>> having a trust is the first requirement. Second is a ssh client on the
>>>> Windows side which can do GSSAPI authentication (recent version of putty
>>>> can) and has GSSAPI authentication enabled (iirc this is not the default
>>>> for putty, so you have to switch it on manually). Next is that you have
>>>> to use the fully-qualified DNS name of the IPA client you want to login
>>>> to. If all this is set and authentication still falls back to ask for a
>>>> password please check with the klist command on the Windows client in
>>>> command.exe or the Powershell if you already got a service ticket for
>>>> the IPA client. If this is missing please check if there is a
>>>> cross-realm ticket, it has a principal starting with 'krbtgt/' followed
>>>> by the IPA realm, an '@' sign and the AD realm. If this is missing as
>>>> well the issue is on the AD side and the client either does not try
>>>> GSSAPI at all or it does not get a cross-realm ticket from the local DC.
>>>>
>>>> HTH
>>>>
>>>> bye,
>>>> Sumit
>>> I do not see tickets to IPA's domain - when I'm logged into a Win10Pro
>>> (a member of a win2016 AD domain).
>>>
>>> klist only shows two tickets, krbtgt & LDAP @AD domain, and nowhere
>>> there do I see a mention of the IPA domain.
>>>
>>> That is after a one-way trust was established from IPA's side,
>>> successfully. DNS seems to work, users seem to work.
>>>
>>> My setup: IPA is a subdomain of AD.
>>>
>>> Win10Pro is 1903 with openssh-client installed as/from optional feature.
>>> I think it does support gssapi.
>> I haven't tried this ssh client so far. But typically
>> GSSAPIAuthentication is not enabled by default for openssh clients. Have
>> you tried to add '-o GSSAPIAuthentication=yes' or similar? Do you see
>> something GSSAPI related in the debug output?
>>>
>>> After a trust is established - do we need to create groups & mappings
>>> for AD users for ssh/samba to work? Guide docs I saw I understand then
>>> these are only required when one needs HBAC, correct?
>> Yes.
>>>
>>> How to start troubleshooting?
>>>
>>> many thanks, L.
>>>
>>>>> many thanks, L.
>>>>>
>>>>> pub rsa2048 2019-01-17 [SC] [expires: 2020-01-17]
>>>>> 93059F241EEEE1D0769A85F455918ABF21224EBA
>>>>> uid lejeczek <pelj...@yahoo.co.uk>
>>>>> sub rsa2048 2019-01-17 [E] [expires: 2020-01-17]
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
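The troubleshooting order Sumit gives in the quoted thread (service ticket for host/<fqdn> on the Windows side, then the cross-realm krbtgt, then the sshd debug log on the IPA client) can be turned into two small checks. The following is an added example written for this page; it is not code from any participant in the thread or from the FreeIPA project. The realm and host names it uses (AD.EXAMPLE.COM, IPA.AD.EXAMPLE.COM, ipa-client.ipa.ad.example.com) are placeholders, the klist samples are constructed in the layout Windows klist prints, and the sshd lines in SSHD_GSSAPI_OK are the ones quoted in the thread while the password-fallback lines are constructed.

```python
"""Diagnose why GSSAPI ssh from an AD-joined Windows client to an IPA host
falls back to a password, following the order described in the thread.
Added example; names, realms and samples are placeholders or constructed."""
import re
from typing import Dict, Iterable, List, Tuple

# "Server:" line of one cached ticket in Windows klist output, e.g.
#   "        Server: krbtgt/AD.EXAMPLE.COM @ AD.EXAMPLE.COM"
_SERVER_RE = re.compile(r"^\s*Server:\s*(?P<spn>\S+)\s*@\s*(?P<realm>\S+)\s*$",
                        re.MULTILINE)


def cached_tickets(klist_output: str) -> List[Tuple[str, str]]:
    """Return (service principal, realm) for every ticket klist lists."""
    return [(m.group("spn"), m.group("realm"))
            for m in _SERVER_RE.finditer(klist_output)]


def diagnose_windows_side(klist_output: str, ipa_client_fqdn: str,
                          ipa_realm: str, ad_realm: str) -> str:
    """Classify the Windows ticket cache into the three outcomes in the thread.

    'service-ticket'   : host/<fqdn>@<IPA realm> is cached. Kerberos across the
                         trust works; look at the ssh client (GSSAPI enabled?
                         FQDN used?) and at sshd on the IPA client instead.
    'cross-realm-only' : krbtgt/<IPA realm>@<AD realm> is cached but no host/
                         ticket. The DC issued the referral, but no ticket for
                         the IPA host was requested or obtained.
    'no-cross-realm'   : neither. The client never asked the DC for the IPA
                         realm, or the DC refused: the problem is on the AD
                         side or the client is not attempting GSSAPI at all.
    """
    # Kerberos names are case-sensitive, but klist output and DNS names are
    # compared case-insensitively here so a pasted capture still matches.
    have = {(spn.lower(), realm.upper()) for spn, realm in cached_tickets(klist_output)}
    if ("host/" + ipa_client_fqdn.lower(), ipa_realm.upper()) in have:
        return "service-ticket"
    if ("krbtgt/" + ipa_realm.lower(), ad_realm.upper()) in have:
        return "cross-realm-only"
    return "no-cross-realm"


def diagnose_sshd_log(lines: Iterable[str]) -> Dict[str, bool]:
    """Read sshd debug output (sshd -d, or the journal at LogLevel DEBUG1)."""
    lines = list(lines)
    return {
        # the client offered GSSAPI at all (userauth method gssapi-with-mic)
        "gssapi_attempted": any("method gssapi-with-mic" in l for l in lines),
        # sshd completed the GSSAPI exchange and authorized the user
        "gssapi_accepted": any(l.startswith("Accepted gssapi-with-mic") for l in lines),
        # the login ended up using a password (fallback, or GSSAPI never tried)
        "password_used": any(l.startswith("Accepted password") for l in lines),
        # the client did not delegate (forward) its credentials to the server;
        # authentication itself is unaffected, only onward Kerberos use is
        "no_delegated_creds": any("Got no client credentials" in l for l in lines),
    }


# ---- constructed klist samples (layout as printed by Windows klist) ----
KLIST_AD_ONLY = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: tester1 @ AD.EXAMPLE.COM
        Server: krbtgt/AD.EXAMPLE.COM @ AD.EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: tester1 @ AD.EXAMPLE.COM
        Server: LDAP/dc1.ad.example.com/ad.example.com @ AD.EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
"""
KLIST_CROSS_REALM = KLIST_AD_ONLY + """
#2>     Client: tester1 @ AD.EXAMPLE.COM
        Server: krbtgt/IPA.AD.EXAMPLE.COM @ AD.EXAMPLE.COM
"""
KLIST_SERVICE = KLIST_CROSS_REALM + """
#3>     Client: tester1 @ AD.EXAMPLE.COM
        Server: host/ipa-client.ipa.ad.example.com @ IPA.AD.EXAMPLE.COM
"""

# sshd lines quoted in the thread (a working GSSAPI login between IPA hosts)
SSHD_GSSAPI_OK = [
    "debug1: userauth-request for user tester1 service ssh-connection method gssapi-with-mic [preauth]",
    "debug1: attempt 1 failures 0 [preauth]",
    "Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2 [preauth]",
    "debug1: Got no client credentials",
    "Authorized to tester1, krb5 principal tester1@private (ssh_gssapi_krb5_cmdok)",
    "Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2",
]
# constructed: a client that never offers GSSAPI and logs in with a password
SSHD_PASSWORD_ONLY = [
    "debug1: userauth-request for user tester1 service ssh-connection method none [preauth]",
    "debug1: userauth-request for user tester1 service ssh-connection method password [preauth]",
    "Accepted password for tester1 from 10.5.5.66 port 43610 ssh2",
]

if __name__ == "__main__":
    for name, out in (("ad-only", KLIST_AD_ONLY), ("cross-realm", KLIST_CROSS_REALM),
                      ("service", KLIST_SERVICE)):
        print(name, "->", diagnose_windows_side(
            out, "ipa-client.ipa.ad.example.com", "IPA.AD.EXAMPLE.COM", "AD.EXAMPLE.COM"))
    print("sshd gssapi   ->", diagnose_sshd_log(SSHD_GSSAPI_OK))
    print("sshd password ->", diagnose_sshd_log(SSHD_PASSWORD_ONLY))
```

Paste the Windows klist output into the first check and the sshd debug output (taken while the client connects with the host's fully qualified name and, as Sumit suggests, `-o GSSAPIAuthentication=yes`) into the second. The two results should agree: "no-cross-realm" on Windows together with no gssapi-with-mic request in sshd means the client never attempted GSSAPI, which matches what the thread reports for the Win10 built-in client, whereas a cached service ticket together with a password login points at the ssh client or sshd configuration rather than at the trust.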