>>I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users connecting >>to >>Linux servers from their domain-joined workstations are not required to enter >>a >>password for the first connection. However, if they attempt to ssh to a >>second >>Linux machine from the first they are being prompted for a password. >> >>I've tried the following /etc/ssh/ssh_config options: >> >> GSSAPIDelegateCredentials yes >> GSSAPIKeyExchange yes >> GSSAPIRenewalForcesRekey yes >> GSSAPITrustDns yes >> >>And the following /etc/ssh/sshd_config options: >> >> GSSAPIAuthentication yes >> GSSAPIKeyExchange yes >> GSSAPIStoreCredentialsOnRekey yes >> >>Am I missing a step/configuration?
> They need to allow delegation on the machine where their first hop > starts, not only on your jump server. Both the first hop and subsequent servers have those settings. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project