On Fri, 03 Mar 2017, Jason B. Nance wrote:
I have a FreeIPA 4.4.0 setup with Active Directory trusts.  Users connecting to
Linux servers from their domain-joined workstations are not required to enter a
password for the first connection.  However, if they attempt to ssh to a second
Linux machine from the first they are being prompted for a password.

I've tried the following /etc/ssh/ssh_config options:

   GSSAPIDelegateCredentials yes
   GSSAPIKeyExchange yes
   GSSAPIRenewalForcesRekey yes
   GSSAPITrustDns yes

And the following /etc/ssh/sshd_config options:

   GSSAPIAuthentication yes
   GSSAPIKeyExchange yes
   GSSAPIStoreCredentialsOnRekey yes

Am I missing a step/configuration?

They need to allow delegation on the machine where their first hop
starts, not only on your jump server.

Both the first hop and subsequent servers have those settings.

I'm not talking about servers. It starts with the client machines.
If the server never got delegated credentials, how could it be a client that
delegates them further? That original client has to allow delegation
in the first place.

--
/ Alexander Bokovoy
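
Added example, not part of the original thread: a per-hop check for the point made in the reply above, to be run on each machine in the chain starting with the original client. It assumes OpenSSH's `ssh -G` output and MIT Kerberos `klist -f` output; the function names and the sample ticket listing are constructed for illustration.

```shell
#!/bin/sh
# Reads `ssh -G <next-hop>` output on stdin. Succeeds only if the effective
# client configuration both uses GSSAPI and delegates credentials.
client_delegates() {
    awk '
        $1 == "gssapiauthentication"      { auth = $2 }
        $1 == "gssapidelegatecredentials" { deleg = $2 }
        END { exit !(auth == "yes" && deleg == "yes") }
    '
}

# Reads `klist -f` output on stdin and prints the flags of the krbtgt
# ticket. Empty output means the cache holds no TGT.
tgt_flags() {
    awk '
        /krbtgt\//         { in_tgt = 1; next }
        in_tgt && /Flags:/ { sub(/.*Flags: */, ""); print; exit }
    '
}

# Classifies a hop from `klist -f` output: what can this machine pass on?
hop_state() {
    flags=$(tgt_flags)
    case "$flags" in
        "")  echo "no-tgt" ;;               # nothing was delegated to this hop
        *F*) echo "can-delegate" ;;         # forwardable TGT is present
        *)   echo "tgt-not-forwardable" ;;  # TGT present, cannot be forwarded
    esac
}

# Constructed sample: `klist -f` on a hop that received a delegated TGT
# (F = forwardable, f = forwarded, R = renewable, A = pre-authenticated).
SAMPLE_KLIST='Valid starting       Expires              Service principal
03/03/2017 10:00:00  03/03/2017 20:00:00  krbtgt/AD.EXAMPLE@AD.EXAMPLE
    renew until 03/10/2017 10:00:00, Flags: FfRA'

printf '%s\n' "$SAMPLE_KLIST" | hop_state

# Real use on each hop (next-hop.example is a placeholder host name):
#   ssh -G next-hop.example | client_delegates && echo "client delegates"
#   klist -f | hop_state
```

A hop that reports `no-tgt` never received delegated credentials, so the machine before it in the chain is the one whose client settings need attention.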
