[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-06-01 Thread John Keates via FreeIPA-users

On *nix I’d test with klist etc to get information on what tickets I have and 
what those tickets are good for.
Perhaps you can do the same on Windows, figure out what tickets you actually 
have and what you can do with them.

John

> On 1 Jun 2019, at 13:04, lejeczek via FreeIPA-users wrote:
> 
> On 31/05/2019 15:42, Juan Pablo wrote:
>> Hi, first of all: GSSAPI is not imported on openssh for windows
>> unfortunately. So it is mandatory to use putty to have GSSAPI
>> kerberos passwordless from windows to linux domain.
>> 
>> second, from which system on the windows side are you trying to login?
>> can you see if it works from the Active Directory server itself,
>> please? IIRC, you will have to allow the host/pc to delegate kerberos
>> credentials (on windows side). AD domain servers have kerberos ticket
>> delegation enabled by default, regular pc/hosts don't. maybe this is
>> the case...
>> 
>> regards,
>> JP
> 
> I was hoping, but was not sure, that nomorefood's stuff ended up in the
> Windows version in the latest (thus I stressed) update, 1903, but
> it's not there.
> 
> Putty I got from ssh.com (I'm not sure if this is the best place or best
> putty to get?) but this putty, on/off the AD server.. yes, works with
> gssapi and I see password-less authentication.
> 
> I thought I delegated the Win10 client box to "Trust this computer for
> delegation of any service" in AD Users & Computers but... still password
> prompt. Any ideas, suggestions?
> 
> many thanks, L.
> 
>> 
>> On Mon, 27 May 2019 at 4:30, Sumit Bose via FreeIPA-users wrote:
>> 
>>> On Sun, May 26, 2019 at 01:42:32PM +0100, lejeczek via FreeIPA-users wrote:
>>>> On 23/05/2019 16:43, Sumit Bose via FreeIPA-users wrote:
>>>>> On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users wrote:
>>>>>> On 23/05/2019 14:56, Rob Crittenden wrote:
>>>>>>> lejeczek via FreeIPA-users wrote:
>>>>>>>> hi guys,
>>>>>>>> 
>>>>>>>> reading the official guide one may assume - I do - that "Using SSH Without Passwords" should work out of the box (CentOS 7.6) - is such an assumption valid?
>>>>>>>> 
>>>>>>>> For me this does not work - ssh still asks for passwords.
>>>>>>>> 
>>>>>>>> If this is due to some failure/problem, then where to look and how to troubleshoot?
>>>>>>> It's hard to know what you're doing, ssh from where to where, using what?
>>>>>>> 
>>>>>>> rob
>>>>>> I made an assumption - which I see now was invalid - that some experts may know the mentioned guide by heart and if I quoted something then the rest would be obvious - wrong, sorry.
>>>>>> 
>>>>>> "Using SSH Without Passwords" is a paragraph of "Using SSH from Active Directory Machines for IdM Resources", which is about Kerberos, I understand.
>>>>>> 
>>>>>> My hope was to have AD's clients be able to ssh (and maybe get to other things like Samba) without a password and with Kerberos.
>>>>>> 
>>>>>> I see IPA's users can do that between IPA's servers
>>>>>> 
>>>>>> ...
>>>>>> 
>>>>>> debug1: PAM: initializing for "tester1"
>>>>>> debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
>>>>>> debug1: PAM: setting PAM_TTY to "ssh"
>>>>>> debug1: userauth-request for user tester1 service ssh-connection method gssapi-with-mic [preauth]
>>>>>> debug1: attempt 1 failures 0 [preauth]
>>>>>> Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2 [preauth]
>>>>>> debug1: Got no client credentials
>>>>>> debug1: ssh_gssapi_k5login_exists: Checking existence of file /home/tester1/.k5login
>>>>>> Authorized to tester1, krb5 principal tester1@private (ssh_gssapi_krb5_cmdok)
>>>>>> debug1: do_pam_account: called
>>>>>> Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
>>>>>> ...
>>>>>> 
>>>>>> But a Win10 Pro which is an AD member, which I'm trying, when I ssh as an AD user then I do not see the above in the logs, and such ssh (Win10's own feature) is asked for a password.
>>>>>> 
>>>>>> To sum up: AD's users off/from Win AD win-stations to IPA's members/clients with Kerberos if possible. (trust is already established and running)
>>>>> Hi,
>>>>> 
>>>>> having a trust is the first requirement. Second is an ssh client on the Windows side which can do GSSAPI authentication (a recent version of putty can) and has GSSAPI authentication enabled (iirc this is not the default for putty, so you have to switch it on manually). Next is that you have to use the fully-qualified DNS name of the IPA client you want to log in to. If all this is set and authentication still falls back to asking for a password, please check with the klist command on the Windows client in command.exe or the Powershell if you already got a service ticket for the IPA client. If this is missing please check if there is a cross-realm ticket, it has a

[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-06-01 Thread lejeczek via FreeIPA-users
On 31/05/2019 15:42, Juan Pablo wrote:
> Hi, first of all: GSSAPI is not imported on openssh for windows
> unfortunately. So it is mandatory to use putty to have GSSAPI
> kerberos passwordless from windows to linux domain.
>
> second, from which system on the windows side are you trying to login?
> can you see if it works from the Active Directory server itself,
> please? IIRC, you will have to allow the host/pc to delegate kerberos
> credentials (on windows side). AD domain servers have kerberos ticket
> delegation enabled by default, regular pc/hosts don't. maybe this is
> the case...
>
> regards,
> JP

I was hoping, but was not sure, that nomorefood's stuff ended up in the
Windows version in the latest (thus I stressed) update, 1903, but
it's not there.

Putty I got from ssh.com (I'm not sure if this is the best place or best
putty to get?) but this putty, on/off the AD server.. yes, works with
gssapi and I see password-less authentication.

I thought I delegated the Win10 client box to "Trust this computer for
delegation of any service" in AD Users & Computers but... still password
prompt. Any ideas, suggestions?

many thanks, L.

> 
> On Mon, 27 May 2019 at 4:30, Sumit Bose via FreeIPA-users wrote:
> 
>> On Sun, May 26, 2019 at 01:42:32PM +0100, lejeczek via FreeIPA-users wrote:
>>> On 23/05/2019 16:43, Sumit Bose via FreeIPA-users wrote:
>>>> On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users wrote:
>>>>> On 23/05/2019 14:56, Rob Crittenden wrote:
>>>>>> lejeczek via FreeIPA-users wrote:
>>>>>>> hi guys,
>>>>>>> 
>>>>>>> reading the official guide one may assume - I do - that "Using SSH Without Passwords" should work out of the box (CentOS 7.6) - is such an assumption valid?
>>>>>>> 
>>>>>>> For me this does not work - ssh still asks for passwords.
>>>>>>> 
>>>>>>> If this is due to some failure/problem, then where to look and how to troubleshoot?
>>>>>> It's hard to know what you're doing, ssh from where to where, using what?
>>>>>> 
>>>>>> rob
>>>>> I made an assumption - which I see now was invalid - that some experts may know the mentioned guide by heart and if I quoted something then the rest would be obvious - wrong, sorry.
>>>>> 
>>>>> "Using SSH Without Passwords" is a paragraph of "Using SSH from Active Directory Machines for IdM Resources", which is about Kerberos, I understand.
>>>>> 
>>>>> My hope was to have AD's clients be able to ssh (and maybe get to other things like Samba) without a password and with Kerberos.
>>>>> 
>>>>> I see IPA's users can do that between IPA's servers
>>>>> 
>>>>> ...
>>>>> 
>>>>> debug1: PAM: initializing for "tester1"
>>>>> debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
>>>>> debug1: PAM: setting PAM_TTY to "ssh"
>>>>> debug1: userauth-request for user tester1 service ssh-connection method gssapi-with-mic [preauth]
>>>>> debug1: attempt 1 failures 0 [preauth]
>>>>> Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2 [preauth]
>>>>> debug1: Got no client credentials
>>>>> debug1: ssh_gssapi_k5login_exists: Checking existence of file /home/tester1/.k5login
>>>>> Authorized to tester1, krb5 principal tester1@private (ssh_gssapi_krb5_cmdok)
>>>>> debug1: do_pam_account: called
>>>>> Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
>>>>> ...
>>>>> 
>>>>> But a Win10 Pro which is an AD member, which I'm trying, when I ssh as an AD user then I do not see the above in the logs, and such ssh (Win10's own feature) is asked for a password.
>>>>> 
>>>>> To sum up: AD's users off/from Win AD win-stations to IPA's members/clients with Kerberos if possible. (trust is already established and running)
>>>> Hi,
>>>> 
>>>> having a trust is the first requirement. Second is an ssh client on the Windows side which can do GSSAPI authentication (a recent version of putty can) and has GSSAPI authentication enabled (iirc this is not the default for putty, so you have to switch it on manually). Next is that you have to use the fully-qualified DNS name of the IPA client you want to log in to. If all this is set and authentication still falls back to asking for a password, please check with the klist command on the Windows client in command.exe or the Powershell if you already got a service ticket for the IPA client. If this is missing please check if there is a cross-realm ticket, it has a principal starting with 'krbtgt/'
> 
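Both John and Sumit point at klist on the Windows client. The script below is an added example, not code from the thread or from FreeIPA: it parses a constructed Windows klist dump and applies Sumit's two checks, whether a cross-realm krbtgt/ ticket for the IPA realm exists and whether a host/ service ticket for the IPA client's FQDN exists. The realm names AD.EXAMPLE and IPA.EXAMPLE and the host client.ipa.example are assumed placeholders.

```python
import re

# Constructed sample of Windows `klist` output (not from the thread). The AD user
# holds a TGT and a cross-realm TGT for the IPA realm but no host/ service ticket.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: tester1 @ AD.EXAMPLE
        Server: krbtgt/AD.EXAMPLE @ AD.EXAMPLE
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        End Time:   6/1/2019 19:00:00 (local)

#1>     Client: tester1 @ AD.EXAMPLE
        Server: krbtgt/IPA.EXAMPLE @ AD.EXAMPLE
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        End Time:   6/1/2019 19:00:00 (local)
"""

# Windows klist prints each ticket's service as "Server: <principal> @ <realm>".
SERVER_RE = re.compile(r"^\s*Server:\s*(\S+)\s*@\s*(\S+)\s*$", re.MULTILINE)


def parse_klist(text):
    """Return [(service_principal, issuing_realm), ...] from Windows klist output."""
    return SERVER_RE.findall(text)


def check_sso_tickets(klist_text, target_fqdn, ipa_realm, ad_realm):
    """Apply the thread's two checks. Realm names are case-sensitive and host
    principals carry the lower-case FQDN, so pass them exactly as the KDC issues them."""
    tickets = parse_klist(klist_text)
    result = {
        "cross_realm_tgt": (f"krbtgt/{ipa_realm}", ad_realm) in tickets,
        "host_ticket": (f"host/{target_fqdn}", ipa_realm) in tickets,
    }
    if not result["cross_realm_tgt"]:
        result["next_step"] = (f"no krbtgt/{ipa_realm} ticket: the AD KDC never referred "
                               "the client to the IPA realm, so check the trust first")
    elif not result["host_ticket"]:
        result["next_step"] = (f"cross-realm TGT present but no host/{target_fqdn} ticket: "
                               "connect by the FQDN with GSSAPI enabled in the ssh client")
    else:
        result["next_step"] = ("both tickets present: the fallback to password comes from the "
                               "ssh client or sshd, so read sshd -d on the IPA client")
    return result
```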