[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-06-03 Thread John Hearns via FreeIPA-users
Noting that MobaXterm supports GSSAPI: https://www.mobatek.net/
In the Settings/SSH you have a choice of SSH Library: Native Windows, MIT Kerberos, or Custom Library.

On Fri, 31 May 2019 at 17:25, Alexander Bokovoy via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> On Fri, 31 May 2019, Sumit Bose via FreeIPA-users wrote:
> >On Fri, May 31, 2019 at 11:42:43AM -0300, Juan Pablo via FreeIPA-users
> >wrote:
> >> Hi, first of all: GSSAPI is not imported on openssh for windows
> >> unfortunately. So you must use putty to have GSSAPI kerberos
> >> passwordless from windows to linux domain.
> >
> >Thanks, good to know. Is there a reference for this or do you know from
> >your own experiments?
> There is an experimental build with GSSAPI/SSPI support:
> https://github.com/NoMoreFood/openssh-portable/releases/tag/v7.9-sspi
>
>
> >> second, from which system on the windows side are you trying to login?
> >> can you see if it works from the Active Directory server itself, please?
> >> IIRC, you will have to allow the host/pc to delegate kerberos credentials
> >> (on windows side). AD domain servers have kerberos ticket delegation
> >> enabled by default, regular pc/hosts don't. maybe this is the case...
> >
> >You are right that delegation is not enabled by default but for just
> >logging in this is not needed. For the login the client requests a
> >service ticket and only this service ticket is sent to the server for
> >authentication. With delegation the Kerberos TGT (the ticket you get
> >with kinit) is forwarded to the server as well so that it can be used on
> >the remote host to authenticate against other services as well.
> >
> >bye,
> >Sumit
> >
> >>
> >> regards,
> >> JP
> >>
> >> On Mon., 27 May 2019 at 4:30, Sumit Bose via FreeIPA-users (<
> >> freeipa-users@lists.fedorahosted.org>) wrote:
> >>
> >> > On Sun, May 26, 2019 at 01:42:32PM +0100, lejeczek via FreeIPA-users wrote:
> >> > > On 23/05/2019 16:43, Sumit Bose via FreeIPA-users wrote:
> >> > > > On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users wrote:
> >> > > >> On 23/05/2019 14:56, Rob Crittenden wrote:
> >> > > >>> lejeczek via FreeIPA-users wrote:
> >> > > >>>> hi guys,
> >> > > >>>>
> >> > > >>>> reading official guide one may assume - I do - that "Using SSH Without
> >> > > >>>> Passwords" should work out-of-box (centos 7.6) - is such assumption
> >> > > >>>> valid?
> >> > > >>>>
> >> > > >>>> For me this does not work - ssh still asks for passwords.
> >> > > >>>>
> >> > > >>>> If this is due to some failure/problem, then where to look and how to
> >> > > >>>> troubleshoot?
> >> > > >>> It's hard to know what you're doing, ssh from where to where, using what?
> >> > > >>>
> >> > > >>> rob
> >> > > >> I made an assumption - which I see now was invalid - that some experts
> >> > > >> may know mentioned guide by heart and if I quoted something then the
> >> > > >> rest will be obvious - wrong, sorry.
> >> > > >>
> >> > > >> "Using SSH Without Passwords" is a paragraph of "Using SSH from Active
> >> > > >> Directory Machines for IdM Resources" which is about Kerberos I understand.
> >> > > >>
> >> > > >> My hope was to have AD's clients be able to ssh (and maybe get to other
> >> > > >> things like Samba) without password and with Kerberos.
> >> > > >>
> >> > > >> I see IPA's users can do that between IPA's servers
> >> > > >>
> >> > > >> ...
> >> > > >>
> >> > > >> debug1: PAM: initializing for "tester1"
> >> > > >> debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
> >> > > >> debug1: PAM: setting PAM_TTY to "ssh"
> >> > > >> debug1: userauth-request for user tester1 service ssh-connection method
> >> > > >> gssapi-with-mic [preauth]
> >> > > >> debug1: attempt 1 failures 0 [preauth]
> >> > > >> Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
> >> > > >> [preauth]
> >> > > >> debug1: Got no client credentials
> >> > > >> debug1: ssh_gssapi_k5login_exists: Checking existence of file
> >> > > >> /home/tester1/.k5login
> >> > > >> Authorized to tester1, krb5 principal tester1@private
> >> > > >> (ssh_gssapi_krb5_cmdok)
> >> > > >> debug1: do_pam_account: called
> >> > > >> Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
> >> > > >> ...
> >> > > >>
> >> > > >> But a Win10Pro which is AD member which I'm trying, when ssh as AD's
> >> > > >> user then I do not see above in the logs and such ssh (Win10 own feature)
> >> > > >> is asked for password.
> >> > > >>
> >> > > >> To sum up: AD's users off/from Win AD win-stations to IPA's
> >> > > >> members/clients with Kerberos if possible. (trust is already established
> >> > > >> and running)
> >> > > > Hi,
> >> > > >
> >> > > > having a trust is the first requirement. Second is a ssh client on the
> >> > > > Windows side which can do GSSAPI authentication (recent version of putty
> >> > > > can) and has GSSAPI authentic

[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-06-01 Thread John Keates via FreeIPA-users

On *nix I’d test with klist etc. to get information on what tickets I have and
what those tickets are good for.
Perhaps you can do the same on Windows, figure out what tickets you actually 
have and what you can do with them.

John

> On 1 Jun 2019, at 13:04, lejeczek via FreeIPA-users wrote:
> 
> On 31/05/2019 15:42, Juan Pablo wrote:
>> Hi, first of all: GSSAPI is not imported on openssh for windows
>> unfortunately. So you must use putty to have GSSAPI kerberos
>> passwordless from windows to linux domain.
>> 
>> second, from which system on the windows side are you trying to login?
>> can you see if it works from the Active Directory server itself,
>> please? IIRC, you will have to allow the host/pc to delegate kerberos
>> credentials (on windows side). AD domain servers have kerberos ticket
>> delegation enabled by default, regular pc/hosts don't. maybe this is
>> the case...
>> 
>> regards,
>> JP
> 
> I was hoping, but was not sure, that nomorefood's stuff ended up in the
> Windows version in the latest (thus I stressed it) update, 1903, but
> it's not there.
> 
> Putty I got from ssh.com (I'm not sure if this is the best place or best
> putty to get?), but this putty, on/off the AD server... yes, works with
> gssapi and I see password-less authentication.
> 
> I thought I delegated the Win10 client box to "Trust this computer for
> delegation of any service" in AD Users & Computers but... still password
> prompt. Any ideas, suggestions?
> 
> many thanks, L.
> 
>> 
>> On Mon., 27 May 2019 at 4:30, Sumit Bose via FreeIPA-users
>> (<freeipa-users@lists.fedorahosted.org>) wrote:
>>
>>> On Sun, May 26, 2019 at 01:42:32PM +0100, lejeczek via FreeIPA-users wrote:
>>>> On 23/05/2019 16:43, Sumit Bose via FreeIPA-users wrote:
>>>>> On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users wrote:
>>>>>> On 23/05/2019 14:56, Rob Crittenden wrote:
>>>>>>> lejeczek via FreeIPA-users wrote:
>>>>>>>> hi guys,
>>>>>>>>
>>>>>>>> reading official guide one may assume - I do - that "Using SSH Without
>>>>>>>> Passwords" should work out-of-box (centos 7.6) - is such assumption
>>>>>>>> valid?
>>>>>>>>
>>>>>>>> For me this does not work - ssh still asks for passwords.
>>>>>>>>
>>>>>>>> If this is due to some failure/problem, then where to look and how to
>>>>>>>> troubleshoot?
>>>>>>> It's hard to know what you're doing, ssh from where to where, using what?
>>>>>>>
>>>>>>> rob
>>>>>> I made an assumption - which I see now was invalid - that some experts
>>>>>> may know mentioned guide by heart and if I quoted something then the
>>>>>> rest will be obvious - wrong, sorry.
>>>>>>
>>>>>> "Using SSH Without Passwords" is a paragraph of "Using SSH from Active
>>>>>> Directory Machines for IdM Resources" which is about Kerberos I understand.
>>>>>>
>>>>>> My hope was to have AD's clients be able to ssh (and maybe get to other
>>>>>> things like Samba) without password and with Kerberos.
>>>>>>
>>>>>> I see IPA's users can do that between IPA's servers
>>>>>>
>>>>>> ...
>>>>>>
>>>>>> debug1: PAM: initializing for "tester1"
>>>>>> debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
>>>>>> debug1: PAM: setting PAM_TTY to "ssh"
>>>>>> debug1: userauth-request for user tester1 service ssh-connection method
>>>>>> gssapi-with-mic [preauth]
>>>>>> debug1: attempt 1 failures 0 [preauth]
>>>>>> Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
>>>>>> [preauth]
>>>>>> debug1: Got no client credentials
>>>>>> debug1: ssh_gssapi_k5login_exists: Checking existence of file
>>>>>> /home/tester1/.k5login
>>>>>> Authorized to tester1, krb5 principal tester1@private
>>>>>> (ssh_gssapi_krb5_cmdok)
>>>>>> debug1: do_pam_account: called
>>>>>> Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
>>>>>> ...
>>>>>>
>>>>>> But a Win10Pro which is AD member which I'm trying, when ssh as AD's
>>>>>> user then I do not see above in the logs and such ssh (Win10 own feature)
>>>>>> is asked for password.
>>>>>>
>>>>>> To sum up: AD's users off/from Win AD win-stations to IPA's
>>>>>> members/clients with Kerberos if possible. (trust is already established
>>>>>> and running)
>>>>> Hi,
>>>>>
>>>>> having a trust is the first requirement. Second is a ssh client on the
>>>>> Windows side which can do GSSAPI authentication (recent version of putty
>>>>> can) and has GSSAPI authentication enabled (iirc this is not the default
>>>>> for putty, so you have to switch it on manually). Next is that you have
>>>>> to use the fully-qualified DNS name of the IPA client you want to login
>>>>> to. If all this is set and authentication still falls back to ask for a
>>>>> password please check with the klist command on the Windows client in
>>>>> command.exe or the Powershell if you already got a service ticket for
>>>>> the IPA client. If this is missing please check if there is a
>>>>> cross-realm ticket, it has a

[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-06-01 Thread lejeczek via FreeIPA-users
On 31/05/2019 15:42, Juan Pablo wrote:
> Hi, first of all: GSSAPI is not imported on openssh for windows
> unfortunately. So you must use putty to have GSSAPI kerberos
> passwordless from windows to linux domain.
>
> second, from which system on the windows side are you trying to login?
> can you see if it works from the Active Directory server itself,
> please? IIRC, you will have to allow the host/pc to delegate kerberos
> credentials (on windows side). AD domain servers have kerberos ticket
> delegation enabled by default, regular pc/hosts don't. maybe this is
> the case...
>
> regards,
> JP

I was hoping, but was not sure, that nomorefood's stuff ended up in the
Windows version in the latest (thus I stressed it) update, 1903, but
it's not there.

Putty I got from ssh.com (I'm not sure if this is the best place or best
putty to get?), but this putty, on/off the AD server... yes, works with
gssapi and I see password-less authentication.

I thought I delegated the Win10 client box to "Trust this computer for
delegation of any service" in AD Users & Computers but... still password
prompt. Any ideas, suggestions?

many thanks, L.

>
> On Mon., 27 May 2019 at 4:30, Sumit Bose via FreeIPA-users
> (<freeipa-users@lists.fedorahosted.org>) wrote:
>
>> On Sun, May 26, 2019 at 01:42:32PM +0100, lejeczek via FreeIPA-users wrote:
>>> On 23/05/2019 16:43, Sumit Bose via FreeIPA-users wrote:
>>>> On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users wrote:
>>>>> On 23/05/2019 14:56, Rob Crittenden wrote:
>>>>>> lejeczek via FreeIPA-users wrote:
>>>>>>> hi guys,
>>>>>>>
>>>>>>> reading official guide one may assume - I do - that "Using SSH Without
>>>>>>> Passwords" should work out-of-box (centos 7.6) - is such assumption
>>>>>>> valid?
>>>>>>>
>>>>>>> For me this does not work - ssh still asks for passwords.
>>>>>>>
>>>>>>> If this is due to some failure/problem, then where to look and how to
>>>>>>> troubleshoot?
>>>>>> It's hard to know what you're doing, ssh from where to where, using what?
>>>>>>
>>>>>> rob
>>>>> I made an assumption - which I see now was invalid - that some experts
>>>>> may know mentioned guide by heart and if I quoted something then the
>>>>> rest will be obvious - wrong, sorry.
>>>>>
>>>>> "Using SSH Without Passwords" is a paragraph of "Using SSH from Active
>>>>> Directory Machines for IdM Resources" which is about Kerberos I understand.
>>>>>
>>>>> My hope was to have AD's clients be able to ssh (and maybe get to other
>>>>> things like Samba) without password and with Kerberos.
>>>>>
>>>>> I see IPA's users can do that between IPA's servers
>>>>>
>>>>> ...
>>>>>
>>>>> debug1: PAM: initializing for "tester1"
>>>>> debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
>>>>> debug1: PAM: setting PAM_TTY to "ssh"
>>>>> debug1: userauth-request for user tester1 service ssh-connection method
>>>>> gssapi-with-mic [preauth]
>>>>> debug1: attempt 1 failures 0 [preauth]
>>>>> Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
>>>>> [preauth]
>>>>> debug1: Got no client credentials
>>>>> debug1: ssh_gssapi_k5login_exists: Checking existence of file
>>>>> /home/tester1/.k5login
>>>>> Authorized to tester1, krb5 principal tester1@private
>>>>> (ssh_gssapi_krb5_cmdok)
>>>>> debug1: do_pam_account: called
>>>>> Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
>>>>> ...
>>>>>
>>>>> But a Win10Pro which is AD member which I'm trying, when ssh as AD's
>>>>> user then I do not see above in the logs and such ssh (Win10 own feature)
>>>>> is asked for password.
>>>>>
>>>>> To sum up: AD's users off/from Win AD win-stations to IPA's
>>>>> members/clients with Kerberos if possible. (trust is already established
>>>>> and running)
>>>> Hi,
>>>>
>>>> having a trust is the first requirement. Second is a ssh client on the
>>>> Windows side which can do GSSAPI authentication (recent version of putty
>>>> can) and has GSSAPI authentication enabled (iirc this is not the default
>>>> for putty, so you have to switch it on manually). Next is that you have
>>>> to use the fully-qualified DNS name of the IPA client you want to login
>>>> to. If all this is set and authentication still falls back to ask for a
>>>> password please check with the klist command on the Windows client in
>>>> command.exe or the Powershell if you already got a service ticket for
>>>> the IPA client. If this is missing please check if there is a
>>>> cross-realm ticket, it has a principal starting with 'krbtgt/'

[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-05-31 Thread Alexander Bokovoy via FreeIPA-users

On Fri, 31 May 2019, Sumit Bose via FreeIPA-users wrote:
>On Fri, May 31, 2019 at 11:42:43AM -0300, Juan Pablo via FreeIPA-users wrote:
>> Hi, first of all: GSSAPI is not imported on openssh for windows
>> unfortunately. So you must use putty to have GSSAPI kerberos
>> passwordless from windows to linux domain.
>
>Thanks, good to know. Is there a reference for this or do you know from
>your own experiments?
There is an experimental build with GSSAPI/SSPI support:
https://github.com/NoMoreFood/openssh-portable/releases/tag/v7.9-sspi

>>
>> second, from which system on the windows side are you trying to login? can
>> you see if it works from the Active Directory server itself, please? IIRC,
>> you will have to allow the host/pc to delegate kerberos credentials (on
>> windows side). AD domain servers have kerberos ticket delegation enabled by
>> default, regular pc/hosts don't. maybe this is the case...
>
>You are right that delegation is not enabled by default but for just
>logging in this is not needed. For the login the client requests a
>service ticket and only this service ticket is sent to the server for
>authentication. With delegation the Kerberos TGT (the ticket you get
>with kinit) is forwarded to the server as well so that it can be used on
>the remote host to authenticate against other services as well.
>
>bye,
>Sumit
>
>>
>> regards,
>> JP
>>
>> On Mon., 27 May 2019 at 4:30, Sumit Bose via FreeIPA-users (<
>> freeipa-users@lists.fedorahosted.org>) wrote:
>>
>> > On Sun, May 26, 2019 at 01:42:32PM +0100, lejeczek via FreeIPA-users wrote:
>> > > On 23/05/2019 16:43, Sumit Bose via FreeIPA-users wrote:
>> > > > On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users wrote:
>> > > >> On 23/05/2019 14:56, Rob Crittenden wrote:
>> > > >>> lejeczek via FreeIPA-users wrote:
>> > > >>>> hi guys,
>> > > >>>>
>> > > >>>> reading official guide one may assume - I do - that "Using SSH Without
>> > > >>>> Passwords" should work out-of-box (centos 7.6) - is such assumption
>> > > >>>> valid?
>> > > >>>>
>> > > >>>> For me this does not work - ssh still asks for passwords.
>> > > >>>>
>> > > >>>> If this is due to some failure/problem, then where to look and how to
>> > > >>>> troubleshoot?
>> > > >>> It's hard to know what you're doing, ssh from where to where, using what?
>> > > >>>
>> > > >>> rob
>> > > >> I made an assumption - which I see now was invalid - that some experts
>> > > >> may know mentioned guide by heart and if I quoted something then the
>> > > >> rest will be obvious - wrong, sorry.
>> > > >>
>> > > >> "Using SSH Without Passwords" is a paragraph of "Using SSH from Active
>> > > >> Directory Machines for IdM Resources" which is about Kerberos I understand.
>> > > >>
>> > > >> My hope was to have AD's clients be able to ssh (and maybe get to other
>> > > >> things like Samba) without password and with Kerberos.
>> > > >>
>> > > >> I see IPA's users can do that between IPA's servers
>> > > >>
>> > > >> ...
>> > > >>
>> > > >> debug1: PAM: initializing for "tester1"
>> > > >> debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
>> > > >> debug1: PAM: setting PAM_TTY to "ssh"
>> > > >> debug1: userauth-request for user tester1 service ssh-connection method
>> > > >> gssapi-with-mic [preauth]
>> > > >> debug1: attempt 1 failures 0 [preauth]
>> > > >> Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
>> > > >> [preauth]
>> > > >> debug1: Got no client credentials
>> > > >> debug1: ssh_gssapi_k5login_exists: Checking existence of file
>> > > >> /home/tester1/.k5login
>> > > >> Authorized to tester1, krb5 principal tester1@private
>> > > >> (ssh_gssapi_krb5_cmdok)
>> > > >> debug1: do_pam_account: called
>> > > >> Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
>> > > >> ...
>> > > >>
>> > > >> But a Win10Pro which is AD member which I'm trying, when ssh as AD's
>> > > >> user then I do not see above in the logs and such ssh (Win10 own feature)
>> > > >> is asked for password.
>> > > >>
>> > > >> To sum up: AD's users off/from Win AD win-stations to IPA's
>> > > >> members/clients with Kerberos if possible. (trust is already established
>> > > >> and running)
>> > > > Hi,
>> > > >
>> > > > having a trust is the first requirement. Second is a ssh client on the
>> > > > Windows side which can do GSSAPI authentication (recent version of putty
>> > > > can) and has GSSAPI authentication enabled (iirc this is not the default
>> > > > for putty, so you have to switch it on manually). Next is that you have
>> > > > to use the fully-qualified DNS name of the IPA client you want to login
>> > > > to. If all this is set and authentication still falls back to ask for a
>> > > > password please check with the klist command on the Windows client in
>> > > > command.exe or the Powershell if you already got a service ticket for
>> > > > the IPA client. If this is missing please check if there is a
>> > > > cross-realm ticket, it has a principal starting with 'krbtgt/' followed
>> > > > by the IPA realm, an '@' sign and the AD realm. If this is missing as
>> > > > well the issue is on the AD side and the client either does not try
>> > > > GSSAPI at all or it does not get a cross-realm ticket f

[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-05-31 Thread Sumit Bose via FreeIPA-users
On Fri, May 31, 2019 at 11:42:43AM -0300, Juan Pablo via FreeIPA-users wrote:
> Hi, first of all: GSSAPI is not imported on openssh for windows
> unfortunately. So you must use putty to have GSSAPI kerberos
> passwordless from windows to linux domain.

Thanks, good to know. Is there a reference for this or do you know from
your own experiments?

> 
> second, from which system on the windows side are you trying to login? can
> you see if it works from the Active Directory server itself, please? IIRC,
> you will have to allow the host/pc to delegate kerberos credentials (on
> windows side). AD domain servers have kerberos ticket delegation enabled by
> default, regular pc/hosts don't. maybe this is the case...

You are right that delegation is not enabled by default but for just
logging in this is not needed. For the login the client requests a
service ticket and only this service ticket is sent to the server for
authentication. With delegation the Kerberos TGT (the ticket you get
with kinit) is forwarded to the server as well so that it can be used on
the remote host to authenticate against other services as well.

bye,
Sumit

> 
> regards,
> JP
> 
> On Mon., 27 May 2019 at 4:30, Sumit Bose via FreeIPA-users (<
> freeipa-users@lists.fedorahosted.org>) wrote:
> 
> > On Sun, May 26, 2019 at 01:42:32PM +0100, lejeczek via FreeIPA-users wrote:
> > > On 23/05/2019 16:43, Sumit Bose via FreeIPA-users wrote:
> > > > On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users wrote:
> > > >> On 23/05/2019 14:56, Rob Crittenden wrote:
> > > >>> lejeczek via FreeIPA-users wrote:
> > > >>>> hi guys,
> > > >>>>
> > > >>>> reading official guide one may assume - I do - that "Using SSH Without
> > > >>>> Passwords" should work out-of-box (centos 7.6) - is such assumption
> > > >>>> valid?
> > > >>>>
> > > >>>> For me this does not work - ssh still asks for passwords.
> > > >>>>
> > > >>>> If this is due to some failure/problem, then where to look and how to
> > > >>>> troubleshoot?
> > > >>> It's hard to know what you're doing, ssh from where to where, using what?
> > > >>>
> > > >>> rob
> > > >> I made an assumption - which I see now was invalid - that some experts
> > > >> may know mentioned guide by heart and if I quoted something then the
> > > >> rest will be obvious - wrong, sorry.
> > > >>
> > > >> "Using SSH Without Passwords" is a paragraph of "Using SSH from Active
> > > >> Directory Machines for IdM Resources" which is about Kerberos I understand.
> > > >>
> > > >> My hope was to have AD's clients be able to ssh (and maybe get to other
> > > >> things like Samba) without password and with Kerberos.
> > > >>
> > > >> I see IPA's users can do that between IPA's servers
> > > >>
> > > >> ...
> > > >>
> > > >> debug1: PAM: initializing for "tester1"
> > > >> debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
> > > >> debug1: PAM: setting PAM_TTY to "ssh"
> > > >> debug1: userauth-request for user tester1 service ssh-connection method
> > > >> gssapi-with-mic [preauth]
> > > >> debug1: attempt 1 failures 0 [preauth]
> > > >> Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
> > > >> [preauth]
> > > >> debug1: Got no client credentials
> > > >> debug1: ssh_gssapi_k5login_exists: Checking existence of file
> > > >> /home/tester1/.k5login
> > > >> Authorized to tester1, krb5 principal tester1@private
> > > >> (ssh_gssapi_krb5_cmdok)
> > > >> debug1: do_pam_account: called
> > > >> Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
> > > >> ...
> > > >>
> > > >> But a Win10Pro which is AD member which I'm trying, when ssh as AD's
> > > >> user then I do not see above in the logs and such ssh (Win10 own feature)
> > > >> is asked for password.
> > > >>
> > > >> To sum up: AD's users off/from Win AD win-stations to IPA's
> > > >> members/clients with Kerberos if possible. (trust is already established
> > > >> and running)
> > > > Hi,
> > > >
> > > > having a trust is the first requirement. Second is a ssh client on the
> > > > Windows side which can do GSSAPI authentication (recent version of putty
> > > > can) and has GSSAPI authentication enabled (iirc this is not the default
> > > > for putty, so you have to switch it on manually). Next is that you have
> > > > to use the fully-qualified DNS name of the IPA client you want to login
> > > > to. If all this is set and authentication still falls back to ask for a
> > > > password please check with the klist command on the Windows client in
> > > > command.exe or the Powershell if you already got a service ticket for
> > > > the IPA client. If this is missing please check if there is a
> > > > cross-realm ticket, it has a principal starting with 'krbtgt/' followed
> > > > by the IPA realm, an '@' sign and the AD realm. If this is missing as
> > > > well the issue is on the AD side and the client either does not try
> > > > GSSAPI at all or it does not get a cross-realm ticket

[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-05-31 Thread Juan Pablo via FreeIPA-users
Hi, first of all: GSSAPI is not imported on openssh for windows
unfortunately. So you must use putty to have GSSAPI kerberos
passwordless from windows to linux domain.

second, from which system on the windows side are you trying to login? can
you see if it works from the Active Directory server itself, please? IIRC,
you will have to allow the host/pc to delegate kerberos credentials (on
windows side). AD domain servers have kerberos ticket delegation enabled by
default, regular pc/hosts don't. maybe this is the case...

regards,
JP

On Mon., 27 May 2019 at 4:30, Sumit Bose via FreeIPA-users (<
freeipa-users@lists.fedorahosted.org>) wrote:

> On Sun, May 26, 2019 at 01:42:32PM +0100, lejeczek via FreeIPA-users wrote:
> > On 23/05/2019 16:43, Sumit Bose via FreeIPA-users wrote:
> > > On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users wrote:
> > >> On 23/05/2019 14:56, Rob Crittenden wrote:
> > >>> lejeczek via FreeIPA-users wrote:
> > >>>> hi guys,
> > >>>>
> > >>>> reading official guide one may assume - I do - that "Using SSH Without
> > >>>> Passwords" should work out-of-box (centos 7.6) - is such assumption
> > >>>> valid?
> > >>>>
> > >>>> For me this does not work - ssh still asks for passwords.
> > >>>>
> > >>>> If this is due to some failure/problem, then where to look and how to
> > >>>> troubleshoot?
> > >>> It's hard to know what you're doing, ssh from where to where, using what?
> > >>>
> > >>> rob
> > >> I made an assumption - which I see now was invalid - that some experts
> > >> may know mentioned guide by heart and if I quoted something then the
> > >> rest will be obvious - wrong, sorry.
> > >>
> > >> "Using SSH Without Passwords" is a paragraph of "Using SSH from Active
> > >> Directory Machines for IdM Resources" which is about Kerberos I understand.
> > >>
> > >> My hope was to have AD's clients be able to ssh (and maybe get to other
> > >> things like Samba) without password and with Kerberos.
> > >>
> > >> I see IPA's users can do that between IPA's servers
> > >>
> > >> ...
> > >>
> > >> debug1: PAM: initializing for "tester1"
> > >> debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
> > >> debug1: PAM: setting PAM_TTY to "ssh"
> > >> debug1: userauth-request for user tester1 service ssh-connection method
> > >> gssapi-with-mic [preauth]
> > >> debug1: attempt 1 failures 0 [preauth]
> > >> Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
> > >> [preauth]
> > >> debug1: Got no client credentials
> > >> debug1: ssh_gssapi_k5login_exists: Checking existence of file
> > >> /home/tester1/.k5login
> > >> Authorized to tester1, krb5 principal tester1@private
> > >> (ssh_gssapi_krb5_cmdok)
> > >> debug1: do_pam_account: called
> > >> Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
> > >> ...
> > >>
> > >> But a Win10Pro which is AD member which I'm trying, when ssh as AD's
> > >> user then I do not see above in the logs and such ssh (Win10 own feature)
> > >> is asked for password.
> > >>
> > >> To sum up: AD's users off/from Win AD win-stations to IPA's
> > >> members/clients with Kerberos if possible. (trust is already established
> > >> and running)
> > > Hi,
> > >
> > > having a trust is the first requirement. Second is a ssh client on the
> > > Windows side which can do GSSAPI authentication (recent version of putty
> > > can) and has GSSAPI authentication enabled (iirc this is not the default
> > > for putty, so you have to switch it on manually). Next is that you have
> > > to use the fully-qualified DNS name of the IPA client you want to login
> > > to. If all this is set and authentication still falls back to ask for a
> > > password please check with the klist command on the Windows client in
> > > command.exe or the Powershell if you already got a service ticket for
> > > the IPA client. If this is missing please check if there is a
> > > cross-realm ticket, it has a principal starting with 'krbtgt/' followed
> > > by the IPA realm, an '@' sign and the AD realm. If this is missing as
> > > well the issue is on the AD side and the client either does not try
> > > GSSAPI at all or it does not get a cross-realm ticket from the local DC.
> > >
> > > HTH
> > >
> > > bye,
> > > Sumit
> >
> > I do not see tickets to IPA's domain - when I'm logged into a Win10Pro
> > (a member of win2016 AD domain).
> >
> > >klist only shows two tickets krbtgt & LDAP @AD domain, and nowhere
> > there I see a mention of IPA domain.
> >
> > That is after a one-way trust was established from IPA's side,
> > successfully. DNS seems to work, users seem to work.
> >
> > My setup IPA is subdomain of AD.
> >
> > Win10Pro is 1903 with openssh-client installed as/from optional feature.
> > I think it does support gssapi.
>
> I haven't tried this ssh client so far. But typically
> GSSAPIAuthentication is not enabled by default for openssh clients. Have
> you tried to add '-o GSSAPIAuthentication=yes' or similar? Do you see
> s

[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-05-27 Thread Sumit Bose via FreeIPA-users
On Sun, May 26, 2019 at 01:42:32PM +0100, lejeczek via FreeIPA-users wrote:
> On 23/05/2019 16:43, Sumit Bose via FreeIPA-users wrote:
> > On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users wrote:
> >> On 23/05/2019 14:56, Rob Crittenden wrote:
> >>> lejeczek via FreeIPA-users wrote:
> >>>> hi guys,
> >>>>
> >>>> reading official guide one may assume - I do - that "Using SSH Without
> >>>> Passwords" should work out-of-box (centos 7.6) - is such assumption
> >>>> valid?
> >>>>
> >>>> For me this does not work - ssh still asks for passwords.
> >>>>
> >>>> If this is due to some failure/problem, then where to look and how to
> >>>> troubleshoot?
> >>> It's hard to know what you're doing, ssh from where to where, using what?
> >>>
> >>> rob
> >> I made an assumption - which I see now was invalid - that some experts
> >> may know mentioned guide by heart and if I quoted something then the
> >> rest will be obvious - wrong, sorry.
> >>
> >> "Using SSH Without Passwords" is a paragraph of "Using SSH from Active
> >> Directory Machines for IdM Resources" which is about Kerberos I understand.
> >>
> >> My hope was to have AD's clients be able to ssh(and maybe get to other
> >> things like Samba) without password and with Kerberos.
> >>
> >> I see IPA's users can do that between IPA's servers
> >>
> >> ...
> >>
> >> debug1: PAM: initializing for "tester1"
> >> debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
> >> debug1: PAM: setting PAM_TTY to "ssh"
> >> debug1: userauth-request for user tester1 service ssh-connection method
> >> gssapi-with-mic [preauth]
> >> debug1: attempt 1 failures 0 [preauth]
> >> Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
> >> [preauth]
> >> debug1: Got no client credentials
> >> debug1: ssh_gssapi_k5login_exists: Checking existence of file
> >> /home/tester1/.k5login
> >> Authorized to tester1, krb5 principal tester1@private
> >> (ssh_gssapi_krb5_cmdok)
> >> debug1: do_pam_account: called
> >> Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
> >> ...
> >>
> >> But a Win10Pro which is AD member which I'm trying, when ssh as AD's
> >> user then I do not see above in the logs and such ssh(Win10 own feature)
> >> is asked for password.
> >>
> >> To sum up: AD's users off/from Win AD win-stations to IPA's
> >> members/clients with Kerberos if possible. (trust is already established
> >> and running)
> > Hi,
> >
> > having a trust is the first requirement. Second is a ssh client on the
> > Windows side which can do GSSAPI authentication (recent version of putty
> > can) and has GSSAPI authentication enabled (iirc this is not the default
> > for putty, so you have to switch it on manually). Next is that you have
> > to use the fully-qualified DNS name of the IPA client you want to login
> > to. If all this is set and authentication still falls back to ask for a
> > password please check with the klist command on the Windows client in
> > command.exe or the Powershell if you already got a service ticket for
> > the IPA client. If this is missing please check if there is a
> > cross-realm ticket, it has a principal starting with 'krbtgt/' followed
> > by the IPA realm, an '@' sign and the AD realm. If this is missing as
> > well the issue is on the AD side and the client either does not try
> > GSSAPI at all or it does not get a cross-realm ticket from the local DC.
> >
> > HTH
> >
> > bye,
> > Sumit
> 
> I do not see tickets to IPA's domain - when I'm logged into a Win10Pro
> (a member of win2016 AD domain).
> 
> >klist only shows two tickets krbtgt & LDAP @AD domain, and nowhere
> there I see a mention of IPA domain.
> 
> That is after a one-way trust was established from IPA's side,
> successfully. DNS seems to work, users seem to work.
> 
> My setup IPA is subdomain of AD.
> 
> Win10Pro is 1903 with openssh-client installed as/from optional feature.
> I think it does support gssapi.

I haven't tried this ssh client so far. But typically
GSSAPIAuthentication is not enabled by default for openssh clients. Have
you tried to add '-o GSSAPIAuthentication=yes' or similar? Do you see
something GSSAPI related in the debug output?

> 
> After a trust is established - do we need to create groups & mappings
> for AD users for ssh/samba to work? Guide docs I saw I understand then
> these are only required when one needs HBAC, correct?

Yes.

> 
> How to start troubleshooting?
> 
> many thanks, L.
> 
> >> many thanks, L.
> >>
> >>
> >>
> >> pub   rsa2048 2019-01-17 [SC] [verfällt: 2020-01-17]
> >>   93059F2411D0769A85F455918ABF21224EBA
> >> uid   lejeczek 
> >> sub   rsa2048 2019-01-17 [E] [verfällt: 2020-01-17]
> >> ___
> >> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> >> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> >> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> >> List Guidelines: https://fedoraproje

[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-05-26 Thread John Keates via FreeIPA-users
For this to work, yes you need to set up AD Trust, and for HBAC to access the 
Linux systems, you need ID View user overrides.
Once you have verified basic password or ssh key login (set key in user 
override!) works, GSSAPI should be an easy next step.
Keep in mind that if you were to kinit on a linux node to an AD domain, you 
need to be able to talk kerberos to the AD systems; if they are firewalled off, 
it doesn't work.

John

> On 26 May 2019, at 14:42, lejeczek via FreeIPA-users 
>  wrote:
> 
> On 23/05/2019 16:43, Sumit Bose via FreeIPA-users wrote:
>> On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users wrote:
>>> On 23/05/2019 14:56, Rob Crittenden wrote:
>>>> lejeczek via FreeIPA-users wrote:
>>>>> hi guys,
>>>>> 
>>>>> reading official guide one may assume - I do - that "Using SSH Without
>>>>> Passwords" should work out-of-box (centos 7.6) - is such assumption valid?
>>>>> 
>>>>> For me this does not work - ssh still asks for passwords.
>>>>> 
>>>>> If this is due to some failure/problem, then where to look and how to
>>>>> troubleshoot?
>>>> It's hard to know what you're doing, ssh from where to where, using what?
>>>> 
>>>> rob
>>> I made an assumption - which I see now was invalid - that some experts
>>> may know mentioned guide by heart and if I quoted something then the
>>> rest will be obvious - wrong, sorry.
>>> 
>>> "Using SSH Without Passwords" is a paragraph of "Using SSH from Active
>>> Directory Machines for IdM Resources" which is about Kerberos I understand.
>>> 
>>> My hope was to have AD's clients be able to ssh(and maybe get to other
>>> things like Samba) without password and with Kerberos.
>>> 
>>> I see IPA's users can do that between IPA's servers
>>> 
>>> ...
>>> 
>>> debug1: PAM: initializing for "tester1"
>>> debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
>>> debug1: PAM: setting PAM_TTY to "ssh"
>>> debug1: userauth-request for user tester1 service ssh-connection method
>>> gssapi-with-mic [preauth]
>>> debug1: attempt 1 failures 0 [preauth]
>>> Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
>>> [preauth]
>>> debug1: Got no client credentials
>>> debug1: ssh_gssapi_k5login_exists: Checking existence of file
>>> /home/tester1/.k5login
>>> Authorized to tester1, krb5 principal tester1@private
>>> (ssh_gssapi_krb5_cmdok)
>>> debug1: do_pam_account: called
>>> Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
>>> ...
>>> 
>>> But a Win10Pro which is AD member which I'm trying, when ssh as AD's
>>> user then I do not see above in the logs and such ssh(Win10 own feature)
>>> is asked for password.
>>> 
>>> To sum up: AD's users off/from Win AD win-stations to IPA's
>>> members/clients with Kerberos if possible. (trust is already established
>>> and running)
>> Hi,
>> 
>> having a trust is the first requirement. Second is a ssh client on the
>> Windows side which can do GSSAPI authentication (recent version of putty
>> can) and has GSSAPI authentication enabled (iirc this is not the default
>> for putty, so you have to switch it on manually). Next is that you have
>> to use the fully-qualified DNS name of the IPA client you want to login
>> to. If all this is set and authentication still falls back to ask for a
>> password please check with the klist command on the Windows client in
>> command.exe or the Powershell if you already got a service ticket for
>> the IPA client. If this is missing please check if there is a
>> cross-realm ticket, it has a principal starting with 'krbtgt/' followed
>> by the IPA realm, an '@' sign and the AD realm. If this is missing as
>> well the issue is on the AD side and the client either does not try
>> GSSAPI at all or it does not get a cross-realm ticket from the local DC.
>> 
>> HTH
>> 
>> bye,
>> Sumit
> 
> I do not see tickets to IPA's domain - when I'm logged into a Win10Pro
> (a member of win2016 AD domain).
> 
> >klist only shows two tickets krbtgt & LDAP @AD domain, and nowhere
> there I see a mention of IPA domain.
> 
> That is after a one-way trust was established from IPA's side,
> successfully. DNS seems to work, users seem to work.
> 
> My setup IPA is subdomain of AD.
> 
> Win10Pro is 1903 with openssh-client installed as/from optional feature.
> I think it does support gssapi.
> 
> After a trust is established - do we need to create groups & mappings
> for AD users for ssh/samba to work? Guide docs I saw I understand then
> these are only required when one needs HBAC, correct?
> 
> How to start troubleshooting?
> 
> many thanks, L.
> 
>>> many thanks, L.
>>> 
>>> 
>>> 

[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-05-26 Thread lejeczek via FreeIPA-users
On 23/05/2019 16:43, Sumit Bose via FreeIPA-users wrote:
> On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users wrote:
>> On 23/05/2019 14:56, Rob Crittenden wrote:
>>> lejeczek via FreeIPA-users wrote:
>>>> hi guys,
>>>>
>>>> reading official guide one may assume - I do - that "Using SSH Without
>>>> Passwords" should work out-of-box (centos 7.6) - is such assumption valid?
>>>>
>>>> For me this does not work - ssh still asks for passwords.
>>>>
>>>> If this is due to some failure/problem, then where to look and how to
>>>> troubleshoot?
>>> It's hard to know what you're doing, ssh from where to where, using what?
>>>
>>> rob
>> I made an assumption - which I see now was invalid - that some experts
>> may know mentioned guide by heart and if I quoted something then the
>> rest will be obvious - wrong, sorry.
>>
>> "Using SSH Without Passwords" is a paragraph of "Using SSH from Active
>> Directory Machines for IdM Resources" which is about Kerberos I understand.
>>
>> My hope was to have AD's clients be able to ssh(and maybe get to other
>> things like Samba) without password and with Kerberos.
>>
>> I see IPA's users can do that between IPA's servers
>>
>> ...
>>
>> debug1: PAM: initializing for "tester1"
>> debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
>> debug1: PAM: setting PAM_TTY to "ssh"
>> debug1: userauth-request for user tester1 service ssh-connection method
>> gssapi-with-mic [preauth]
>> debug1: attempt 1 failures 0 [preauth]
>> Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
>> [preauth]
>> debug1: Got no client credentials
>> debug1: ssh_gssapi_k5login_exists: Checking existence of file
>> /home/tester1/.k5login
>> Authorized to tester1, krb5 principal tester1@private
>> (ssh_gssapi_krb5_cmdok)
>> debug1: do_pam_account: called
>> Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
>> ...
>>
>> But a Win10Pro which is AD member which I'm trying, when ssh as AD's
>> user then I do not see above in the logs and such ssh(Win10 own feature)
>> is asked for password.
>>
>> To sum up: AD's users off/from Win AD win-stations to IPA's
>> members/clients with Kerberos if possible. (trust is already established
>> and running)
> Hi,
>
> having a trust is the first requirement. Second is a ssh client on the
> Windows side which can do GSSAPI authentication (recent version of putty
> can) and has GSSAPI authentication enabled (iirc this is not the default
> for putty, so you have to switch it on manually). Next is that you have
> to use the fully-qualified DNS name of the IPA client you want to login
> to. If all this is set and authentication still falls back to ask for a
> password please check with the klist command on the Windows client in
> command.exe or the Powershell if you already got a service ticket for
> the IPA client. If this is missing please check if there is a
> cross-realm ticket, it has a principal starting with 'krbtgt/' followed
> by the IPA realm, an '@' sign and the AD realm. If this is missing as
> well the issue is on the AD side and the client either does not try
> GSSAPI at all or it does not get a cross-realm ticket from the local DC.
>
> HTH
>
> bye,
> Sumit

I do not see tickets to IPA's domain - when I'm logged into a Win10Pro
(a member of win2016 AD domain).

>klist only shows two tickets krbtgt & LDAP @AD domain, and nowhere
there I see a mention of IPA domain.

That is after a one-way trust was established from IPA's side,
successfully. DNS seems to work, users seem to work.

My setup IPA is subdomain of AD.

Win10Pro is 1903 with openssh-client installed as/from optional feature.
I think it does support gssapi.

After a trust is established - do we need to create groups & mappings
for AD users for ssh/samba to work? Guide docs I saw I understand then
these are only required when one needs HBAC, correct?

How to start troubleshooting?

many thanks, L.

>> many thanks, L.
>>
>>
>>

[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-05-23 Thread Sumit Bose via FreeIPA-users
On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users wrote:
> On 23/05/2019 14:56, Rob Crittenden wrote:
> > lejeczek via FreeIPA-users wrote:
> >> hi guys,
> >>
> >> reading official guide one may assume - I do - that "Using SSH Without
> >> Passwords" should work out-of-box (centos 7.6) - is such assumption valid?
> >>
> >> For me this does not work - ssh still asks for passwords.
> >>
> >> If this is due to some failure/problem, then where to look and how to
> >> troubleshoot?
> > It's hard to know what you're doing, ssh from where to where, using what?
> >
> > rob
> 
> I made an assumption - which I see now was invalid - that some experts
> may know mentioned guide by heart and if I quoted something then the
> rest will be obvious - wrong, sorry.
> 
> "Using SSH Without Passwords" is a paragraph of "Using SSH from Active
> Directory Machines for IdM Resources" which is about Kerberos I understand.
> 
> My hope was to have AD's clients be able to ssh(and maybe get to other
> things like Samba) without password and with Kerberos.
> 
> I see IPA's users can do that between IPA's servers
> 
> ...
> 
> debug1: PAM: initializing for "tester1"
> debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
> debug1: PAM: setting PAM_TTY to "ssh"
> debug1: userauth-request for user tester1 service ssh-connection method
> gssapi-with-mic [preauth]
> debug1: attempt 1 failures 0 [preauth]
> Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
> [preauth]
> debug1: Got no client credentials
> debug1: ssh_gssapi_k5login_exists: Checking existence of file
> /home/tester1/.k5login
> Authorized to tester1, krb5 principal tester1@private
> (ssh_gssapi_krb5_cmdok)
> debug1: do_pam_account: called
> Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
> ...
> 
> But a Win10Pro which is AD member which I'm trying, when ssh as AD's
> user then I do not see above in the logs and such ssh(Win10 own feature)
> is asked for password.
> 
> To sum up: AD's users off/from Win AD win-stations to IPA's
> members/clients with Kerberos if possible. (trust is already established
> and running)

Hi,

having a trust is the first requirement. Second is a ssh client on the
Windows side which can do GSSAPI authentication (recent version of putty
can) and has GSSAPI authentication enabled (iirc this is not the default
for putty, so you have to switch it on manually). Next is that you have
to use the fully-qualified DNS name of the IPA client you want to login
to. If all this is set and authentication still falls back to ask for a
password please check with the klist command on the Windows client in
command.exe or the Powershell if you already got a service ticket for
the IPA client. If this is missing please check if there is a
cross-realm ticket, it has a principal starting with 'krbtgt/' followed
by the IPA realm, an '@' sign and the AD realm. If this is missing as
well the issue is on the AD side and the client either does not try
GSSAPI at all or it does not get a cross-realm ticket from the local DC.

HTH

bye,
Sumit

> 
> many thanks, L.
> 
> 
> 
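Sumit's checklist above (is there a service ticket for the IPA client; if not, is there a cross-realm krbtgt ticket for the IPA realm issued by the AD realm; if not, the problem is on the AD side) and the '-o GSSAPIAuthentication=yes' suggestion in his later reply further up the page can be turned into a small diagnostic. The Python below is an added example written for this archive, not code from the thread or from FreeIPA; the klist.exe output, the host name client1.ipa.example.test and the realms IPA.EXAMPLE.TEST / AD.EXAMPLE.TEST are constructed placeholders. It parses the "Server:" lines of Windows klist output and reports which step of the checklist fails for the IPA client you name.

```python
"""Diagnose why a Windows ssh client is not using Kerberos against an IPA
client, from the cached tickets klist.exe shows.  Added example for this
thread; host names, realms and the klist output below are constructed."""
import re
from typing import List, Tuple

# Constructed Windows klist.exe output: only the AD TGT and an LDAP ticket,
# nothing for the IPA realm (the situation lejeczek describes).
KLIST_AD_ONLY = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: tester1 @ AD.EXAMPLE.TEST
        Server: krbtgt/AD.EXAMPLE.TEST @ AD.EXAMPLE.TEST
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: tester1 @ AD.EXAMPLE.TEST
        Server: ldap/dc1.ad.example.test @ AD.EXAMPLE.TEST
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
"""

# Same, plus the cross-realm ticket krbtgt/<IPA realm>@<AD realm>.
KLIST_CROSS_REALM = KLIST_AD_ONLY + """
#2>     Client: tester1 @ AD.EXAMPLE.TEST
        Server: krbtgt/IPA.EXAMPLE.TEST @ AD.EXAMPLE.TEST
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
"""

# Same, plus the host/ service ticket for the IPA client itself.
KLIST_SERVICE_TICKET = KLIST_CROSS_REALM + """
#3>     Client: tester1 @ AD.EXAMPLE.TEST
        Server: host/client1.ipa.example.test @ IPA.EXAMPLE.TEST
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
"""

_SERVER_RE = re.compile(r"Server:\s*([^\s@]+)\s*@\s*(\S+)")


def cached_services(klist_text: str) -> List[Tuple[str, str]]:
    """(service principal, realm) for every 'Server:' line of klist.exe output.
    Principals are lower-cased and realms upper-cased so comparisons do not
    depend on how the host name was typed."""
    return [(m.group(1).lower(), m.group(2).upper())
            for m in _SERVER_RE.finditer(klist_text)]


def ssh_command(user: str, ipa_client: str) -> List[str]:
    """Client invocation with GSSAPI explicitly enabled and verbose output;
    OpenSSH clients do not enable GSSAPIAuthentication by default."""
    return ["ssh", "-v", "-o", "GSSAPIAuthentication=yes",
            f"{user}@{ipa_client}"]


def diagnose(klist_text: str, ipa_client: str,
             ipa_realm: str, ad_realm: str) -> Tuple[str, str]:
    """Walk the checklist and return (status, explanation)."""
    if "." not in ipa_client:
        return ("short-name",
                "use the fully-qualified DNS name of the IPA client; the "
                "service principal requested is host/<fqdn>@<IPA realm>")
    services = set(cached_services(klist_text))
    ipa_realm, ad_realm = ipa_realm.upper(), ad_realm.upper()
    if ("host/" + ipa_client.lower(), ipa_realm) in services:
        return ("service-ticket",
                "service ticket for the IPA client is cached; check that the "
                "ssh client has GSSAPI enabled (see ssh_command) and check "
                "GSSAPIAuthentication on the sshd side")
    if ("krbtgt/" + ipa_realm.lower(), ad_realm) in services:
        return ("cross-realm-only",
                "the AD DC issued a cross-realm ticket but no service ticket "
                "was obtained from the IPA KDC; check DNS for the IPA realm "
                "and reachability of its KDCs from the Windows client")
    return ("ad-only",
            "no cross-realm ticket: the issue is on the AD side; the client "
            "either does not try GSSAPI at all or does not get a cross-realm "
            "ticket from the local DC")


if __name__ == "__main__":
    for name, text in [("AD only", KLIST_AD_ONLY),
                       ("cross-realm", KLIST_CROSS_REALM),
                       ("service ticket", KLIST_SERVICE_TICKET)]:
        status, why = diagnose(text, "client1.ipa.example.test",
                               "IPA.EXAMPLE.TEST", "AD.EXAMPLE.TEST")
        print(f"{name:15s} -> {status}: {why}")
    print(" ".join(ssh_command("tester1", "client1.ipa.example.test")))
```

On a real Windows client you would paste the output of klist.exe into diagnose() in place of the constructed samples; the three sample texts correspond to the three outcomes of the checklist, and the short-name case covers Sumit's point that the fully-qualified name of the IPA client must be used.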


[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-05-23 Thread lejeczek via FreeIPA-users
On 23/05/2019 14:56, Rob Crittenden wrote:
> lejeczek via FreeIPA-users wrote:
>> hi guys,
>>
>> reading official guide one may assume - I do - that "Using SSH Without
>> Passwords" should work out-of-box (centos 7.6) - is such assumption valid?
>>
>> For me this does not work - ssh still asks for passwords.
>>
>> If this is due to some failure/problem, then where to look and how to
>> troubleshoot?
> It's hard to know what you're doing, ssh from where to where, using what?
>
> rob

I made an assumption - which I see now was invalid - that some experts
may know mentioned guide by heart and if I quoted something then the
rest will be obvious - wrong, sorry.

"Using SSH Without Passwords" is a paragraph of "Using SSH from Active
Directory Machines for IdM Resources" which is about Kerberos I understand.

My hope was to have AD's clients be able to ssh(and maybe get to other
things like Samba) without password and with Kerberos.

I see IPA's users can do that between IPA's servers

...

debug1: PAM: initializing for "tester1"
debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user tester1 service ssh-connection method
gssapi-with-mic [preauth]
debug1: attempt 1 failures 0 [preauth]
Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
[preauth]
debug1: Got no client credentials
debug1: ssh_gssapi_k5login_exists: Checking existence of file
/home/tester1/.k5login
Authorized to tester1, krb5 principal tester1@private
(ssh_gssapi_krb5_cmdok)
debug1: do_pam_account: called
Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
...

But a Win10Pro which is AD member which I'm trying, when ssh as AD's
user then I do not see above in the logs and such ssh(Win10 own feature)
is asked for password.

To sum up: AD's users off/from Win AD win-stations to IPA's
members/clients with Kerberos if possible. (trust is already established
and running)

many thanks, L.




[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-05-23 Thread Angus Clarke via FreeIPA-users
I suspect OP is enquiring about ssh keys.

You need to tell your SSH client about your SSH private key (keep it safe) and 
paste the public component of your key pair into the SSH key field in the 
FreeIPA web admin screen for the user (the field is about a third of the way 
down the screen on the right.)

Each user needs their own SSH key pairs, they can be generated by running:

ssh-keygen

use -t to specify the type of key to create (ed25519 is the latest and greatest 
but not supported on systems prior to Centos 7.3 or thereabouts, if in doubt 
specify "dsa")

Regards
Angus

> On 23 May 2019 at 15:56 Rob Crittenden via FreeIPA-users 
>  wrote:
> 
> 
> lejeczek via FreeIPA-users wrote:
> > hi guys,
> > 
> > reading official guide one may assume - I do - that "Using SSH Without
> > Passwords" should work out-of-box (centos 7.6) - is such assumption valid?
> > 
> > For me this does not work - ssh still asks for passwords.
> > 
> > If this is due to some failure/problem, then where to look and how to
> > troubleshoot?
> It's hard to know what you're doing, ssh from where to where, using what?
> 
> rob


[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-05-23 Thread Rob Crittenden via FreeIPA-users
lejeczek via FreeIPA-users wrote:
> hi guys,
> 
> reading official guide one may assume - I do - that "Using SSH Without
> Passwords" should work out-of-box (centos 7.6) - is such assumption valid?
> 
> For me this does not work - ssh still asks for passwords.
> 
> If this is due to some failure/problem, then where to look and how to
> troubleshoot?
It's hard to know what you're doing, ssh from where to where, using what?

rob