Re: [Freeipa-users] authentication with latest putty fails

2013-01-07 Thread Sumit Bose
On Mon, Jan 07, 2013 at 05:00:09PM +0100, Han Boetes wrote:
> I just had a long and fruitful debugging session with Sumit and this is
> what we discovered.

Thank you for your patience and help to debug this issue.

> 
> The default settings do run fine for Linux machines but for Windows hosts
> they do not suffice. Sumit is submitting bug reports and hopefully they
> will be applied to the next 2.2.x release. This problem does not exist with
> version 3.x.
> 
> The workaround for 2.2.x releases is:
> 
> For any target machine for which you want to enable ticket forwarding and
> which has to be accessible with PuTTY, you will have to add the
> ok_as_delegate flag. To do that, run the following commands on the
> ipa-server:
> 
> # ipa host-mod --addattr='objectclass=krbTicketPolicyAux' destinationhost.domain

Ticket https://fedorahosted.org/freeipa/ticket/3328 covers the missing
objectclass.

> # kadmin.local -q 'modprinc +ok_as_delegate host/destinationhost.domain@REALM'

https://fedorahosted.org/freeipa/ticket/3329 is an RFE to think about
how we want to handle this flag (and maybe Kerberos flags in general).

bye,
Sumit

> 
> So far I have working tickets on the destination machine if I use Centrify
> PuTTY to log in. This didn't work with the stock version of PuTTY, alas.
> 
> 
> 
> # Han

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
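The workaround in the message above touches two flag words that are easy to confuse: the ok-as-delegate bit in the issued service ticket (RFC 4120 ticket flag 13), which is what Windows checks before it forwards credentials, and the KDB principal attribute KRB5_KDB_OK_AS_DELEGATE that `modprinc +ok_as_delegate` stores in the host entry's krbTicketFlags attribute, an attribute of the krbTicketPolicyAux objectclass (hence the `ipa host-mod --addattr` command first). The Python script below is an added example, not code from FreeIPA or from the thread participants. It decodes both words and checks a host entry for the workaround's preconditions. Its assumptions: the bit numbers follow RFC 4120 section 5.3 and the KRB5_KDB_* values MIT krb5's kdb.h; the full 32-bit value 0x40e10000 for the Windows klist line (shown as 0x40e1 in the thread) is inferred from the flag names it lists; the LDIF entries, DN layout, `destinationhost.domain` and `REALM` are constructed placeholders.

```python
"""Decode the two flag words behind the ok_as_delegate workaround.

Added example, not code from FreeIPA or the thread participants.  Assumed
values: RFC 4120 section 5.3 ticket flag bit numbers (bit 0 is the most
significant bit of a 32-bit word) and KRB5_KDB_* bits from MIT krb5's
kdb.h.  The LDIF entries below are constructed samples.
"""
from typing import Dict, List, Optional

# RFC 4120 ticket flag bit numbers.  Bit 15 is not defined in RFC 4120;
# Windows klist reports it as name_canonicalize.
TICKET_FLAG_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may-postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre-authent", 11: "hw-authent",
    12: "transited-policy-checked", 13: "ok-as-delegate",
    15: "name_canonicalize",
}

# MIT krb5 kdb.h principal attribute bits (assumed from kdb.h).
KRB5_KDB_REQUIRES_PRE_AUTH = 0x00000080
KRB5_KDB_OK_AS_DELEGATE = 0x00100000

def decode_ticket_flags(flags: int) -> List[str]:
    """Names of the flags set in a 32-bit RFC 4120 TicketFlags word."""
    return [name for bit, name in sorted(TICKET_FLAG_BITS.items())
            if flags & (1 << (31 - bit))]

def ticket_allows_delegation(flags: int) -> bool:
    """True if a service ticket carries ok-as-delegate (RFC 4120 bit 13),
    the bit Windows checks before forwarding credentials to the service."""
    return "ok-as-delegate" in decode_ticket_flags(flags)

def has_ok_as_delegate(krb_ticket_flags: int) -> bool:
    """True if the stored principal attribute word has KRB5_KDB_OK_AS_DELEGATE;
    the KDC then sets ok-as-delegate in tickets issued for that principal."""
    return bool(krb_ticket_flags & KRB5_KDB_OK_AS_DELEGATE)

def set_ok_as_delegate(krb_ticket_flags: int) -> int:
    """The value 'modprinc +ok_as_delegate' stores in krbTicketFlags."""
    return krb_ticket_flags | KRB5_KDB_OK_AS_DELEGATE

def parse_ldif_entry(ldif: str) -> Dict[str, List[str]]:
    """Minimal parser for one LDIF entry (no base64 values, no line folding).
    LDAP attribute names are case-insensitive, so they are lower-cased."""
    attrs: Dict[str, List[str]] = {}
    for raw in ldif.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def plan_ok_as_delegate(ldif: str) -> Dict[str, object]:
    """Report what the workaround still has to change for a host entry.

    krbTicketFlags belongs to the krbTicketPolicyAux objectclass, so that
    objectclass (first command of the workaround) has to be present before
    kadmin.local can store the flag in the entry.
    """
    attrs = parse_ldif_entry(ldif)
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    values = attrs.get("krbticketflags", [])
    old: Optional[int] = int(values[0]) if values else None
    return {
        "principal": attrs.get("krbprincipalname", [None])[0],
        "needs_objectclass": "krbticketpolicyaux" not in classes,
        "old_flags": old,
        "already_set": old is not None and has_ok_as_delegate(old),
        "new_flags": set_ok_as_delegate(old or 0),
    }

# Constructed sample entries (not real directory data); the DN follows
# FreeIPA's cn=computers container and domain/REALM are placeholders.
HOST_ENTRY_BEFORE = """\
dn: fqdn=destinationhost.domain,cn=computers,cn=accounts,dc=domain
objectClass: ipahost
objectClass: krbprincipalaux
objectClass: krbprincipal
krbPrincipalName: host/destinationhost.domain@REALM
"""

HOST_ENTRY_AFTER = """\
dn: fqdn=destinationhost.domain,cn=computers,cn=accounts,dc=domain
objectClass: ipahost
objectClass: krbprincipalaux
objectClass: krbprincipal
objectClass: krbTicketPolicyAux
krbPrincipalName: host/destinationhost.domain@REALM
krbTicketFlags: 1048704
"""

if __name__ == "__main__":
    # The TGT from the Windows klist output in the thread shows 0x40e1; the
    # full 32-bit word 0x40e10000 is assumed from the flag names it lists.
    print(decode_ticket_flags(0x40E10000))
    # A service ticket as the KDC issues it once the host principal carries
    # KRB5_KDB_OK_AS_DELEGATE: the ok-as-delegate bit is now present.
    print(decode_ticket_flags(0x40A40000), ticket_allows_delegation(0x40A40000))
    print(plan_ok_as_delegate(HOST_ENTRY_BEFORE))
    print(plan_ok_as_delegate(HOST_ENTRY_AFTER))
```

On a real server the entry to feed `plan_ok_as_delegate` comes from an `ldapsearch` against the host's DN, and the stored flag can be confirmed afterwards with `kadmin.local -q 'getprinc host/destinationhost.domain@REALM'`, whose Attributes line lists OK_AS_DELEGATE once it is set. The Linux OpenSSH client does not look at the ticket bit at all, which is why the same setup forwards credentials from Linux but not from PuTTY on Windows.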


Re: [Freeipa-users] authentication with latest putty fails

2013-01-07 Thread Han Boetes
I just had a long and fruitful debugging session with Sumit and this is
what we discovered.

The default settings do run fine for Linux machines but for Windows hosts
they do not suffice. Sumit is submitting bug reports and hopefully they
will be applied to the next 2.2.x release. This problem does not exist with
version 3.x.

The workaround for 2.2.x releases is:

For any target machine for which you want to enable ticket forwarding and
which has to be accessible with PuTTY, you will have to add the
ok_as_delegate flag. To do that, run the following commands on the
ipa-server:

# ipa host-mod --addattr='objectclass=krbTicketPolicyAux' destinationhost.domain
# kadmin.local -q 'modprinc +ok_as_delegate host/destinationhost.domain@REALM'

So far I have working tickets on the destination machine if I use Centrify
PuTTY to log in. This didn't work with the stock version of PuTTY, alas.



# Han
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] authentication with latest putty fails

2013-01-07 Thread Sumit Bose
On Mon, Jan 07, 2013 at 09:56:42AM +0100, Han Boetes wrote:
> There was something going on with a firewall blocking something and that
> windows host didn't have a cert yet. But still:
> 
> Using Kerberos authentication
> Using principal fh@REALM
> Got host ticket host/test-server-ipa.domain@REALM
> Using username "fh".
> Successful Kerberos connection
> Last login: Mon Jan  7 07:38:19 2013 from ipa-w7.domain
> [fh@test-server-ipa ~]$ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1554800011)
> 
> klist on the host shows all tickets are forwardable and the forwarding
> option in both putty versions is on.

yes, but the other flag is used by Windows to check if the target
service can be trusted, see e.g. the 'How do I use delegation?' section
on http://support.microsoft.com/kb/266080 .

> 
> > Which version of FreeIPA are you using? There are issues in older
> > versions which prevent kadmin.local from working.
> >
> 
> The default stable:
> 
> [root@auth-ipa ssl_for_ipa-w7]# rpm -qa |grep ipa-
> ipa-client-2.2.0-16.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-admintools-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
> ipa-server-2.2.0-16.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-python-2.2.0-16.el6.x86_64
> 

I'll set up a server and check why kadmin.local is not working.

bye,
Sumit

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] authentication with latest putty fails

2013-01-07 Thread Han Boetes
There was something going on with a firewall blocking something and that
windows host didn't have a cert yet. But still:

Using Kerberos authentication
Using principal fh@REALM
Got host ticket host/test-server-ipa.domain@REALM
Using username "fh".
Successful Kerberos connection
Last login: Mon Jan  7 07:38:19 2013 from ipa-w7.domain
[fh@test-server-ipa ~]$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1554800011)

klist on the host shows all tickets are forwardable and the forwarding
option in both putty versions is on.

> Which version of FreeIPA are you using? There are issues in older
> versions which prevent kadmin.local from working.
>

The default stable:

[root@auth-ipa ssl_for_ipa-w7]# rpm -qa |grep ipa-
ipa-client-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64




-- 



# Han
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] authentication with latest putty fails

2013-01-07 Thread Sumit Bose
On Mon, Jan 07, 2013 at 09:15:41AM +0100, Han Boetes wrote:
> On Fri, Jan 4, 2013 at 6:52 PM, Sumit Bose  wrote:
> 
> > About delegating credentials, you might need to set the ok_as_delegate
> > flag on the host/* service ticket. To do this you can call kadmin.local
> > on the IPA server and then use
> >
> > modprinc +ok_as_delegate host/test-server-ipa.realm@REALM
> >
> > to set the flag.
> >
> 
> I don't know why this host would have this flag set differently from other

Does it mean there are other windows hosts where delegation already
works as expected? AFAIK the Linux OpenSSH client does not check
this flag and forwards the credentials depending on the command line
options, but it looks like putty on Windows checks this flag.

> hosts. And I get this error while trying to set or unset this flag.
> 
> kadmin.local:  modprinc +ok_as_delegate host/ipa-w7.domain@REALM
> modify_principal: Kerberos database internal error while modifying
> "host/ipa-w7.domain@REALM
> 
> For any other host as well BTW. I can't find anything relevant in the log
> files.

Which version of FreeIPA are you using? There are issues in older
versions which prevent kadmin.local from working.

bye,
Sumit

> 
> -- 
> 
> 
> 
> # Han

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] authentication with latest putty fails

2013-01-07 Thread Han Boetes
On Fri, Jan 4, 2013 at 6:52 PM, Sumit Bose  wrote:

> About delegating credentials, you might need to set the ok_as_delegate
> flag on the host/* service ticket. To do this you can call kadmin.local
> on the IPA server and then use
>
> modprinc +ok_as_delegate host/test-server-ipa.realm@REALM
>
> to set the flag.
>

I don't know why this host would have this flag set differently from other
hosts. And I get this error while trying to set or unset this flag.

kadmin.local:  modprinc +ok_as_delegate host/ipa-w7.domain@REALM
modify_principal: Kerberos database internal error while modifying
"host/ipa-w7.domain@REALM

For any other host as well BTW. I can't find anything relevant in the log
files.

-- 



# Han
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] authentication with latest putty fails

2013-01-04 Thread Sumit Bose
On Fri, Jan 04, 2013 at 04:56:18PM +0100, Han Boetes wrote:
> Your information about the quest putty version seems to be outdated. ;-)
> 
> Quest Software no longer maintains recent releases of PuTTY. To obtain the
> latest stable release of PuTTY please go to PuTTY Download Page
> * The functionality that was provided by Quest Software's PuTTY packages
> have now been included in the latest releases of PuTTY, making Quest PuTTY
> obsolete.
> 
> 
> I'm test-driving the Centrify version at the moment and...

I just downloaded Centrify's version of putty and it is working fine for
me.

About delegating credentials, you might need to set the ok_as_delegate
flag on the host/* service ticket. To do this you can call kadmin.local
on the IPA server and then use

modprinc +ok_as_delegate host/test-server-ipa.realm@REALM

to set the flag.

bye,
Sumit


Re: [Freeipa-users] authentication with latest putty fails

2013-01-04 Thread Erinn Looney-Triggs
On 01/04/13 06:56, Han Boetes wrote:
> Your information about the quest putty version seems to be outdated. ;-)
> 
> Quest Software no longer maintains recent releases of PuTTY. To obtain
> the latest stable release of PuTTY please go to PuTTY Download Page
> * The functionality that was provided by Quest Software's PuTTY packages
> have now been included in the latest releases of PuTTY, making Quest
> PuTTY obsolete.
> 
> 
> I'm test-driving the Centrify version at the moment and...
> 
> ~/debug% cat ~/out 
> Using Kerberos authentication
> Using principal fh@REALM
> Got host ticket host/test-server-ipa.domain@REALM
> login as fh@REALM
> 
> Kerberos authentication failed.  Please check
> 1) Unix login name is correct
> 2) Target service principal name is correct
> 3) Kerberos authentication is enabled in SSH server
> 4) Clock in the host is syncrhonized with the clock in AD
> 
> fh@REALM@test-server-ipa's password:
> Last login: Fri Jan  4 14:51:25 2013 from ipa-w7.domain
> [fh@test-server-ipa ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_1554800011_JDgpIu5465
> Default principal: fh@REALM
> 
> Valid starting ExpiresService principal
> 01/04/13 14:52:49  01/05/13 14:52:49  krbtgt/REALM@REALM
> [fh@test-server-ipa ~]$
> 
> That does provide a valid ticket but not a passwordless login.
> Actually I have to enter a pass twice here!
> 
> 
> 
> 
> 

Re: [Freeipa-users] authentication with latest putty fails

2013-01-04 Thread Han Boetes
Your information about the quest putty version seems to be outdated. ;-)

Quest Software no longer maintains recent releases of PuTTY. To obtain the
latest stable release of PuTTY please go to PuTTY Download Page
* The functionality that was provided by Quest Software's PuTTY packages
have now been included in the latest releases of PuTTY, making Quest PuTTY
obsolete.


I'm test-driving the Centrify version at the moment and...

~/debug% cat ~/out
Using Kerberos authentication
Using principal fh@REALM
Got host ticket host/test-server-ipa.domain@REALM
login as fh@REALM

Kerberos authentication failed.  Please check
1) Unix login name is correct
2) Target service principal name is correct
3) Kerberos authentication is enabled in SSH server
4) Clock in the host is syncrhonized with the clock in AD

fh@REALM@test-server-ipa's password:
Last login: Fri Jan  4 14:51:25 2013 from ipa-w7.domain
[fh@test-server-ipa ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1554800011_JDgpIu5465
Default principal: fh@REALM

Valid starting ExpiresService principal
01/04/13 14:52:49  01/05/13 14:52:49  krbtgt/REALM@REALM
[fh@test-server-ipa ~]$

That does provide a valid ticket but not a passwordless login. Actually I
have to enter a pass twice here!







-- 



# Han
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] authentication with latest putty fails

2013-01-04 Thread Sumit Bose
On Fri, Jan 04, 2013 at 04:14:36PM +0100, Han Boetes wrote:
> You are absolutely right; the credentials aren't forwarded.
> 
> I have enabled the option "allow gssapi credential delegation". So one
> would expect that it should work.
> 
> I just installed the mit kerberos tools and I can see all the options and
> forwarding tickets is allowed according to the interface. Also putty is now
> using the mit kerberos dll; gssapi32.dll and still I get the same results.
> 
> So the proper question is: how do I get putty to really forward the
> credentials?

This might be an issue with your putty version. Can you try Quest's
version of putty http://rc.quest.com/topics/putty/ , if you are not
already using it?

HTH

bye,
Sumit


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] authentication with latest putty fails

2013-01-04 Thread Han Boetes
You are absolutely right; the credentials aren't forwarded.

I have enabled the option "allow gssapi credential delegation". So one
would expect that it should work.

I just installed the mit kerberos tools and I can see all the options and
forwarding tickets is allowed according to the interface. Also putty is now
using the mit kerberos dll; gssapi32.dll and still I get the same results.

So the proper question is: how do I get putty to really forward the
credentials?




-- 



# Han
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] authentication with latest putty fails

2013-01-04 Thread Rob Crittenden

The problem isn't that authentication fails, it is that the credentials 
aren't forwarded, right?


Does putty support this?

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


[Freeipa-users] authentication with latest putty fails

2013-01-04 Thread Han Boetes
I've set up windows with the instructions given over here:

http://freeipa.com/page/Windows_authentication_against_FreeIPA

And all seems to be working fine. After I run klist I see valid tickets:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\fh>klist

Current LogonId is 0:0x153b25

Cached Tickets: (1)

#0>     Client: fh @ REALM
        Server: krbtgt/REALM @ REALM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e1 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 1/4/2013 14:03:11 (local)
        End Time:   1/5/2013 14:03:11 (local)
        Renew Time: 1/11/2013 14:03:11 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


I can do a passwordless login with the latest putty with kerberos
authentication; I disabled password and key logins. And then on the host I
checked klist and got this:

[fh@test-server-ipa ~]$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1554800011)

sudo also doesn't work. To test the setup I did the same from a linux host,
and logging in, sudo, klist etc. all work fine. So I checked the sshd -d
output difference and the only difference I see is:

-Postponed gssapi-with-mic for fh from 192.168.2.73 port 50334 ssh2
-debug1: Received some client credentials
+Postponed gssapi-with-mic for fh from 192.168.2.56 port 49168 ssh2
+debug1: Got no client credentials



Where .73 is the linux host and .56 is the windows host.

What am I missing here?


-- 



# Han
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users