On Wed, Mar 29, 2023 at 5:01 PM Pieter Voet wrote:
> So, that should be it... I now have to get to the Active Directory
> department on my corporate environment and ask them to set the flag
> for me, because it seems that only Administrator can set the flag (
> if not customized ), even if you (
Hi Spike,
thanks a lot for your findings ! I appreciate your effort.
I also played around with the TRUSTED_FOR_DELEGATION flag on the machine
account, and yes
it looks like the behaviour is consistent.
( I had a case where I got a TGT without the TRUSTED_FOR_DELEGATION flag set on
the machine
Pieter,
Never mind. I am wrong. Restarted sssd and waited for AD replication.
Setting TRUSTED_FOR_DELEGATION on the machine account is sufficient.
I now get a Kerberos cred when I SSH SSO (via Putty) onto Linux server.
Spike
On Tue, Mar 28, 2023 at 3:06 PM Spike White wrote:
> Pieter,
>
>
Pieter,
I was playing around with this also. I was setting
TRUSTED_FOR_DELEGATION on the machine account as well. And it was
accomplishing nothing.
I'm guessing it's the user's account that needs to have
TRUSTED_FOR_DELEGATION. Not the machine account.
So when you start putty, you start it
Hi James, thanks a lot for your interesting reply..
in order to investigate this issue, I've set up a Windows Server 2012
evaluation copy on my Linux laptop as a VM using QEMU.
With that, I also added two more VMs: a Windows 10 client and a Linux Fedora
37 server with sssd configured and
On Mon, Mar 27, 2023 at 4:02 PM Spike White wrote:
> Pieter,
>
> I have Connection -> SSH -> Auth -> GSSAPI -> Allow GSSAPI ->
> credential delegation turned on in putty.
>
> As well as on the target Linux server, it has [libdefaults]
> forwardable = true. The error I get when I ssh in is:
>
>
Pieter,
I have Connection -> SSH -> Auth -> GSSAPI -> Allow GSSAPI -> credential
delegation turned on in putty.
As well as on the target Linux server, it has [libdefaults] forwardable =
true. The error I get when I ssh in is:
[admspike_white@austgcore17 ~]$ klist
klist: Credentials cache
On the Windows laptop, I opened up a CMD window and entered 'klist'..
All tickets listed there have Ticket Flags 'forwardable'..
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to
On 27/03/2023 12:53, Pieter Voet wrote:
Hi Sam,
> Have you enabled Connection -> SSH -> Auth -> GSSAPI -> Allow GSSAPI credential delegation?
yes I did. That did not solve the issue, but since this is on a corporate AD
domain, I do not have the permission to
check if the Windows laptop has
Hi Sam,
> Have you enabled Connection -> SSH -> Auth -> GSSAPI -> Allow GSSAPI credential delegation?
yes I did. That did not solve the issue, but since this is on a corporate AD
domain, I do not have the permission to
check if the Windows laptop has 'Trust this computer for delegation to any
On 26/03/2023 22:31, Spike White wrote:
We use GSSAPI instead of GSS-SPNEGO for ssh SSO, but it should work the
same. This does not really involve sssd at all (for the
authentication). What happens is that your ssh daemon is
Kerberos-aware. So when it is presented with a Kerberos ticket,
Thanks for your elaboration on this Spike ! This'll help me understand the
functional picture ...
Pieter,
We use GSSAPI instead of GSS-SPNEGO for ssh SSO, but it should work the
same. This does not really involve sssd at all (for the authentication).
What happens is that your ssh daemon is Kerberos-aware. So when it is
presented with a Kerberos ticket, the ssh daemon contacts the Kerberos
OK.. too stupid ! I forgot to clear the credentials using 'kdestroy -A'
before retrying with Putty..
so, the original problem is still there... I don't get a Kerberos ticket if
logging on to Linux from Windows using Putty.
Well, Alexey triggered something in my head :-)
Since Putty behaviour was different than ssh, I started looking into the Putty
configuration...
and there we go ! In Settings -> Connection -> SSH -> Auth -> GSSAPI there
was an option
called 'Allow GSSAPI credential delegation' ...
enabling
Hi Alexey, thanks for responding !
I tried 'ssh' to log on.. I need to specify my (AD) password then, but yes,
after I'm logged on 'klist' successfully lists my TGT. Cool !
But the goal here is to login using SSO from Windows to Linux using Putty. My
understanding is that SPNego is involved,
Hi,
On Fri, Mar 24, 2023 at 10:03 PM Pieter Voet wrote:
>
> Hi all,
>
> I have the same issue as was already reported here in 2016 :
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/message/3IQLPN4JLFQJDXN6G3HQH3SEZ2AGEEBE/
> however there was no reply given.
>
>