<div dir="ltr"><div>hi,<br><br></div>after successfully configuring the trust between 2 different domains (IPA.ASENJO.NX and AD.ASENJO.NX) I would like to log in from the Windows host to the Linux host using the trusted Kerberos tickets.<br>

<br>This is my krb.conf on the Linux host:<br><br>includedir /var/lib/sss/pubconf/krb5.include.d/<br>[logging]<br> default = FILE:/var/log/krb5libs.log<br> kdc = FILE:/var/log/krb5kdc.log<br> admin_server = FILE:/var/log/kadmind.log<br>

<br>[libdefaults]<br> default_realm = IPA.ASENJO.NX<br> dns_lookup_realm = false<br> dns_lookup_kdc = true<br> rdns = false<br> ticket_lifetime = 24h<br> forwardable = yes<br><br>[realms]<br> IPA.ASENJO.NX = {<br>  kdc = kdc.ipa.asenjo.nx:88<br>

  admin_server = kdc.ipa.asenjo.nx:749<br>  default_domain = ipa.asenjo.nx<br>  pkinit_anchors = FILE:/etc/ipa/ca.crt<br>  auth_to_local = RULE:[1:$1@$0](^.*@AD.ASENJO.NX$)s/@AD.ASENJO.NX/@ad.asenjo.nx/<br>  auth_to_local = DEFAULT<br>

}<br><br>[domain_realm]<br> .ipa.asenjo.nx = IPA.ASENJO.NX<br> ipa.asenjo.nx = IPA.ASENJO.NX<br><br>[dbmodules]<br>#  IPA.ASENJO.NX = {<br>#    db_library = kldap<br>#    ldap_servers = ldapi://%2fvar%2frun%2fslapd-IPA-ASENJO-NX.socket<br>

#    ldap_kerberos_container_dn = cn=kerberos,dc=ipa,dc=asenjo,dc=nx<br>#    ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=ipa,dc=asenjo,dc=nx<br>#    ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=ipa,dc=asenjo,dc=nx<br>

#    ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd<br>#  }<br><br>  IPA.ASENJO.NX = {<br>    db_library = ipadb.so<br>  }<br><br>and in /etc/sssd/sssd.conf<br><br>[sssd]<br>config_file_version = 2<br>services = nss, pam, ssh, pac<br>
<br>domains = ipa.asenjo.nx<br>[nss]<br><br>[pam]<br><br><br>[domain/ipa.asenjo.nx]<br>cache_credentials = True<br>krb5_store_password_if_offline = True<br>ipa_domain = ipa.asenjo.nx<br>id_provider = ipa<br>auth_provider = ipa<br>
access_provider = ipa<br>ipa_hostname = kdc.ipa.asenjo.nx<br>chpass_provider = ipa<br>ipa_server = kdc.ipa.asenjo.nx<br>ldap_tls_cacert = /etc/ipa/ca.crt<br>subdomains_provider = ipa<br><br>I restarted the server after this change<br>
<br>Then I created an external group as explained here:<br><a href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-groups.html">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-groups.html</a><br>
<br>And tried logging in using ssh with PuTTY from the Windows hosts (using the login Administrator@ad.asenjo.nx, with gss-api credentials delegation). Unfortunately it keeps asking me for a password for the user Administrator@ad.asenjo.nx@kdc.ipa.asenjo.nx, so it is adding the name of the Linux host to the login name.<br>
<br>Any help greatly appreciated.<br><br>-- <br>regards,<br>natxo<br></div>