[Freeipa-users] Configuring Client SSH Access Failure

John Robert Mendoza jrobertm8 at yahoo.com
Sat Jan 23 13:21:02 UTC 2010


From what I understand from your email,

You don't have Kerberos credentials; that's why it's complaining about not being able to read the file /tmp/krb5cc_0.

Firstly, does the admin account in ipaclient.example.com exist? And if so, can you get a Kerberos ticket for admin from node.example.com?

You should have a minimally working Kerberos client configuration for node.example.com, i.e. krb5.conf.

John Robert Mendoza

--- On Sat, 1/23/10, Michael Kang <wxiluo at gmail.com> wrote:

From: Michael Kang <wxiluo at gmail.com>
Subject: Re: [Freeipa-users] Configuring Client SSH Access Failure
To: "Scott" <scott.kaminski at gmail.com>
Cc: "freeipa-users" <freeipa-users at redhat.com>
Date: Saturday, 23 January, 2010, 1:12 PM

DNS is OK.

I run kinit on client.example.com.
Access client.example.com from node.example.com:

ssh -v admin@client.example.com
debug1: Authentications that can continue: publickey,gssapi-with-mic,password

debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug1: Unspecified GSS failure.  Minor code may provide more information

Credentials cache file '/tmp/krb5cc_0' not found

debug1: Unspecified GSS failure.  Minor code may provide more information

It seems the ssh-client was trying to load /tmp/krb5cc_0. I don't run kinit on node.example.com, so there is such file. But I can find it on the client.example.com.


Can node.example.com access client.example.com without any ipa configuration?

Do I need to install ipa-client on node.example.com? Is the document wrong?


On Sat, Jan 23, 2010 at 11:54 AM, Scott <scott.kaminski at gmail.com> wrote:


First I would verify that DNS is functional, both forward and reverse.
If that is okay, try doing a kinit first, then try to connect.

Sent from my iPhone

On Jan 22, 2010, at 7:34 PM, Michael Kang <wxiluo at gmail.com> wrote:


Hi all,

I'm trying to configure client ssh access on Fedora 12 and I can't access ipaclient without password.

I'm following this document:
http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/sect-Client_Configuration_Guide-Configuring_Fedora_as_an_IPA_Client-Configuring_Client_SSH_Access.html



At the end of this document:

The IPA client should now be fully configured to accept incoming SSH connections and authenticate with the user's Kerberos credentials. Use the following command on another machine to test the configuration. This should succeed without asking for a password.

    # ssh admin@ipaclient.example.com

As I see it, another machine doesn't need to install any IPA software and it can access ipaclient without a password.

I have three Fedora machines:

ipa.example.com (IPA Server)
client.example.com (IPA Client)
node.example.com (another machine on which neither ipa-client nor ipa-server was installed)

The client.example.com can access ipa.example.com without a password. But the node.example.com can't access client.example.com.



Do I misunderstand the document, or is my configuration incorrect?

Thanks,
Michael

-- 
Michael Kang(康上明学)
There is a giant asleep within every man. When the giant awakens,miracles happen.



Personal blog: http://ufusion.org - United Fusion

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com

https://www.redhat.com/mailman/listinfo/freeipa-users
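
Added example, not part of the original thread: a small shell helper that reads `ssh -v` debug output and names the Kerberos cause behind a failed gssapi-with-mic attempt, including which user's credential cache the client looked for (krb5cc_0 is the cache of uid 0 on the connecting host). The function names and verdict labels are assumptions made for this example; the "Ticket expired" and "Server not found in Kerberos database" strings are standard MIT Kerberos messages, not lines from the thread.

```sh
#!/bin/sh
# Added example (not from the thread). Reads `ssh -v` debug output on stdin and
# prints "<VERDICT> <detail>" for the first Kerberos/GSSAPI failure cause seen.
classify_gss_failure() {
    awk -v q="'" '
        /Next authentication method: gssapi-with-mic/ { tried = 1 }
        /Credentials cache file .* not found/ && !verdict {
            split($0, part, q)              # part[2] is the quoted cache path
            uid = part[2]
            if (uid ~ /krb5cc_[0-9]+$/) {
                sub(/^.*krb5cc_/, "", uid)  # default cache name ends in the uid
            } else {
                uid = "?"
            }
            verdict = "NO_TICKET"; detail = part[2] " uid=" uid
        }
        /Ticket expired/ && !verdict { verdict = "TICKET_EXPIRED"; detail = "-" }
        /Server not found in Kerberos database/ && !verdict {
            verdict = "HOST_PRINCIPAL_UNKNOWN"; detail = "-"
        }
        END {
            if (!tried)       print "GSSAPI_NOT_TRIED", "-"
            else if (verdict) print verdict, detail
            else              print "UNKNOWN", "-"
        }'
}

# Map a verdict to the check suggested in the thread.
advise() {
    case "$1" in
        NO_TICKET) echo "run kinit on the connecting host as the user who runs ssh" ;;
        TICKET_EXPIRED) echo "renew the ticket with kinit" ;;
        HOST_PRINCIPAL_UNKNOWN) echo "check forward and reverse DNS for the target host" ;;
        GSSAPI_NOT_TRIED) echo "GSSAPI was not attempted; check the ssh client options" ;;
        *) echo "no known Kerberos error found in the log" ;;
    esac
}

# Constructed sample, built from the debug lines quoted in the thread.
sample_log() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
EOF
}
```

On a live system the debug output goes to stderr, so pipe it with `ssh -v admin@client.example.com 2>&1 | classify_gss_failure`; `klist -s` on the connecting host exits non-zero when that user has no valid ticket.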

