[Freeipa-users] ssh login from windows AD trust host not working

Alexander Bokovoy abokovoy at redhat.com
Fri Apr 19 15:26:51 UTC 2013


On Fri, 19 Apr 2013, Natxo Asenjo wrote:
>hi,
>
>some progress. I disabled the firewall of the linux host (also the kdc,
>incidentally). From the Windows host using the AD Domain and Trusts tool I
>can verify the trust and using putty I can login and get the linux kerberos
>tickets as a windows realm user.
>
>If I enable the firewall and I do not block the ldap/ldaps port (the
>windows host is also the domain controller, yeah, I know, this is a home
>test lab on very modest virtual hardware), then I can login using putty
>with sso too, but I cannot verify the trust using the AD Domain and Trusts
>tool.
>
>So is this expected behaviour?
Yes, because you also need to keep the right ports open.

Verification of trust is done via SMB protocol (actually, netlogon
pipe), so you need to get SMB ports open -- 135/tcp, 139/tcp, 445/tcp
and some ports starting from 1024/tcp for end-point mapper.

-- 
/ Alexander Bokovoy
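
An added example, not part of the original message or of FreeIPA: a small audit that reads `iptables-save` output and reports which of the TCP ports named in the reply above have no ACCEPT rule on the INPUT chain. The sample ruleset, the function names and the `1024+` marker for the dynamic range are assumptions made for illustration.

```python
import re

# Fixed TCP ports named in the reply; dynamic end-point mapper ports start at 1024.
FIXED_PORTS = (135, 139, 445)
DYNAMIC_START = 1024

# Constructed iptables-save excerpt (not from the thread): SSH, Kerberos and
# LDAP/LDAPS are accepted over TCP, the SMB/RPC ports are not.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 88,389,636 -j ACCEPT
-A INPUT -p udp -m udp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1024:1300 -j DROP
COMMIT
"""

def accepted_tcp_ranges(rules_text, chain="INPUT"):
    """Return (low, high) destination-port ranges of TCP ACCEPT rules in `chain`.

    Simplification: rule order, source/interface matches and negation are ignored.
    """
    ranges = []
    for line in rules_text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["-A", chain] or tokens[-2:] != ["-j", "ACCEPT"]:
            continue
        if "-p" not in tokens or tokens[tokens.index("-p") + 1] != "tcp":
            continue  # UDP rules do not help: the reply lists TCP ports
        match = re.search(r"--dports? (\S+)", line)
        if not match:
            continue
        for part in match.group(1).split(","):  # multiport lists: 88,389,1024:1300
            low, _, high = part.partition(":")
            ranges.append((int(low), int(high or low)))
    return ranges

def missing_trust_ports(rules_text):
    """List the trust-verification ports that no TCP ACCEPT rule covers."""
    ranges = accepted_tcp_ranges(rules_text)
    covered = lambda port: any(lo <= port <= hi for lo, hi in ranges)
    missing = [f"{p}/tcp" for p in FIXED_PORTS if not covered(p)]
    if not covered(DYNAMIC_START):
        missing.append(f"{DYNAMIC_START}+/tcp (dynamic RPC)")
    return missing

if __name__ == "__main__":
    for item in missing_trust_ports(SAMPLE_RULES):
        print("not accepted:", item)
```

On a real host, pass the text produced by `iptables-save` instead of `SAMPLE_RULES`.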



