[Freeipa-users] trouble with trusts and gssapi
Brian Cook
bcook at redhat.com
Tue Feb 19 05:02:13 UTC 2013
This fixed it. That makes perfect sense, but nothing in the log made me think that this was the problem.
There was an auth_to_local rule set up, which I saved, which did not work. Is this a bug that we need to open a ticket for? Seems like the installer is putting an inadequate regular expression in the rule.
Thanks!
Brian
On Feb 18, 2013, at 7:35 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Brian Cook wrote:
>> More info - attached var/log/secure, and sshd_config.
>>
>> Password authentication works, just gssapi fails. In the securecrt provided I have disabled password auth as an option.
>
> Create a .k5login in the home directory of your user. What I did was log in as Administrator at AD.EXAMPLE.COM using the password, create .k5login containing that principal, log out, then I was able to log back in using SSO.
>
> You should be able to add something like this to /etc/krb5.conf if you have a lot of users you want to do SSO:
>
> auth_to_local = RULE:[1:$1@$0](^.*@TRUSTED.DOMAIN$)s/@TRUSTED.DOMAIN/@trusted.domain/
> auth_to_local = DEFAULT
>
> See 'info krb5-admin "Configuration Files" "krb5.conf" "realms (krb5.conf)"' for more details and examples for auth_to_local.
>
> rob
>
>>
>> On Feb 18, 2013, at 3:58 PM, Brian Cook <bcook at redhat.com> wrote:
>>
>>> I am trying to ssh from Windows -> IPA server using GSS-API. I've tried putty, which provides very little debug output. I then downloaded securecrt which provides more output.
>>>
>>> On the server side, I just see postponed gss-with-mic and then a failure message. I'm attaching the output from securecrt. Any help would be greatly appreciated.
>>>
>>> Thanks,
>>> Brian
>>>
>>> <securecrt-out.rtf>_______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
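To check what an auth_to_local list like the one quoted above maps a principal to before relying on it for GSSAPI logins, the following added example (not part of the original thread and not MIT krb5's own code) models the documented RULE:[n:string](regexp)s/pattern/replacement/ processing in Python. The default realm IPA.EXAMPLE.COM and the sample principals are constructed; the parser is a simplification that assumes no parentheses inside the regexp and uses Python regular expressions in place of POSIX ones.

```python
import re

# Simplified model of krb5.conf auth_to_local evaluation (assumption: not MIT's code).
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$")
SED_RE = re.compile(r"s/([^/]*)/([^/]*)/(g?)")

# The two lines from the reply above, in order.
RULES = [
    "RULE:[1:$1@$0](^.*@TRUSTED.DOMAIN$)s/@TRUSTED.DOMAIN/@trusted.domain/",
    "DEFAULT",
]

def apply_rule(rule, principal, default_realm):
    """Return the local name this rule yields, or None if it does not apply."""
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals of the default realm.
        return name if len(comps) == 1 and realm == default_realm else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule: " + rule)
    n, fmt, regexp, subs = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    if len(comps) != n:
        return None  # wrong number of components for [n:...]
    values = [realm] + comps  # $0 is the realm, $1..$n the components
    s = re.sub(r"\$(\d)", lambda d: values[int(d.group(1))], fmt)
    # In this model the whole formatted string must match the (regexp) filter.
    if regexp is not None and not re.fullmatch(regexp, s):
        return None
    for pat, rep, g in SED_RE.findall(subs):
        s = re.sub(pat, rep, s, count=0 if g else 1)  # no 'g': first match only
    return s

def map_principal(rules, principal, default_realm):
    """Rules are tried in order; the first one that applies wins."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None  # no mapping: SSO needs a .k5login entry instead

if __name__ == "__main__":
    for p in ("Administrator@TRUSTED.DOMAIN",                 # constructed samples
              "bcook@IPA.EXAMPLE.COM",
              "user@OTHER.REALM",
              "host/server.ipa.example.com@TRUSTED.DOMAIN"):
        print(p, "->", map_principal(RULES, p, "IPA.EXAMPLE.COM"))
```

A principal that comes back as None here has no local-name mapping, which is the case the .k5login workaround in the reply covers.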