[Freeipa-users] trouble with trusts and gssapi

Sumit Bose sbose at redhat.com
Tue Feb 19 07:47:18 UTC 2013 

On Mon, Feb 18, 2013 at 09:02:13PM -0800, Brian Cook wrote:
> This fixed in.  That makes perfect sense, but nothing in the log made me think that this was the problem.
> 
> There was an auth_to_local rule setup, which I saved, which did not work.  Is this a bug that we need to open a ticket for?  Seems like installer is putting an inadequate regular expression in the rule.

You only see related messages in /var/log/secure if you increase the
debug level of sshd.

The auth_to_local rule not added by the installer but has to be added
manually if you prefer this instead of using .k5login. The next major
release of MIT Kerberos will have a plugin interface for auth_to_local
which we plan to use. With this, the rules are not needed anymore.

HTH

bye,
Sumit

> 
> Thanks!
> Brian
> 
> 
> 
> On Feb 18, 2013, at 7:35 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> 
> > Brian Cook wrote:
> >> More info - attached var/log/secure, and sshd_config.
> >> 
> >> Password authentication works, just gssapi fails.  in the securecrt provided I have disabled password auth as an option
> > 
> > Create a .k5login in the home directory of your user. What I did was log in as Administratory at AD.EXAMPLE.COM using the password, create .k5login containing that principal, log out, then I was able to log back in using SSO.
> > 
> > You should be able to add something like this to /etc/krb5.conf if you have a lot of users you want to do SSO:
> > 
> >    auth_to_local = RULE:[1:$1@$0](^.*@TRUSTED.DOMAIN$)s/@TRUSTED.DOMAIN/@trusted.domain/
> >    auth_to_local = DEFAULT
> > 
> > See 'info krb5-admin "Configuration Files" "krb5.conf" "realms (krb5.conf)"' for more details and examples for auth_to_local.
> > 
> > rob
> > 
> >> 
> >> 
> >> 
> >> 
> >> 
> >> 
> >> 
> >> On Feb 18, 2013, at 3:58 PM, Brian Cook <bcook at redhat.com> wrote:
> >> 
> >>> I am trying to ssh from Windows - > IPA server using GSS-API.  I've tried putty, which provides very little debug out.  I then downloaded securecrt which provides more output.
> >>> 
> >>> On the server side, I just see postponed gss-with-mic  and then a failure message.  I'm attaching the output from securecrt.  Any help would be greatly appreciated.
> >>> 
> >>> Thanks,
> >>> Brian
> >>> 
> >>> <securecrt-out.rtf>_______________________________________________
> >>> Freeipa-users mailing list
> >>> Freeipa-users at redhat.com
> >>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> 
> >> 
> >> 
> >> _______________________________________________
> >> Freeipa-users mailing list
> >> Freeipa-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> 
> > 
> 

> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

More information about the Freeipa-users mailing list