[Freeipa-users] authentication with latest putty fails

Sumit Bose sbose at redhat.com
Fri Jan 4 15:25:46 UTC 2013


On Fri, Jan 04, 2013 at 04:14:36PM +0100, Han Boetes wrote:
> You are absolutely right; the credentials aren't forwarded.
> 
> I have enabled the option "allow gssapi credential delegation". So one
> would expect that it should work.
> 
> I just installed the mit kerberos tools and I can see all the options and
> forwarding tickets is allowed according to the interface. Also putty is now
> using the mit kerberos dll; gssapi32.dll and still I get the same results.
> 
> So the proper question is: how do I get putty to really forward the
> credentials?

This might be an issue with your putty version. Can you try Quest's
version of putty http://rc.quest.com/topics/putty/ , if you are not
already using it?

HTH

bye,
Sumit

> 
> 
> On Fri, Jan 4, 2013 at 3:58 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> 
> > Han Boetes wrote:
> >
> >> I've set up windows with the instructions given over here:
> >>
> >> http://freeipa.com/page/Windows_authentication_against_FreeIPA
> >>
> >> And all seems to be working fine. After I run klist I see valid tickets:
> >>
> >> Microsoft Windows [Version 6.1.7601]
> >> Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
> >>
> >> C:\Users\fh>klist
> >>
> >> Aktuelle Anmelde-ID ist 0:0x153b25
> >>
> >> Zwischengespeicherte Tickets: (1)
> >>
> >> #0>     Client: fh @ REALM
> >>          Server: krbtgt/REALM @ REALM
> >>          KerbTicket (Verschlüsselungstyp): AES-256-CTS-HMAC-SHA1-96
> >>          Ticketkennzeichen 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
> >>          Startzeit: 1/4/2013 14:03:11 (lokal)
> >>          Endzeit:   1/5/2013 14:03:11 (lokal)
> >>          Erneuerungszeit: 1/11/2013 14:03:11 (lokal)
> >>          Sitzungsschlüsseltyp: AES-256-CTS-HMAC-SHA1-96
> >>
> >>
> >> I can do a passwordless login with the latest putty with kerberos
> >> authentication,  I disabled password and key logins. And then on the
> >> host I checked klist and got this:
> >>
> >> [fh@test-server-ipa ~]$ klist
> >> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1554800011)
> >>
> >> sudo also doesn't work. To test the setup I did the same from linux host
> >> and login in, sudo, klist etc etc all work fine. So I checked the sshd
> >> -d output difference and the only difference I see is:
> >>
> >> -Postponed gssapi-with-mic for fh from 192.168.2.73 port 50334 ssh2
> >> -debug1: Received some client credentials
> >> +Postponed gssapi-with-mic for fh from 192.168.2.56 port 49168 ssh2
> >> +debug1: Got no client credentials
> >>
> >> Where .73 is the linux host and .56 is the windows host.
> >>
> >> What am I missing here?
> >>
> >
> > The problem isn't that authentication fails, it is that the credentials
> > aren't forwarded, right?
> >
> > Does putty support this?
> >
> > rob
> >
> >
> 
> 
> -- 
> 
> 
> 
> # Han
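
Added example, not part of the original thread: a shell function that reads `sshd -d` output and reports, for each gssapi-with-mic login, whether the client delegated credentials, based on the two debug messages compared in the thread. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise GSSAPI credential delegation from `sshd -d` output.
# Reads debug output on stdin; prints "user source-ip status" per login attempt.
gssapi_delegation_report() {
    awk '
    # Remember who the pending gssapi-with-mic exchange belongs to.
    /Postponed gssapi-with-mic for / {
        for (i = 1; i < NF; i++) {
            if ($i == "for")  user = $(i + 1)
            if ($i == "from") src  = $(i + 1)
        }
        pending = 1
        next
    }
    # sshd -d prints one of these two lines, as shown in the thread.
    pending && /Received some client credentials/ {
        print user, src, "delegated"; pending = 0; next
    }
    pending && /Got no client credentials/ {
        print user, src, "not-delegated"; pending = 0; next
    }
    # The log ended before either message appeared.
    END { if (pending) print user, src, "unknown" }
    '
}

# Sample input constructed from the two excerpts quoted in the thread.
sample_log() {
    cat <<'EOF'
Postponed gssapi-with-mic for fh from 192.168.2.73 port 50334 ssh2
debug1: Received some client credentials
Postponed gssapi-with-mic for fh from 192.168.2.56 port 49168 ssh2
debug1: Got no client credentials
EOF
}

sample_log | gssapi_delegation_report
```

A "not-delegated" result for a host means the ticket cache on the server stays empty after login, which matches the `klist` and `sudo` symptoms described for the Windows client.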
