[Freeipa-users] authentication with latest putty fails
Sumit Bose
sbose at redhat.com
Mon Jan 7 17:17:22 UTC 2013
On Mon, Jan 07, 2013 at 05:00:09PM +0100, Han Boetes wrote:
> I just had a long and fruitfull debugging session with Sumit and this is
> what we discovered.
Thank you for your patience and help to debug this issue.
>
> The default settings do run fine for linux machines but for windows hosts
> they do not suffice. Sumit is submitting bug reports and hopefully they
> will be applied to the next 2.2.x release. This problem does not exist with
> version 3.x
>
> The workaround for 2.2.x releases is:
>
> For any target machine you want to enable forwarding tickets which have to
> be accessible with putty you will have to add the ok_as_delegate flag. To
> do that run the following commands on the ipa-server:
>
> # ipa host-mod --addattr='objectclass=krbTicketPolicyAux'
> destinationhost.domain
Ticket https://fedorahosted.org/freeipa/ticket/3328 covers the missing
objectclass.
> # kadmin.local -q 'modprinc +ok_as_delegate
> host/destinationhost.domain at REALM'
https://fedorahosted.org/freeipa/ticket/3329 is a RFE to think about
how we want to handle this flag (and maybe Kerberos flags in general).
bye,
Sumit
>
> So far I working tickets on the destination machine if I used centrify
> putty to log in. This didn't work with the stock version of putty allas.
>
>
>
> # Han
More information about the Freeipa-users
mailing list