[Freeipa-users] AD users not getting single sign on (Solaris)

nathan at nathanpeters.com nathan at nathanpeters.com
Thu Mar 19 23:55:19 UTC 2015


I have finally gotten all of my Solaris servers to accept AD users but the
behavior is inconsistent.

In my FreeIPA domain, I can log in to a Linux server and then ssh to the
Solaris server and I am automatically logged in because of my Kerberos
ticket (I assume).

But when I ssh from the first Solaris machine to the 2nd I am prompted for
a password instead of being automatically signed in.  The strange thing is
that it doesn't matter which machine I log in to first, it's only the 2nd
hop that asks for a password.

Below is my console recording.  ipaclient1 is Linux, ipaclient5 and
ipaclient6 are Solaris.
Login from Linux -> Solaris 1 works without password
Login from Linux -> Solaris 2 works without password
Login from Solaris 1 -> Solaris 2 prompts
Login from Solaris 2 -> Solaris 1 prompts.

Any ideas?

---- snip ----
login as: nathan.peters
nathan.peters at 10.21.19.12's password:
Last login: Thu Mar 19 16:42:27 2015 from 10.5.5.57
[nathan.peters at datacenter.mydomain.net@ipaclient1-sandbox-atdev-van ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1539201103_L8tfu1
Default principal: nathan.peters at DATACENTER.MYDOMAIN.NET

Valid starting     Expires            Service principal
03/19/15 16:44:27  03/20/15 02:44:16 
krbtgt/DATACENTER.MYDOMAIN.NET at DATACENTER.MYDOMAIN.NET
        renew until 03/20/15 16:44:27
[nathan.peters at datacenter.mydomain.net@ipaclient1-sandbox-atdev-van ~]$
ssh ipaclient5-sandbox-atdev-van
Last login: Thu Mar 19 23:43:24 2015 from 10.21.19.12
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
[11:45 PM] ipaclient5-sandbox-atdev-van:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1539201103
Default principal: nathan.peters at DATACENTER.MYDOMAIN.NET

Valid starting                Expires                Service principal
03/19/15 23:40:06  03/20/15 09:39:23 
krbtgt/DATACENTER.MYDOMAIN.NET at DATACENTER.MYDOMAIN.NET
        renew until 03/26/15 23:40:06
[11:45 PM] ipaclient5-sandbox-atdev-van:~$ ssh ipaclient6-sandbox-atdev-van
Password:
Last login: Thu Mar 19 16:40:49 2015 from ipaclient5-sand
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
-bash-3.00$ klist
klist: No credentials cache file found (ticket cache
FILE:/tmp/krb5cc_1539201103)
-bash-3.00$ exit
logout
Connection to ipaclient6-sandbox-atdev-van closed.
[11:48 PM] ipaclient5-sandbox-atdev-van:~$ exit
logout
Connection to ipaclient5-sandbox-atdev-van closed.
[nathan.peters at datacenter.mydomain.net@ipaclient1-sandbox-atdev-van ~]$
ssh ipaclient6-sandbox-atdev-van
Last login: Thu Mar 19 16:45:50 2015 from ipaclient5-sand
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
-bash-3.00$ klist
klist: No credentials cache file found (ticket cache
FILE:/tmp/krb5cc_1539201103)
-bash-3.00$ ssh ipaclient5-sandbox-atdev-van
The authenticity of host 'ipaclient5-sandbox-atdev-van (10.21.19.16)'
can't be established.
RSA key fingerprint is b0:65:8d:c6:82:78:c2:7f:60:16:d0:6a:30:c0:09:a1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ipaclient5-sandbox-atdev-van,10.21.19.16'
(RSA) to the list of known hosts.
Password:
Last login: Thu Mar 19 23:45:19 2015 from 10.21.19.12
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
[11:49 PM] ipaclient5-sandbox-atdev-van:~$





