[Freeipa-users] AD users not getting single sign on (Solaris)
nathan at nathanpeters.com
Thu Mar 19 23:55:19 UTC 2015
I have finally gotten all of my Solaris servers to accept AD users but the
behavior is inconsistent.

In my FreeIPA domain, I can log in to a Linux server and then ssh to the
Solaris server and I am automatically logged in because of my Kerberos
ticket (I assume).

But when I ssh from the first Solaris machine to the 2nd I am prompted for
a password instead of being automatically signed in. The strange thing is
that it doesn't matter which machine I log in to first, it's only the 2nd
hop that asks for a password.

Below is my console recording. ipaclient1 is Linux, ipaclient5 and
ipaclient6 are Solaris.

Login from Linux -> Solaris 1 works without password
Login from Linux -> Solaris 2 works without password
Login from Solaris 1 -> Solaris 2 prompts
Login from Solaris 2 -> Solaris 1 prompts.

Any ideas?
---- snip ----
login as: nathan.peters
nathan.peters@10.21.19.12's password:
Last login: Thu Mar 19 16:42:27 2015 from 10.5.5.57
[nathan.peters@datacenter.mydomain.net@ipaclient1-sandbox-atdev-van ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1539201103_L8tfu1
Default principal: nathan.peters@DATACENTER.MYDOMAIN.NET
Valid starting     Expires            Service principal
03/19/15 16:44:27  03/20/15 02:44:16  krbtgt/DATACENTER.MYDOMAIN.NET@DATACENTER.MYDOMAIN.NET
        renew until 03/20/15 16:44:27
[nathan.peters@datacenter.mydomain.net@ipaclient1-sandbox-atdev-van ~]$ ssh ipaclient5-sandbox-atdev-van
Last login: Thu Mar 19 23:43:24 2015 from 10.21.19.12
Oracle Corporation SunOS 5.10 Generic Patch January 2005
[11:45 PM] ipaclient5-sandbox-atdev-van:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1539201103
Default principal: nathan.peters@DATACENTER.MYDOMAIN.NET
Valid starting     Expires            Service principal
03/19/15 23:40:06  03/20/15 09:39:23  krbtgt/DATACENTER.MYDOMAIN.NET@DATACENTER.MYDOMAIN.NET
        renew until 03/26/15 23:40:06
[11:45 PM] ipaclient5-sandbox-atdev-van:~$ ssh ipaclient6-sandbox-atdev-van
Password:
Last login: Thu Mar 19 16:40:49 2015 from ipaclient5-sand
Oracle Corporation SunOS 5.10 Generic Patch January 2005
-bash-3.00$ klist
klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_1539201103)
-bash-3.00$ exit
logout
Connection to ipaclient6-sandbox-atdev-van closed.
[11:48 PM] ipaclient5-sandbox-atdev-van:~$ exit
logout
Connection to ipaclient5-sandbox-atdev-van closed.
[nathan.peters@datacenter.mydomain.net@ipaclient1-sandbox-atdev-van ~]$ ssh ipaclient6-sandbox-atdev-van
Last login: Thu Mar 19 16:45:50 2015 from ipaclient5-sand
Oracle Corporation SunOS 5.10 Generic Patch January 2005
-bash-3.00$ klist
klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_1539201103)
-bash-3.00$ ssh ipaclient5-sandbox-atdev-van
The authenticity of host 'ipaclient5-sandbox-atdev-van (10.21.19.16)' can't be established.
RSA key fingerprint is b0:65:8d:c6:82:78:c2:7f:60:16:d0:6a:30:c0:09:a1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ipaclient5-sandbox-atdev-van,10.21.19.16' (RSA) to the list of known hosts.
Password:
Last login: Thu Mar 19 23:45:19 2015 from 10.21.19.12
Oracle Corporation SunOS 5.10 Generic Patch January 2005
[11:49 PM] ipaclient5-sandbox-atdev-van:~$