[Freeipa-users] AD users not getting single sign on (Solaris)

Dmitri Pal dpal at redhat.com
Fri Mar 20 00:02:56 UTC 2015


On 03/19/2015 07:55 PM, nathan at nathanpeters.com wrote:
> I have finally gotten all of my Solaris servers to accept AD users, but the
> behavior is inconsistent.
>
> In my FreeIPA domain, I can login to a Linux server and then ssh to the
> Solaris server and I am automatically logged in because of my Kerberos
> ticket (I assume).
>
> But when I ssh from the first Solaris machine to the 2nd I am prompted for
> a password instead of being automatically signed in.  The strange thing is
> that it doesn't matter which machine I log in to first, it's only the 2nd
> hop that asks for a password.
>
> Below is my console recording.  ipaclient1 is Linux, ipaclient5 and
> ipaclient6 are Solaris.
> Login from Linux -> Solaris 1 works without password
> Login from Linux -> Solaris 2 works without password
> Login from Solaris 1 -> Solaris 2 prompts
> Login from Solaris 2 -> Solaris 1 prompts.

Assuming that you have IPA and AD in trust and the Solaris boxes are 
configured against the IPA compat tree, then it would be the expected 
behavior.

SSO is possible only with Kerberos.
Your authentication on Linux is against AD (through trust) so you get a 
Kerberos ticket.
If you issued keytabs for your Solaris systems and configured SSH to use 
GSSAPI then SSH would provide SSO as you describe from Linux to Solaris.
But once you log in to the Solaris box you do not have a Kerberos ticket 
because it is an LDAP authentication.

You would ask what can be done about it?
Not much. To have SSO you would need to have one of the latest Kerberos 
versions and something like SSSD on Solaris. It does not exist and 
Oracle is not eager to create one.

Bottom line... move to Linux :-)

>
> Any ideas?
>
> ---- snip ----
> login as: nathan.peters
> nathan.peters at 10.21.19.12's password:
> Last login: Thu Mar 19 16:42:27 2015 from 10.5.5.57
> [nathan.peters at datacenter.mydomain.net@ipaclient1-sandbox-atdev-van ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_1539201103_L8tfu1
> Default principal: nathan.peters at DATACENTER.MYDOMAIN.NET
>
> Valid starting     Expires            Service principal
> 03/19/15 16:44:27  03/20/15 02:44:16
> krbtgt/DATACENTER.MYDOMAIN.NET at DATACENTER.MYDOMAIN.NET
>          renew until 03/20/15 16:44:27
> [nathan.peters at datacenter.mydomain.net@ipaclient1-sandbox-atdev-van ~]$
> ssh ipaclient5-sandbox-atdev-van
> Last login: Thu Mar 19 23:43:24 2015 from 10.21.19.12
> Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
> [11:45 PM] ipaclient5-sandbox-atdev-van:~$ klist
> Ticket cache: FILE:/tmp/krb5cc_1539201103
> Default principal: nathan.peters at DATACENTER.MYDOMAIN.NET
>
> Valid starting                Expires                Service principal
> 03/19/15 23:40:06  03/20/15 09:39:23
> krbtgt/DATACENTER.MYDOMAIN.NET at DATACENTER.MYDOMAIN.NET
>          renew until 03/26/15 23:40:06
> [11:45 PM] ipaclient5-sandbox-atdev-van:~$ ssh ipaclient6-sandbox-atdev-van
> Password:
> Last login: Thu Mar 19 16:40:49 2015 from ipaclient5-sand
> Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
> -bash-3.00$ klist
> klist: No credentials cache file found (ticket cache
> FILE:/tmp/krb5cc_1539201103)
> -bash-3.00$ exit
> logout
> Connection to ipaclient6-sandbox-atdev-van closed.
> [11:48 PM] ipaclient5-sandbox-atdev-van:~$ exit
> logout
> Connection to ipaclient5-sandbox-atdev-van closed.
> [nathan.peters at datacenter.mydomain.net@ipaclient1-sandbox-atdev-van ~]$
> ssh ipaclient6-sandbox-atdev-van
> Last login: Thu Mar 19 16:45:50 2015 from ipaclient5-sand
> Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
> -bash-3.00$ klist
> klist: No credentials cache file found (ticket cache
> FILE:/tmp/krb5cc_1539201103)
> -bash-3.00$ ssh ipaclient5-sandbox-atdev-van
> The authenticity of host 'ipaclient5-sandbox-atdev-van (10.21.19.16)'
> can't be established.
> RSA key fingerprint is b0:65:8d:c6:82:78:c2:7f:60:16:d0:6a:30:c0:09:a1.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added 'ipaclient5-sandbox-atdev-van,10.21.19.16'
> (RSA) to the list of known hosts.
> Password:
> Last login: Thu Mar 19 23:45:19 2015 from 10.21.19.12
> Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
> [11:49 PM] ipaclient5-sandbox-atdev-van:~$
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
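The reply above hinges on two preconditions for a password-less ssh hop: the source host must hold a valid Kerberos TGT (an LDAP password login leaves none, which is what the "No credentials cache file found" output shows), and the ssh client must have GSSAPI enabled (and credential delegation, if the hop after that should also be password-less). The following Python script is an added example, not code from the thread or from FreeIPA; it turns those preconditions into a check that reads the text `klist` and the OpenSSH client config would produce on the source host. The sample inputs are constructed from the thread's own klist output (with "@" written out where the list archive shows " at "); `Host` blocks in ssh_config are not handled, which is a simplifying assumption.

```python
# Added example (not from the thread): decide whether an ssh hop can use
# Kerberos/GSSAPI single sign-on, from the text that klist and the ssh
# client config would show on the source host.
import re
from datetime import datetime

KLIST_TIME = "%m/%d/%y %H:%M:%S"
# One klist row: "<starting>  <expires>  <service principal>". klist wraps
# long rows, so the service principal may sit on the next line (as in the
# Solaris output in the thread), hence \s+ rather than literal spaces.
TICKET_RE = re.compile(
    r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)"
)


def parse_klist(text):
    """Return (principal, [(service, starting, expires), ...]), or None
    when klist reported that there is no credential cache at all."""
    if "No credentials cache file found" in text:
        return None
    m = re.search(r"Default principal:\s*(\S+)", text)
    principal = m.group(1) if m else None
    tickets = []
    for start, end, service in TICKET_RE.findall(text):
        tickets.append((service,
                        datetime.strptime(start, KLIST_TIME),
                        datetime.strptime(end, KLIST_TIME)))
    return principal, tickets


def valid_tgt(parsed, now):
    """Return the TGT service principal for the user's realm if one is
    valid at `now`, else None."""
    if parsed is None:
        return None
    principal, tickets = parsed
    realm = principal.rsplit("@", 1)[-1] if principal else ""
    want = "krbtgt/%s@%s" % (realm, realm)
    for service, start, end in tickets:
        if service == want and start <= now < end:
            return service
    return None


def gssapi_settings(ssh_config_text):
    """Read the two OpenSSH client options that matter for Kerberos SSO.
    Keywords are case-insensitive in ssh_config; Host blocks are ignored
    here (assumption: one global setting)."""
    settings = {"GSSAPIAuthentication": "no", "GSSAPIDelegateCredentials": "no"}
    key_map = {k.lower(): k for k in settings}
    for line in ssh_config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in key_map:
            settings[key_map[parts[0].lower()]] = parts[1].strip().lower()
    return settings


def sso_verdict(klist_text, ssh_config_text, now):
    """Explain whether the next ssh hop from this host can be password-less."""
    parsed = parse_klist(klist_text)
    if parsed is None:
        return "no ticket cache: this login was not Kerberos (e.g. LDAP password), so no SSO"
    if valid_tgt(parsed, now) is None:
        return "ticket cache present but no valid TGT (expired or missing): no SSO"
    gss = gssapi_settings(ssh_config_text)
    if gss["GSSAPIAuthentication"] != "yes":
        return "valid TGT but GSSAPIAuthentication is off in the ssh client config: no SSO"
    if gss["GSSAPIDelegateCredentials"] != "yes":
        return "SSO for this hop, but the TGT is not forwarded: the hop after it will prompt"
    return "SSO for this hop, and the TGT is forwarded for the hop after it"


# Constructed samples modelled on the thread's klist output (realm and
# principal as shown there; "@" written out where the archive shows " at ").
LINUX_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1539201103_L8tfu1
Default principal: nathan.peters@DATACENTER.MYDOMAIN.NET

Valid starting     Expires            Service principal
03/19/15 16:44:27  03/20/15 02:44:16  krbtgt/DATACENTER.MYDOMAIN.NET@DATACENTER.MYDOMAIN.NET
        renew until 03/20/15 16:44:27
"""
SOLARIS2_KLIST = """klist: No credentials cache file found (ticket cache
FILE:/tmp/krb5cc_1539201103)
"""
SSH_CONFIG = """# constructed client config with GSSAPI enabled
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
"""
NOW = datetime(2015, 3, 19, 23, 45, 0)           # during the recorded session
AFTER_EXPIRY = datetime(2015, 3, 20, 3, 0, 0)    # after the Linux TGT expired

if __name__ == "__main__":
    print("Linux now:      " + sso_verdict(LINUX_KLIST, SSH_CONFIG, NOW))
    print("Linux later:    " + sso_verdict(LINUX_KLIST, SSH_CONFIG, AFTER_EXPIRY))
    print("Solaris 2 now:  " + sso_verdict(SOLARIS2_KLIST, SSH_CONFIG, NOW))
```

Run it as-is to see the three verdicts; on a real host, feed it the output of `klist` and the contents of `~/.ssh/config` or `/etc/ssh/ssh_config` from the machine you are about to ssh from. The check only covers the client side: the target still needs a host keytab and `GSSAPIAuthentication yes` in its `sshd_config`, as the reply notes.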
