[Freeipa-users] AD users not getting single sign on (Solaris)

Dmitri Pal dpal at redhat.com
Fri Mar 20 21:33:42 UTC 2015


On 03/20/2015 05:23 PM, nathan at nathanpeters.com wrote:
>> nathan at nathanpeters.com wrote:
>>> I have finally gotten all of my Solaris servers to accept AD users but
>>> the behavior is inconsistent.
>>>
>>> In my FreeIPA domain, I can login to a Linux server and then ssh to the
>>> Solaris server and I am automatically logged in because of my Kerberos
>>> ticket (I assume).
>>>
>>> But when I ssh from the first Solaris machine to the 2nd I am prompted
>>> for a password instead of being automatically signed in.  The strange
>>> thing is that it doesn't matter which machine I login to first, it's
>>> only the 2nd hop that asks for a password.
>>>
>>> Below is my console recording.  ipaclient1 is Linux, ipaclient5 and
>>> ipaclient6 are Solaris.
>>> Login from Linux -> Solaris 1 works without password
>>> Login from Linux -> Solaris 2 works without password
>>> Login from Solaris 1 -> Solaris 2 prompts
>>> Login from Solaris 2 -> Solaris 1 prompts.
>>>
>>> Any ideas?
>> You log into Linux and get a TGT. Using that TGT you can log into any
>> other box (Solaris or otherwise). Unless you are delegating that TGT
>> with each ssh login you won't have one after the first login to another
>> system; it will be used for authentication only.
>>
>> See the -K option of ssh, or GSSAPIDelegateCredentials yes in sshd.
>>
>> rob
>>
> Oh, I see.  Thank you, adding the Delegation line in my /etc/ssh/ssh_config
> fixed that.
>
> Two more questions:
> I seem to have to add the Delegation line in my Linux clients too.
> Dmitri's earlier answer seemed to indicate that the feature was automatic
> with the sssd but I still have to do -K or add the line to the config for
> it to work.  Was he mistaken or was I interpreting his answer wrong?

What I meant to say is that SSSD does Kerberos by default. It does not
delegate by default.
So you can hop once.
On Solaris you can't hop at all because there is no Kerberos; the auth
is done using LDAP.

>
> Second Question if you know...
> Does Solaris support host key identification the same way Linux does?  I
> noticed that my Solaris hosts do not get SSHFP entries so I assume I could
> possibly manually add the host keys and SSHFP entries for it, but there is
> no ssh_known_hosts proxy on Solaris is there?

I do not know.

>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
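The thread's fix is to turn on GSSAPI credential delegation in ssh_config so the TGT is forwarded to the first hop and can be reused for the second. Since delegation hands a copy of the TGT to every host it is enabled for, it is worth scoping the setting to the hosts that actually need it instead of `Host *`, and checking which blocks enable it. The snippet below is an added example, not code from the thread or from FreeIPA/SSSD; the ssh_config text it parses is constructed for the example, and the host names are the ones used in the thread only as sample values.

```shell
#!/bin/sh
# Added example: list the Host blocks of an ssh_config that enable
# GSSAPIDelegateCredentials (TGT forwarding), and check for a ticket.
# SAMPLE_CONFIG is a constructed ~/.ssh/config, not the poster's real file.

SAMPLE_CONFIG='Host ipaclient5 ipaclient6
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no'

# delegation_hosts: read ssh_config text on stdin and print the host
# pattern of every block whose GSSAPIDelegateCredentials is "yes".
# Options before the first Host line are reported as "(global)".
# ssh_config keywords are case-insensitive, so compare in lower case.
delegation_hosts() {
    awk '
        BEGIN { host = "(global)" }
        /^[ \t]*#/ || NF == 0 { next }            # skip comments and blanks
        tolower($1) == "host" {
            host = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", host) # strip the "Host" keyword
            next
        }
        tolower($1) == "gssapidelegatecredentials" && tolower($2) == "yes" {
            print host
        }
    '
}

# tgt_present: after logging in to the second hop, confirm a forwarded
# ticket actually arrived. klist -s exits 0 when a valid cache exists.
tgt_present() {
    klist -s 2>/dev/null
}

# usage: show which blocks forward the TGT in the constructed config
printf '%s\n' "$SAMPLE_CONFIG" | delegation_hosts
```

Running `klist` on the second Solaris host after the hop is the quickest way to tell whether the password prompt comes from a missing forwarded ticket (no cache) or from the host not doing Kerberos at all, which is the case Dmitri describes for LDAP-only Solaris clients.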