[Freeipa-users] Troubleshooting SSO
Gould, Joshua
Joshua.Gould at osumc.edu
Tue Mar 31 14:03:16 UTC 2015
Putty error was:
Event Log: GSSAPI authentication initialisation failed
Event Log: No authority could be contacted for authentication.The domain
name of the authenticating party could be wrong, the domain could be
unreachable, or there might have been a trust relationship failure.
On 3/31/15, 10:02 AM, "Gould, Joshua" <Joshua.Gould at osumc.edu> wrote:
>Klist in Windows showed one ticket for the IPA domain.
>
>#0> Client: adm-faru03 @ test.osuwmc
> Server: krbtgt/UNIX.TEST.OSUWMC @ TEST.OSUWMC
> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
> Ticket Flags 0x40a40000 -> forward able renewable pre_authent
>ok_as_delegate
> Start Time: 3/31/2015: 9:29:25 (local)
> End Time: 3/31/2015: 15:28:22 (local)
> Session Key Type: AES-256-CTS-HMAC-SHA1-96
>
>IPA and SSSD are:
>ipa-server.x86_64
>4.1.0-18.el7_1.3
>sssd.x86_64
>1.12.2-58.el7_1.6.1
>
>Kinit adm-faru03 at TEST.OSUWMC was telling. Once it reported ³kinit: KDC
>reply did not match expectations while getting initial credentials². We
>waited a minute or two (were discussing results) and tried again just
>adding the -V flag and it worked.
>
>Kvno host/mid-ipa-vp01.unix.test.osuwmc at UNIX.TEST.OSUWMC = 2
>
>Verbose logging in putty gave the following error:
>
>
>On 3/31/15, 3:30 AM, "Sumit Bose" <sbose at redhat.com> wrote:
>
>>
>>Can you do the follwoing checks:
>>
>>Can you check by calling klist in a Windows Command window if you got
>>
>>
>>a proper host/... ticket for the IPA host?
>>
>>
>>
>>
>>
>>What version of IPA and SSSD are you using.
>>
>>
>>
>>
>>
>>Can you check if the following works on a IPA host:
>>
>>
>>
>>
>>
>>kinit adm-faru03 at TEST.OSUWMC
>>
>>
>>kvno host/name.of.the.ipa-client.to.login at IPA.REALM
>>
>>
>>ssh -v -l adm-faru03 at test.osuwmc name.of.the.ipa-client.to.login
>>
>>
>
More information about the Freeipa-users
mailing list