[Freeipa-users] Troubleshooting SSO

Sumit Bose sbose at redhat.com
Tue Mar 31 14:40:49 UTC 2015 

On Tue, Mar 31, 2015 at 10:02:37AM -0400, Gould, Joshua wrote:
> Klist in Windows showed one ticket for the IPA domain.
> 
> #0>	Client: adm-faru03 @ test.osuwmc
> 	Server: krbtgt/UNIX.TEST.OSUWMC @ TEST.OSUWMC
> 	KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
> 	Ticket Flags 0x40a40000 -> forward able renewable pre_authent
> ok_as_delegate
> 	Start Time: 3/31/2015: 9:29:25 (local)
> 	End Time:   3/31/2015: 15:28:22 (local)
> 	Session Key Type: AES-256-CTS-HMAC-SHA1-96

The means that you do not have a ticket for the IPA client. Please make
sure you use 'mid-ipa-vp01.unix.test.osuwmc' as hostname with putty.

Since the AD DC gave you the cross-realm TGT (the ticket you've shown
above) I would expect that you Windows client has issues resolving a KDC
in the IPA domain. Please check on the Windows client with the nslookup
utility you DNS SRV records like

_kerberos._tcp.dc._msdcs.unix.test.osuwmc

and

_kerberos._tcp.unix.test.osuwmc

can be resolved.

> 
> IPA and SSSD are:
> ipa-server.x86_64  
> 4.1.0-18.el7_1.3
> sssd.x86_64        
> 1.12.2-58.el7_1.6.1
> 
> Kinit adm-faru03 at TEST.OSUWMC was telling. Once it reported ³kinit: KDC
> reply did not match expectations while getting initial credentials². We
> waited a minute or two (were discussing results) and tried again just
> adding the -V flag and it worked.
> 
> Kvno host/mid-ipa-vp01.unix.test.osuwmc at UNIX.TEST.OSUWMC = 2
> 
> Verbose logging in putty gave the following error:
> 

Which errors do you see when using ssh in the IPA client after calling
kinit? Or is it working in this case?

bye,
Sumit

> 
> On 3/31/15, 3:30 AM, "Sumit Bose" <sbose at redhat.com> wrote:
> 
> >
> >Can you do the follwoing checks:
> >
> >Can you check by calling klist in a Windows Command window if you got
> >                  
> >                  
> >a proper host/... ticket for the IPA host?
> >                  
> >                  
> >                  
> >                  
> >                  
> >What version of IPA and SSSD are you using.
> >                  
> >                  
> >                  
> >                  
> >                  
> >Can you check if the following works on a IPA host:
> >                  
> >                  
> >                  
> >                  
> >                  
> >kinit adm-faru03 at TEST.OSUWMC
> >                  
> >                  
> >kvno host/name.of.the.ipa-client.to.login at IPA.REALM
> >                  
> >                  
> >ssh -v -l adm-faru03 at test.osuwmc name.of.the.ipa-client.to.login
> >                  
> >                                          
> 
>

More information about the Freeipa-users mailing list