[Freeipa-users] SSH GSSAPI + FreeIPA with Windows 2008 Trust

crony leszek.mis at gmail.com
Mon May 25 07:45:11 UTC 2015


Hi All,
we have set up FreeIPA 4.1 (CentOS 7) Trust with Windows 2008R2. All (HBAC,
SUDO) works pretty well except SSH SSO using GSSAPI from Windows AD clients
(e.g. PuTTY) to Linux client machines (CentOS 6). Password authentication
works, just GSSAPI fails.

Actually, there is one scenario where SSH GSSAPI authentication works ->
when connecting to the FreeIPA master or replica (the trust was established
here), but not to FreeIPA host clients.

Important sections of configuration files (servers/clients):

/etc/ssh/sshd_config:
GSSAPIAuthentication yes
KerberosAuthentication yes

/etc/krb5.conf:
auth_to_local = RULE:[1:$1@$0](^.*@WINDOWS.DOMAIN$)s/@WINDOWS.DOMAIN/@windows.domain/
auth_to_local = DEFAULT

BTW, after I log in by password to the Linux client machine I can use GSSAPI
within the same host by ssh-ing in a loop to localhost, so locally
GSSAPI works here.

Is there something I missed?
Any help would be greatly appreciated.

/lm
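
Added example, not part of the original post: a small Python model of how the auth_to_local lines quoted above map a Kerberos principal to a local name, useful for checking which name sshd will look up for an AD user. It uses Python's re module in place of the POSIX regex matching in MIT krb5; DEFAULT_REALM and the sample principals are constructed placeholders.

```python
import re

# Rule as quoted in the post; DEFAULT_REALM is a constructed placeholder.
RULE = "RULE:[1:$1@$0](^.*@WINDOWS.DOMAIN$)s/@WINDOWS.DOMAIN/@windows.domain/"
DEFAULT_REALM = "IPA.EXAMPLE"

# RULE:[n:format](regexp)s/pattern/replacement/[g]  (simplified parser)
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")

def split_principal(principal):
    """'a/b@REALM' -> (['a', 'b'], 'REALM')"""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm

def apply_rule(rule, principal):
    """Return the local name the rule yields, or None if it does not apply."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: " + rule)
    ncomp, fmt, regexp, pat, repl, glob = m.groups()
    comps, realm = split_principal(principal)
    if len(comps) != int(ncomp):        # [1:...] only covers one-component names
        return None
    values = [realm] + comps            # $0 is the realm, $1.. the components
    selected = re.sub(r"\$(\d)", lambda d: values[int(d.group(1))], fmt)
    # The regexp must cover the whole selection string. Note that the
    # unescaped "." in WINDOWS.DOMAIN is a wildcard, not a literal dot.
    if regexp and not re.fullmatch(regexp, selected):
        return None
    if pat is not None:                 # sed-style substitution, first match unless 'g'
        selected = re.sub(pat, lambda _: repl, selected, count=0 if glob else 1)
    return selected

def default_rule(principal):
    """DEFAULT: one-component principal in the default realm maps to its name."""
    comps, realm = split_principal(principal)
    return comps[0] if len(comps) == 1 and realm == DEFAULT_REALM else None

def auth_to_local(principal):
    """Try the rules in the order they appear in krb5.conf."""
    for result in (apply_rule(RULE, principal), default_rule(principal)):
        if result is not None:
            return result
    return None

if __name__ == "__main__":
    for p in ("alice@WINDOWS.DOMAIN", "bob@IPA.EXAMPLE", "host/c1.ipa.example@IPA.EXAMPLE"):
        print(p, "->", auth_to_local(p))
```

The mapped name (for example alice@windows.domain) is the one that must resolve as a user on the SSH target host.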