[Freeipa-users] SSH GSSAPI + FreeIPA with Windows 2008 Trust

Alexander Bokovoy abokovoy at redhat.com
Mon May 25 11:25:30 UTC 2015


On Mon, 25 May 2015, crony wrote:
>Hi All,
>we have setup FreeIPA 4.1 (Centos 7) Trust with Windows 2008R2. All (HBAC,
>SUDO) works pretty well except SSH SSO using GSSAPI from Windows AD clients
>(ex. putty) to Linux client machines (Centos 6). Password authentication
>works, just gssapi fails.
Do you have anything in the SSH server logs when using a high enough
debug level?

SSH GSSAPI (single sign-on) should just work fine. On the contrary, delegation or forwarding
of credentials (i.e. Kerberos TGT from AD side being available after
login to SSH server) should not work unless ok-as-delegate flag is set
on the host principal -- see 'ipa host-mod --ok-as-delegate=TRUE'.

So what exactly is not working:

 1. Logging in without entering a password from an AD-joined Windows
station with PuTTY?

 2. Logging in without the password works but no Kerberos ticket
available in the shell?

 3. Logging in always requires password and then Kerberos ticket is not
available in the shell?

 4. Something else?

>
>Actually, there is one scenario where SSH GSSAPI authentication works ->
>when connecting to FreeIPA master or replica (trust was established here),
>but not to FreeIPA host clients.
>
>Important sections of configuration files (servers/clients):
>
>/etc/ssh/sshd_config:
>GSSAPIAuthentication yes
>KerberosAuthentication yes
Remove 'KerberosAuthentication yes'; you don't want it to be used, only
GSSAPI.

>/etc/krb5.conf:
>auth_to_local = RULE:[1:$1@$0](^.*@WINDOWS.DOMAIN$)s/@WINDOWS.DOMAIN/@windows.domain/
>auth_to_local = DEFAULT
You don't need to specify auth_to_local rules in krb5.conf in RHEL 7.1
because we now have this filled in by SSSD. As you are claiming FreeIPA
4.1 is in use, it means CentOS 7.1, thus SSSD automatically contributes
the auth_to_local plugin.

>BTW. after I log in by password to linux client machine I can use gssapi
>within the same host by ssh-ing in a loop to the localhost, so locally
>GSSAPI works here.
This is expected and is by design.


>Is there something I missed?
>Any help would be greatly appreciated.
Answer my questions above, I suspect all you need is to mark the host
principal as available for delegation.

-- 
/ Alexander Bokovoy
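The three configuration points raised in the reply above (drop KerberosAuthentication and keep only GSSAPIAuthentication in sshd_config, drop hand-written auth_to_local rules on CentOS 7.1 where SSSD supplies them, and set ok-as-delegate on the host principal before expecting a forwarded TGT) can be checked mechanically on a FreeIPA client. The script below is an added example, not code from the thread or from the FreeIPA project. It assumes that `ipa host-show FQDN --raw` prints the flag as `ipakrbokasdelegate: TRUE` and that the non-raw output prints `Trusted for delegation: True`; both spellings are assumptions, and the script takes saved copies of the files so it can be run against any host's configuration.

```bash
#!/usr/bin/env bash
# Added example (not from the original thread): triage the three items
# discussed above on a FreeIPA client.
#   1. sshd_config must enable GSSAPIAuthentication and should not enable
#      KerberosAuthentication.
#   2. krb5.conf should carry no hand-written auth_to_local rules on
#      RHEL/CentOS 7.1+, where SSSD provides the mapping plugin.
#   3. The host principal needs ok-as-delegate before an AD TGT can be
#      forwarded into the SSH session (SSO itself does not need it).
# ASSUMPTION: `ipa host-show FQDN --raw` prints "ipakrbokasdelegate: TRUE",
# and the non-raw form prints "Trusted for delegation: True". Neither
# spelling is quoted from the thread.

# Print sshd_config problems; returns 1 if any were found.
check_sshd_config() {
    local f="$1" rc=0
    if ! grep -Eiq '^[[:space:]]*GSSAPIAuthentication[[:space:]]+yes' "$f"; then
        echo "sshd_config: add 'GSSAPIAuthentication yes'"
        rc=1
    fi
    if grep -Eiq '^[[:space:]]*KerberosAuthentication[[:space:]]+yes' "$f"; then
        echo "sshd_config: remove 'KerberosAuthentication yes' (GSSAPI only)"
        rc=1
    fi
    return "$rc"
}

# Print a warning for hand-written auth_to_local rules; returns 1 if present.
check_krb5_conf() {
    local f="$1"
    if grep -Eq '^[[:space:]]*auth_to_local[[:space:]]*=' "$f"; then
        echo "krb5.conf: drop auth_to_local rules, SSSD provides the mapping"
        return 1
    fi
    return 0
}

# Returns 0 when saved `ipa host-show` output shows ok-as-delegate set.
check_ok_as_delegate() {
    local f="$1"
    if grep -Eiq '^[[:space:]]*(ipakrbokasdelegate:[[:space:]]*TRUE|Trusted for delegation:[[:space:]]*True)' "$f"; then
        return 0
    fi
    echo "host principal: run 'ipa host-mod <fqdn> --ok-as-delegate=TRUE' to allow TGT forwarding"
    return 1
}

# Usage: ssh_gssapi_triage.sh SSHD_CONFIG KRB5_CONF HOST_SHOW_OUTPUT
# Runs only when given the three paths, so sourcing the file is harmless.
if [ "$#" -eq 3 ]; then
    status=0
    check_sshd_config "$1" || status=1
    check_krb5_conf "$2" || status=1
    check_ok_as_delegate "$3" || status=1
    [ "$status" -eq 0 ] && echo "all three checks passed"
    exit "$status"
fi
```

On the client, with admin credentials in the cache, a run looks like `./ssh_gssapi_triage.sh /etc/ssh/sshd_config /etc/krb5.conf <(ipa host-show "$(hostname -f)" --raw)`. Note that a failing third check explains only missing credential delegation (scenario 2 in the reply); if password-less login itself fails (scenario 3), the sshd debug log is still the place to look.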
