[Freeipa-users] SSH GSSAPI + FreeIPA with Windows 2008 Trust

Alexander Bokovoy abokovoy at redhat.com
Tue May 26 14:45:27 UTC 2015


On Tue, 26 May 2015, Leszek Miś wrote:
>Hi Alexander,
>thank you for your fast reply.
>
>I've already executed: # ipa host-mod --ok-as-delegate=TRUE but still can't
>log in using GSSAPI to ipa clients.
>
>Please find answers below:
>1. Yes, logging in to Linux IPA Client (CentOS 6.6) without entering password
>is not working from AD-joined Windows station with PuTTY. Logging in to IPA
>Master server without entering password (using gssapi) works ok.
>2. -
>3. Logging in to ipa clients from AD-joined Windows station with PuTTY
>(0.64) always requires password and then Kerberos ticket is available in
>the shell.
>
>After I changed loglevel in /etc/sshd/sshd_config on ipa client to LogLevel
>Debug I found in /var/log/secure:
>....
>debug1: userauth-request for user leszek service ssh-connection method none
>debug1: attempt 0 failures 0
>debug1: PAM: initializing for "leszek"
>...
>debug1: Postponed gssapi-with-mic for leszek from X.X.X.X
>debug1: Got no client credentials
>Failed gssapi-with-mic for user leszek
>
>After entering password and logging in to the system I found this in
>/var/log/secure:
>...
>debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
Can you provide a full log level DEBUG3 off the list?
I'm a bit busy so it will take some time to respond.

>/var/log/sssd/sssd_domain.log
>...
>[ipa_subdom_get_forest] (0x0400: 4th component is not 'trust', nothing to
>do.
>...
This can be ignored, it is SSSD internal debug output, not related to
your issues.

-- 
/ Alexander Bokovoy



