[Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

Sumit Bose sbose at redhat.com
Mon Sep 14 07:46:38 UTC 2015


On Mon, Sep 14, 2015 at 09:24:15AM +0200, Morgan Marodin wrote:
> The Pro edition.
> 
> I've solved my connection problem: I have to specify the username manually
> (name.surname at ad_domain.com) with Microsoft SSPI.
> In this mode it is OK, but using PuTTY's "Use system username" does not work
> for me.

IIRC PuTTY strips the domain part '@ad_domain.com' here and only uses
'name.surname' to log into a client. Since by default we require a
fully-qualified name, which includes the domain part, to avoid ambiguity,
the login fails.

HTH

bye,
Sumit

> 
> 
> I don't know why :)
> Bye, Morgan
> 
> 2015-09-11 22:24 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:
> 
> > On Fri, 11 Sep 2015, Morgan Marodin wrote:
> >
> >> Hi everyone.
> >>
> >> I've seen these guides:
> >>
> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ssh.html
> >>
> >> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-ssh.html
> >>
> >> https://www.dalemacartney.com/2013/08/30/single-sign-on-sso-with-secure-shell-ssh/
> >>
> >> But I've not been able to access a freeipa client via ssh with kerberos
> >> tickets.
> >> I've also tried to install MIT kerberos on my windows 8.1, but that
> >> doesn't work either.
> >>
> > This is not required.
> >
> > What Windows 8.1 version do you have? Is it a Pro edition (the other
> > editions don't join AD)?
> >
> >> The target freeipa client is a RHEL 6.7 like distribution.
> >>
> >> Naturally trying with AD username (name.surname at mydomain.com) and
> >> password is ok.
> >>
> >> Do you have any suggestions for this problem?
> >>
> > Enable DEBUG3 level logging in sshd_config for SSH server, attempt to
> > login from Windows client and show the logs around 'userok' in the
> > resulting debug output.
> >
> > --
> > / Alexander Bokovoy
> >
> 
> 
> 
> -- 
> Morgan Marodin
> email: morgan at marodin.it
> mobile: +39.3477829069
