[Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

Morgan Marodin morgan at marodin.it
Mon Sep 14 09:16:57 UTC 2015


Ok, but now I have another problem :)

If I disable the default allow_all HBAC rule, creating one custom HBAC rule
that enables ad_admins to access any host and any service, Kerberos ticket via
SSH does not work.
Username/password authentication with the same custom HBAC rule works.

SSH logs with kerberos authentication:
Sep 14 11:04:43 ipa-client01 sshd[1728]: Authorized to
Administrator at mydomain.com, krb5 principal Administrator at MYDOMAIN.COM
(krb5_kuserok)
Sep 14 11:04:43 ipa-client01 sshd[1728]: pam_sss(sshd:account): Access
denied for user Administrator at mydomain.com: 6 (Permission denied)
Sep 14 11:04:43 ipa-client01 sshd[1729]: fatal: Access denied for user
Administrator at mydomain.com by PAM account configuration

SSH logs with username/password authentication:
Sep 14 11:10:30 ipa-client01 sshd[1766]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=192.168.0.252  user=Administrator at mydomain.com
Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_sss(sshd:auth): authentication
success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=
Administrator at mydomain.com
Sep 14 11:10:31 ipa-client01 sshd[1766]: Accepted password for
Administrator at mydomain.com from 192.168.0.252 port 49590 ssh2
Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_unix(sshd:session): session
opened for user Administrator at mydomain.com by (uid=0)

If I enable the allow_all HBAC rule, Kerberos authentication works.
Maybe there is something else to configure?

Thanks, Morgan

2015-09-14 9:48 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:

> On Mon, 14 Sep 2015, Morgan Marodin wrote:
>
>> The Pro edition.
>>
>> I've solved my connection problem, I have to specify the username manually
>> (name.surname at ad_domain.com) with Microsoft SSPI.
>> In this mode it is ok, but using PuTTY "Use system username" does not work for
>> me.
>>
>>
>> I don't know why :)
>>
> A problem is in the fact that when you use PuTTY's 'use system
> username', it only provides an unqualified name there, e.g.
> Administrator, not AD\Administrator or Administrator at AD.TEST. On the IPA
> client side AD users are fully qualified and thus the user you are trying
> to log in to (Administrator) is not the same as the user you are
> (Administrator at ad.test).
> --
> / Alexander Bokovoy
>



-- 
Morgan Marodin
email: morgan at marodin.it
mobile: +39.3477829069
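Added here as an illustration, not part of the thread: in the Kerberos attempt above, sshd authorized the principal via krb5_kuserok and the denial came later, from pam_sss in the PAM account phase, which on an IPA client is where SSSD applies HBAC; the password attempt was refused by pam_unix, accepted by pam_sss and then opened a session. The Python below groups sshd lines per PID to separate an authentication failure from an account-phase (HBAC) denial; the sample lines are constructed from the logs in this mail, with the wrapping removed and the archive's "at" restored to "@".

```python
import re
from collections import defaultdict

# Constructed sample, adapted from the sshd excerpts quoted in the mail above.
SAMPLE_LOG = """\
Sep 14 11:04:43 ipa-client01 sshd[1728]: Authorized to Administrator@mydomain.com, krb5 principal Administrator@MYDOMAIN.COM (krb5_kuserok)
Sep 14 11:04:43 ipa-client01 sshd[1728]: pam_sss(sshd:account): Access denied for user Administrator@mydomain.com: 6 (Permission denied)
Sep 14 11:04:43 ipa-client01 sshd[1729]: fatal: Access denied for user Administrator@mydomain.com by PAM account configuration
Sep 14 11:10:30 ipa-client01 sshd[1766]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=Administrator@mydomain.com
Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=Administrator@mydomain.com
Sep 14 11:10:31 ipa-client01 sshd[1766]: Accepted password for Administrator@mydomain.com from 192.168.0.252 port 49590 ssh2
Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_unix(sshd:session): session opened for user Administrator@mydomain.com by (uid=0)
"""

LINE_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)")
# Kerberos (GSSAPI) login: the principal was mapped and accepted by krb5_kuserok.
KRB5_RE = re.compile(r"Authorized to (?P<user>\S+), krb5 principal \S+ \(krb5_kuserok\)")
PASS_RE = re.compile(r"Accepted password for (?P<user>\S+) from")
# Denial in the PAM *account* phase: authentication already succeeded,
# so on an IPA client this is SSSD's HBAC evaluation saying no.
DENY_RE = re.compile(r"pam_sss\(sshd:account\): Access denied for user (?P<user>\S+):")
SESSION_RE = re.compile(r"session opened for user (?P<user>\S+)")


def classify_sessions(log_text):
    """Return {pid: (method, user, outcome)} for each sshd login attempt.

    method is "krb5" or "password"; outcome is "opened", "account_denied"
    (authenticated but rejected by pam_sss account, i.e. HBAC on IPA) or "unknown".
    """
    attempts = defaultdict(lambda: {"method": None, "user": None, "denied": False, "opened": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        a, msg = attempts[m.group("pid")], m.group("msg")
        if k := KRB5_RE.search(msg):
            a["method"], a["user"] = "krb5", k.group("user")
        elif p := PASS_RE.search(msg):
            a["method"], a["user"] = "password", p.group("user")
        elif d := DENY_RE.search(msg):
            a["denied"], a["user"] = True, d.group("user")
        elif SESSION_RE.search(msg):
            a["opened"] = True
    result = {}
    for pid, a in attempts.items():
        if a["method"] is None:
            continue  # e.g. the separate "fatal:" line, which names no auth method
        outcome = "account_denied" if a["denied"] else ("opened" if a["opened"] else "unknown")
        result[pid] = (a["method"], a["user"], outcome)
    return result
```

A "krb5" attempt ending in "account_denied" means the ticket was fine and the HBAC rule (or the user's group membership as seen by SSSD) is what to check next.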