[Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

Morgan Marodin morgan at marodin.it
Mon Sep 14 12:44:58 UTC 2015


Now it is working, with the same configuration ...
Could it be that there is some delay on the trust if the AD group was a new one?

Thanks, Morgan

2015-09-14 11:35 GMT+02:00 Sumit Bose <sbose at redhat.com>:

> On Mon, Sep 14, 2015 at 11:16:57AM +0200, Morgan Marodin wrote:
> > Ok, but now I have another problem :)
> >
> > If I disable the default allow_all HBAC rule, creating one custom HBAC
> > rule that enables ad_admins to access any host and any service, Kerberos
> > ticket authentication via ssh does not work.
> > Username/password authentication with the same custom HBAC rules works.
> >
> > SSH logs with kerberos authentication:
> > Sep 14 11:04:43 ipa-client01 sshd[1728]: Authorized to
> > Administrator at mydomain.com, krb5 principal Administrator at MYDOMAIN.COM
> > (krb5_kuserok)
> > Sep 14 11:04:43 ipa-client01 sshd[1728]: pam_sss(sshd:account): Access
> > denied for user Administrator at mydomain.com: 6 (Permission denied)
> > Sep 14 11:04:43 ipa-client01 sshd[1729]: fatal: Access denied for user
> > Administrator at mydomain.com by PAM account configuration
> >
> > SSH logs with username/password authentication:
> > Sep 14 11:10:30 ipa-client01 sshd[1766]: pam_unix(sshd:auth):
> > authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> > rhost=192.168.0.252  user=Administrator at mydomain.com
> > Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_sss(sshd:auth):
> authentication
> > success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=
> > Administrator at mydomain.com
> > Sep 14 11:10:31 ipa-client01 sshd[1766]: Accepted password for
> > Administrator at mydomain.com from 192.168.0.252 port 49590 ssh2
> > Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_unix(sshd:session): session
> > opened for user Administrator at mydomain.com by (uid=0)
> >
> > If I enable allow_all HBAC rule kerberos authentication works.
> > Maybe there is something else to configure?
>
> No, the HBAC result should not change depending on the authentication
> method. Can you send me the SSSD logs with a high debug level (10) for
> both cases? If you prefer you can send them to me directly.
>
> bye,
> Sumit
>
> >
> > Thanks, Morgan
> >
> > 2015-09-14 9:48 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:
> >
> > > On Mon, 14 Sep 2015, Morgan Marodin wrote:
> > >
> > >> The Pro edition.
> > >>
> > >> I've solved my connection problem, I have to specify the username
> > >> manually (name.surname at ad_domain.com) with Microsoft SSPI.
> > >> In this mode it is ok, but using PuTTY "Use system username" does not
> > >> work for me.
> > >>
> > >>
> > >> I don't know why :)
> > >>
> > > A problem is in the fact that when you use PuTTY's 'use system
> > > username', it only provides an unqualified name there, e.g.
> > > Administrator, not AD\Administrator or Administrator at AD.TEST. On the IPA
> > > client side AD users are fully qualified and thus the user you are trying
> > > to log in as (Administrator) is not the same as the user you are
> > > (Administrator at ad.test).
> > > --
> > > / Alexander Bokovoy
> > >
> >


-- 
Morgan Marodin
email: morgan at marodin.it
mobile: +39.3477829069
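The two sshd excerpts in the thread show the pattern worth alerting on: the same AD user passes the Kerberos authentication step (krb5_kuserok) but is rejected in the PAM account phase by pam_sss, while a password login for the same user opens a session. Sumit's point is that HBAC should not depend on the authentication method, so a divergence like this is a sign of a trust, group-resolution or SSSD cache problem rather than a policy decision. The script below is an added example written for this page, not code from the thread or from the FreeIPA or SSSD projects. It parses constructed sshd/pam_sss lines modelled on the quoted ones (the archive prints "Administrator at mydomain.com"; the sample uses the real "@" form that appears in /var/log/secure), folds them into login attempts with a method and an outcome, and flags users whose outcome differs by method. The event kinds, field names and the `summarize_attempts` / `method_dependent_denials` functions are this example's own conventions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the sshd/pam_sss lines quoted in the thread.
# Note the Kerberos attempt spans two sshd PIDs (1728 and its child 1729),
# so grouping by PID alone would split that attempt in two.
SAMPLE_LOG = """\
Sep 14 11:04:43 ipa-client01 sshd[1728]: Authorized to Administrator@mydomain.com, krb5 principal Administrator@MYDOMAIN.COM (krb5_kuserok)
Sep 14 11:04:43 ipa-client01 sshd[1728]: pam_sss(sshd:account): Access denied for user Administrator@mydomain.com: 6 (Permission denied)
Sep 14 11:04:43 ipa-client01 sshd[1729]: fatal: Access denied for user Administrator@mydomain.com by PAM account configuration
Sep 14 11:10:30 ipa-client01 sshd[1766]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252  user=Administrator@mydomain.com
Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=Administrator@mydomain.com
Sep 14 11:10:31 ipa-client01 sshd[1766]: Accepted password for Administrator@mydomain.com from 192.168.0.252 port 49590 ssh2
Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_unix(sshd:session): session opened for user Administrator@mydomain.com by (uid=0)
"""

# Syslog prefix as written by sshd: "Mon DD HH:MM:SS host sshd[pid]: message".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Message bodies mapped to event kinds (names chosen for this example).
# The "user" group captures the login name exactly as sshd/PAM printed it.
EVENT_PATTERNS = [
    ("krb5_authorized", re.compile(r"^Authorized to (?P<user>\S+), krb5 principal (?P<principal>\S+) \(krb5_kuserok\)")),
    ("account_denied", re.compile(r"^pam_sss\(sshd:account\): Access denied for user (?P<user>\S+):")),
    ("fatal_denied", re.compile(r"^fatal: Access denied for user (?P<user>\S+) by PAM account configuration")),
    ("pam_auth_success", re.compile(r"^pam_sss\(sshd:auth\): authentication success;.*\buser=(?P<user>\S+)")),
    # pam_unix always fails for a user with no local passwd entry; for AD users this
    # line is expected noise that precedes the pam_sss success, not an attack signal.
    ("pam_unix_failure", re.compile(r"^pam_unix\(sshd:auth\): authentication failure;.*\buser=(?P<user>\S+)")),
    ("accepted", re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<rhost>\S+) port \d+")),
    ("session_opened", re.compile(r"^pam_unix\(sshd:session\): session opened for user (?P<user>\S+)")),
]


def parse_events(text):
    """Turn raw sshd log text into a list of event dicts, skipping unrecognised lines."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        for kind, pat in EVENT_PATTERNS:
            em = pat.match(m.group("msg"))
            if em:
                ev = {"ts": m.group("ts"), "host": m.group("host"), "pid": m.group("pid"), "kind": kind}
                ev.update(em.groupdict())
                events.append(ev)
                break
    return events


def summarize_attempts(events):
    """Fold each user's event stream into login attempts carrying method and outcome.

    An attempt is closed by a terminal event: the sshd "fatal" denial or the
    PAM session open. Grouping is by user rather than PID because sshd's
    privilege-separated child logs the final denial under a different PID.
    """
    attempts = []
    open_attempts = {}
    for ev in events:
        user = ev.get("user")
        if user is None:
            continue
        att = open_attempts.setdefault(user, {
            "user": user, "host": ev["host"], "start": ev["ts"],
            "method": None, "outcome": None, "rhost": None, "pids": set(),
        })
        att["pids"].add(ev["pid"])
        kind = ev["kind"]
        if kind == "krb5_authorized":
            att["method"] = "kerberos"
        elif kind in ("pam_auth_success", "accepted"):
            # A PAM auth-phase success means a password/OTP-style credential, not GSSAPI.
            att["method"] = ev.get("method", "password")
            att["rhost"] = ev.get("rhost", att["rhost"])
        elif kind == "account_denied":
            att["outcome"] = "denied_by_account_phase"
        elif kind == "fatal_denied":
            att["outcome"] = att["outcome"] or "denied_by_account_phase"
            attempts.append(open_attempts.pop(user))
        elif kind == "session_opened":
            att["outcome"] = "session_opened"
            attempts.append(open_attempts.pop(user))
    attempts.extend(open_attempts.values())  # attempts that never reached a terminal event
    return attempts


def method_dependent_denials(attempts):
    """Flag users denied in the account phase with one method but admitted with another.

    HBAC is evaluated in the PAM account phase regardless of how the user
    authenticated, so this divergence points at a lookup/trust problem on the
    client, not at the HBAC rule itself.
    """
    by_user = defaultdict(dict)
    for a in attempts:
        by_user[a["user"]].setdefault(a["method"], set()).add(a["outcome"])
    flagged = []
    for user, per_method in by_user.items():
        denied = {m for m, outcomes in per_method.items() if "denied_by_account_phase" in outcomes}
        allowed = {m for m, outcomes in per_method.items() if "session_opened" in outcomes}
        if denied and allowed and denied != allowed:
            flagged.append({"user": user, "denied_with": sorted(denied), "allowed_with": sorted(allowed)})
    return flagged


if __name__ == "__main__":
    attempts = summarize_attempts(parse_events(SAMPLE_LOG))
    for a in attempts:
        print(f"{a['start']} {a['user']} via {a['method']}: {a['outcome']} (pids {sorted(a['pids'])})")
    for f in method_dependent_denials(attempts):
        print("INVESTIGATE:", f)
```

Run against /var/log/secure (or `journalctl -u sshd`) output instead of the sample and the flagged list is the set of users to chase with the SSSD debug logs Sumit asks for; an empty list with allow_all disabled means HBAC is behaving consistently across methods.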