[Freeipa-users] SSH using putty to IPA client

Alexander Bokovoy abokovoy at redhat.com
Mon Nov 28 13:15:49 UTC 2016


On Mon, 28 Nov 2016, Troels Hansen wrote:
>Hi all
>
>Just wanted to follow up on my recent findings in regards to IPA - AD
>trust and Kerberos delegation, as we gave up on this and just lived
>with it not working.
>
>In the end we ended up discovering that for Kerberos trust delegation
>to work, ldap/udp inbound HAS to be open on the IPA server!
Correct, this is the so-called CLDAP protocol (connectionless LDAP,
389/UDP), which is key to DC resolution for AD domains.

This requirement is documented in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#trust-req-ports

>
>
>
>----- On Sep 28, 2016, at 11:48 AM, Sumit Bose sbose at redhat.com wrote:
>
>> On Wed, Sep 28, 2016 at 11:30:56AM +0200, Troels Hansen wrote:
>>>
>>> > Yes, this makes sense as well. If you are not in the forest root you
>>> > first need a cross-realm TGT for your domain and the forest root. Then
>>> > you need a cross-realm TGT for the forest root and the IPA domain.
>>> >
>>> > As a next step you should see a request to the IPA KDC to get the actual
>>> > service ticket for the host in the IPA domain.
>>>
>>> Yes, this is the traffic that's never seen in the capture.
>>> It seems Windows (PuTTY) never asks for a host ticket for the IPA host. I
>>> receive the krbtgt for the IPA domain, but never see any traffic from the
>>> Windows client to IPA, and thus never receive the host ticket on the Windows
>>> client.
>>
>> Please check the other traffic on the client after receiving the
>> cross-realm ticket for the IPA domain. Since the client gets the name of
>> the IPA realm from the AD DC in the last response, I would expect that it
>> will try some DNS SRV lookups to find a KDC in the IPA realm.
>>
>> HTH
>>
>> bye,
>> Sumit
>>
>>>
>>> I'm not at all sure how Kerberos works in PuTTY, but it seems it uses its own
>>> Kerberos libraries and that these fail.
>>>
>>> A Linux host not joined to IPA, just installed with Kerberos and using DNS config in
>>> krb5.conf, can kinit in the NET domain and ssh to IPA using Kerberos just fine,
>>> so it seems the problem just relates to PuTTY.
>
>-- 
>Kind regards
>
>Troels Hansen
>
>System consultant
>
>Casalogic A/S
>
>
>T (+45) 70 20 10 63
>
>M (+45) 22 43 71 57
>
>Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
>
>-- 
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project

-- 
/ Alexander Bokovoy
