[Freeipa-users] Active directory trust and SSH

Tomas Krizek tkrizek at redhat.com
Tue Sep 6 06:30:31 UTC 2016


On 09/06/2016 07:02 AM, Jim Richard wrote:
> So I have two-way trust setup and it seems to work.
>
> And as described here: 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html
>
> SSSD allows user names in the 
> format user@AD.DOMAIN, ad.domain\user and AD\user
>
> That works just as described.
>
> I have two domains/realms - idm.placeiq.net and idm-ad.placeiq.net, 
> the second being the Active Directory domain.
>
> My desire is to have AD be the source for all user/authentication - 
> the AD users will use their creds to ssh in to all of the CentOS hosts 
> in the idm.placeiq.net domain.
>
> The hosts that live in IDM are a combination of CentOS 6.8 and 7.X hosts.
>
> How can I make it so a user does not have to:
>
> ssh 'IDM-AD\Administrator'@hostname or ssh 
> Administrator@idm-ad.placeiq.net@hostname
>
> Instead when I say Administrator@hostname it auto-magically knows I 
> mean "ssh Administrator@idm-ad.placeiq.net@10.1.41.202"
>
> I’ve tried modifying krb5.conf as such but it seems like I’m missing 
> a step.
>
> [libdefaults]
>   #default_realm = IDM.PLACEIQ.NET
>   default_realm = IDM-AD.PLACEIQ.NET
>
>
> I think my clients use the localauth plugin but I’m not entirely sure. 
> If so, how can I configure its behavior?
>
> Jim Richard
> SYSTEM ADMINISTRATOR III
> (646) 338-8905
>
> PlaceIQ:Location Data Accuracy
>
I don't think what you're asking for is possible to do as a FreeIPA 
configuration. The documentation describes how to login without 
prompting for passwords, but I think it is still necessary to provide 
the username with AD realm when logging in.

If you're always logging in as the same user to certain machines, you 
could configure a default user in the ssh_config.

Perhaps someone else will have a better answer.

-- 
Tomas Krizek
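As an added illustration of the ssh_config suggestion above (not part of Tomas's reply or any FreeIPA/SSSD documentation), here is a client-side ~/.ssh/config that makes plain `ssh host` use the AD-qualified account for the IPA hosts from the question. It assumes the host names, the IP address 10.1.41.202 and the Administrator account in the IDM-AD.PLACEIQ.NET realm exactly as Jim described them.

```ssh_config
# ~/.ssh/config on the admin workstation (added example, not from the thread).
# ssh_config is first-match-wins: the specific Host blocks must appear
# before any catch-all "Host *" block, or their User setting is ignored.

# Hosts in the IPA domain: supply the AD-qualified user name so that
#   ssh host1.idm.placeiq.net
# behaves like
#   ssh Administrator@idm-ad.placeiq.net@host1.idm.placeiq.net
Host *.idm.placeiq.net
    User Administrator@idm-ad.placeiq.net
    # Use the Kerberos ticket from the AD realm instead of a password prompt
    # (obtain it first with: kinit Administrator@IDM-AD.PLACEIQ.NET).
    GSSAPIAuthentication yes

# A host reached by IP address never matches the *.idm.placeiq.net pattern,
# so it needs its own entry (address taken from the question).
Host 10.1.41.202
    User Administrator@idm-ad.placeiq.net
    GSSAPIAuthentication yes

# Everything else keeps the local login name and default settings.
Host *
    GSSAPIAuthentication no
```

To confirm what OpenSSH will actually send, run `ssh -G host1.idm.placeiq.net | grep -i '^user '` (the `-G` option prints the effective configuration without connecting).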
