[Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust

Sumit Bose sbose at redhat.com
Wed Sep 7 07:43:00 UTC 2016


On Wed, Sep 07, 2016 at 10:27:17AM +0300, Alexander Bokovoy wrote:
> On Wed, 07 Sep 2016, Troels Hansen wrote:
> > Running RHEL 7.2, IPA 4.2 and SSSD 1.13, we have set up an IPA-AD trust
> > and are trying to get Putty GSSAPI login to work.  In Putty GSSAPI has
> > been enabled, and GSSAPI is enabled in sshd.
> > 
> > Logging in using password from Windows to Linux works, and logging in
> > from Linux to Linux using kerberos works.
> > 
> > AD trust is as follows:
> > 
> > # ipa trust-find
> > ----------------
> > 2 trusts matched
> > ----------------
> > Realm name: net.dr.dk
> > Domain NetBIOS name: NET
> > Domain Security Identifier: S-1-5-21-xxxxxxxxx-xxxxxxxx-xxxxxxxx
> > 
> > Realm name: place.dr.dk
> > Domain NetBIOS name: PLACE
> > Domain Security Identifier: S-1-5-21-xxxxxx-xxxxxx-xxxxxxx
> > Trust type: Active Directory domain
> > ----------------------------
> > Number of entries returned 2
> > ----------------------------
> > 
> > # ipa trust-show place.dr.dk
> > Realm name: place.dr.dk
> > Domain NetBIOS name: PLACE
> > Domain Security Identifier: S-1-5-21-xxxx-xxxx-xxxxx
> > Trust direction: Trusting forest
> > Trust type: Active Directory domain
> > 
> > # ipa trust-show net.dr.dk
> > Realm name: net.dr.dk
> > Domain NetBIOS name: NET
> > Domain Security Identifier: S-1-5-21-xxxxxxxxxxxxx-xxxxxxxxxxxx-xxxxxxxxxx
> > 
> > users are located in net.dr.dk.
> > 
> > From looking at the docs this should just work... However, can't get
> > it to work. Am I missing something?
> Make screenshots of PuTTY screens showing what you configured and what
> does not work. You can also ask PuTTY to generate logs.

Additionally, please check the klist output on the Windows client. It
should show the host principal of the Linux client
(host/client.ipa.domain@IPA.DOMAIN). If the principal is there, the sshd
logs on the Linux client with a high debug level might also have some
hints why GSSAPI authentication failed.

HTH

bye,
Sumit
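
The two checks suggested above, as an added example that is not part of the original message: it reads a saved `klist` capture from the Windows client and a saved `sshd -T` capture from the Linux client and reports which side to look at next. The function names, file names and sample captures are constructed for illustration; client.ipa.domain and IPA.DOMAIN are the placeholder names used in the message.

```sh
#!/bin/sh
# Added example, not from the thread. Inputs are saved text captures:
#   klist capture   - `klist` output from the Windows client after a PuTTY attempt
#   sshd -T capture - `sshd -T` output (run as root) from the Linux client

# True if the ticket cache holds a service ticket for host/<fqdn>@<REALM>.
has_host_ticket() {  # $1=klist capture  $2=client FQDN  $3=IPA realm
    want=$(printf 'server:host/%s@%s' "$2" "$3" | tr '[:upper:]' '[:lower:]')
    # Windows klist prints "Server: name @ REALM": strip blanks/CRs, fold case.
    tr -d ' \t\r' < "$1" | tr '[:upper:]' '[:lower:]' | grep -Fxq "$want"
}

# True if the effective sshd configuration has GSSAPI authentication on.
gssapi_enabled() {  # $1=sshd -T capture
    grep -qix 'gssapiauthentication yes' "$1"
}

# Prints the next step: no-ticket, gssapi-off or check-sshd-logs.
diagnose() {  # $1=klist capture  $2=sshd -T capture  $3=FQDN  $4=realm
    if ! has_host_ticket "$1" "$3" "$4"; then
        echo no-ticket        # Windows never obtained the host ticket
    elif ! gssapi_enabled "$2"; then
        echo gssapi-off       # ticket exists but sshd will not accept GSSAPI
    else
        echo check-sshd-logs  # raise sshd logging (LogLevel DEBUG3) and retry
    fi
}

# Constructed, abridged sample captures using the thread's placeholder names.
tmp=$(mktemp -d)
cat > "$tmp/klist.txt" <<'EOF'
Cached Tickets: (2)

#0>     Client: user @ NET.DR.DK
        Server: krbtgt/NET.DR.DK @ NET.DR.DK
#1>     Client: user @ NET.DR.DK
        Server: host/client.ipa.domain @ IPA.DOMAIN
EOF
printf 'port 22\ngssapiauthentication yes\n' > "$tmp/sshd_T.txt"
diagnose "$tmp/klist.txt" "$tmp/sshd_T.txt" client.ipa.domain IPA.DOMAIN
```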
