[Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust

Troels Hansen th at casalogic.dk
Wed Sep 7 07:49:35 UTC 2016


When logging in, putty only shows: 
Using username "drextrha@net.dr.dk". 
drextrha@net.dr.dk@rhel02udv.linux.dr.dk's password: 

Putty log shows it's only using SSPI, secur32.dll for GSSAPI, but fails: 

Event Log: Using SSPI from SECUR32.DLL 
Event Log: Attempting GSSAPI authentication 
Outgoing packet #0x6, type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST) 
00000000 00 00 00 12 64 72 65 78 74 72 68 61 40 6e 65 74 ....drextrha@net 
00000010 2e 64 72 2e 64 6b 00 00 00 0e 73 73 68 2d 63 6f .dr.dk....ssh-co 
00000020 6e 6e 65 63 74 69 6f 6e 00 00 00 0f 67 73 73 61 nnection....gssa 
00000030 70 69 2d 77 69 74 68 2d 6d 69 63 00 00 00 01 00 pi-with-mic..... 
00000040 00 00 0b 06 09 2a 86 48 86 f7 12 01 02 02 .....*.H...... 
Incoming packet #0x6, type 60 / 0x3c (SSH2_MSG_USERAUTH_GSSAPI_RESPONSE) 
00000000 00 00 00 0b 06 09 2a 86 48 86 f7 12 01 02 02 ......*.H...... 
Event Log: GSSAPI authentication initialisation failed 
Event Log: The target was not recognized. 

----- On Sep 7, 2016, at 9:27 AM, Alexander Bokovoy <abokovoy at redhat.com> wrote: 

> On Wed, 07 Sep 2016, Troels Hansen wrote:

>> Running RHEL 7.2, IPA 4.2 and SSSD 1.13, we have set up an IPA-AD trust
>> and are trying to get Putty GSSAPI login to work. In Putty GSSAPI has
>> been enabled, and GSSAPI is enabled in sshd.

>> Logging in using password from Windows to Linux works, and logging in
>> from Linux to Linux using kerberos works.

>> AD trust is as follows:

>> # ipa trust-find
>> ----------------
>> 2 trusts matched
>> ----------------
>> Realm name: net.dr.dk
>> Domain NetBIOS name: NET
>> Domain Security Identifier: S-1-5-21-xxxxxxxxx-xxxxxxxx-xxxxxxxx

>> Realm name: place.dr.dk
>> Domain NetBIOS name: PLACE
>> Domain Security Identifier: S-1-5-21-xxxxxx-xxxxxx-xxxxxxx
>> Trust type: Active Directory domain
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------

>> # ipa trust-show place.dr.dk
>> Realm name: place.dr.dk
>> Domain NetBIOS name: PLACE
>> Domain Security Identifier: S-1-5-21-xxxx-xxxx-xxxxx
>> Trust direction: Trusting forest
>> Trust type: Active Directory domain

>> # ipa trust-show net.dr.dk
>> Realm name: net.dr.dk
>> Domain NetBIOS name: NET
>> Domain Security Identifier: S-1-5-21-xxxxxxxxxxxxx-xxxxxxxxxxxx-xxxxxxxxxx

>> users are located in net.dr.dk.

>>> From looking at the docs this should just work... However, can't get
>>> it to work. Am I missing something?
> Make screenshots of PuTTY screens showing what you configured and what
> does not work. You can also ask PuTTY to generate logs.

> --
> / Alexander Bokovoy

-- 

Kind regards 

Troels Hansen 

System Consultant 

Casalogic A/S 

T (+45) 70 20 10 63 

M (+45) 22 43 71 57 
Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more. 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gssapi.png
Type: image/png
Size: 45392 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160907/e8a3190d/attachment.png>
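
Added example (not part of the original message, and not PuTTY or FreeIPA code): a small Python decoder for the two packet payloads in the PuTTY log above, following the gssapi-with-mic layout of RFC 4462. It shows that the client offered a single mechanism, OID 1.2.840.113554.1.2.2 (Kerberos 5), and that the server's response selected the same OID, so the error logged afterwards is not a mechanism mismatch. The function names are illustrative; the byte strings are copied from the log.

```python
import struct

# Payloads copied from the PuTTY log above (bytes after the message-type byte).
REQUEST = bytes.fromhex("""
00 00 00 12 64 72 65 78 74 72 68 61 40 6e 65 74
2e 64 72 2e 64 6b 00 00 00 0e 73 73 68 2d 63 6f
6e 6e 65 63 74 69 6f 6e 00 00 00 0f 67 73 73 61
70 69 2d 77 69 74 68 2d 6d 69 63 00 00 00 01 00
00 00 0b 06 09 2a 86 48 86 f7 12 01 02 02
""")
RESPONSE = bytes.fromhex("00 00 00 0b 06 09 2a 86 48 86 f7 12 01 02 02")

def read_string(buf, pos):
    """Read an SSH string (uint32 length, then bytes); return (data, next_pos)."""
    (n,) = struct.unpack_from(">I", buf, pos)
    if pos + 4 + n > len(buf):
        raise ValueError("string runs past end of packet")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def decode_oid(der):
    """Decode a DER OBJECT IDENTIFIER (tag 0x06, short-form length)."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2 or der[-1] & 0x80:
        raise ValueError("not a well-formed short DER OID")
    subids, value = [], 0
    for b in der[2:]:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit means "more follows"
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)         # first two arcs share one sub-identifier
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def parse_request(payload):
    """Parse a gssapi-with-mic SSH2_MSG_USERAUTH_REQUEST payload."""
    user, pos = read_string(payload, 0)
    service, pos = read_string(payload, pos)
    method, pos = read_string(payload, pos)
    if method != b"gssapi-with-mic":
        raise ValueError("not a gssapi-with-mic request")
    (count,), pos = struct.unpack_from(">I", payload, pos), pos + 4
    mechs = []
    for _ in range(count):
        der, pos = read_string(payload, pos)
        mechs.append(decode_oid(der))
    return {"user": user.decode(), "service": service.decode(), "mechs": mechs}

def parse_response(payload):
    """Return the mechanism OID from SSH2_MSG_USERAUTH_GSSAPI_RESPONSE."""
    return decode_oid(read_string(payload, 0)[0])
```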
