[Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust

Alexander Bokovoy abokovoy at redhat.com
Wed Sep 7 07:55:27 UTC 2016


On Wed, 07 Sep 2016, Troels Hansen wrote:
>When logging in, putty only shows:
>Using username "drextrha@net.dr.dk".
>drextrha@net.dr.dk@rhel02udv.linux.dr.dk's password:
>
>PuTTY log shows it's only using SSPI, secur32.dll for GSSAPI, but fails:
>
>Event Log: Using SSPI from SECUR32.DLL
>Event Log: Attempting GSSAPI authentication
>Outgoing packet #0x6, type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST)
>00000000 00 00 00 12 64 72 65 78 74 72 68 61 40 6e 65 74 ....drextrha@net
>00000010 2e 64 72 2e 64 6b 00 00 00 0e 73 73 68 2d 63 6f .dr.dk....ssh-co
>00000020 6e 6e 65 63 74 69 6f 6e 00 00 00 0f 67 73 73 61 nnection....gssa
>00000030 70 69 2d 77 69 74 68 2d 6d 69 63 00 00 00 01 00 pi-with-mic.....
>00000040 00 00 0b 06 09 2a 86 48 86 f7 12 01 02 02 .....*.H......
>Incoming packet #0x6, type 60 / 0x3c (SSH2_MSG_USERAUTH_GSSAPI_RESPONSE)
>00000000 00 00 00 0b 06 09 2a 86 48 86 f7 12 01 02 02 ......*.H......
>Event Log: GSSAPI authentication initialisation failed
>Event Log: The target was not recognized.
"Target was not recognized" means the AD DC doesn't know that
rhel02udv.linux.dr.dk belongs to the LINUX.DR.DK realm and thus has to
forward the authentication requests there.

What do you have in the trust properties on the AD side? Specifically, what
do the name routing suffixes show there?

>
>----- On Sep 7, 2016, at 9:27 AM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>
>> On Wed, 07 Sep 2016, Troels Hansen wrote:
>
>>> Running RHEL 7.2, IPA 4.2 and SSSD 1.13, we have set up an IPA-AD trust
>>> and are trying to get PuTTY GSSAPI login to work. In PuTTY GSSAPI has
>>> been enabled, and GSSAPI is enabled in sshd.
>
>>> Logging in using password from Windows to Linux works, and logging in
>>> from Linux to Linux using kerberos works.
>
>>> AD trust is as follows:
>
>>> # ipa trust-find
>>> ----------------
>>> 2 trusts matched
>>> ----------------
>>> Realm name: net.dr.dk
>>> Domain NetBIOS name: NET
>>> Domain Security Identifier: S-1-5-21-xxxxxxxxx-xxxxxxxx-xxxxxxxx
>
>>> Realm name: place.dr.dk
>>> Domain NetBIOS name: PLACE
>>> Domain Security Identifier: S-1-5-21-xxxxxx-xxxxxx-xxxxxxx
>>> Trust type: Active Directory domain
>>> ----------------------------
>>> Number of entries returned 2
>>> ----------------------------
>
>>> # ipa trust-show place.dr.dk
>>> Realm name: place.dr.dk
>>> Domain NetBIOS name: PLACE
>>> Domain Security Identifier: S-1-5-21-xxxx-xxxx-xxxxx
>>> Trust direction: Trusting forest
>>> Trust type: Active Directory domain
>
>>> # ipa trust-show net.dr.dk
>>> Realm name: net.dr.dk
>>> Domain NetBIOS name: NET
>>> Domain Security Identifier: S-1-5-21-xxxxxxxxxxxxx-xxxxxxxxxxxx-xxxxxxxxxx
>
>>> users are located in net.dr.dk.
>
>>> From looking at the docs this should just work... However, I can't get
>>> it to work. Am I missing something?
>> Make screenshots of PuTTY screens showing what you configured and what
>> does not work. You can also ask PuTTY to generate logs.
>
>> --
>> / Alexander Bokovoy
>
>-- 
>
>Med venlig hilsen
>
>Troels Hansen
>
>Systemkonsulent
>
>Casalogic A/S
>
>T (+45) 70 20 10 63
>
>M (+45) 22 43 71 57
>Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos og meget mere.



-- 
/ Alexander Bokovoy
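The two packets in the PuTTY log pin down where the login stops, and that is worth seeing in code rather than by eye. The decoder below is an added example, not code from the thread, from PuTTY or from FreeIPA: it parses the SSH2_MSG_USERAUTH_REQUEST and SSH2_MSG_USERAUTH_GSSAPI_RESPONSE bodies exactly as logged above (the hex is copied from the log; everything else is constructed), decodes the DER OID both sides carry, and shows that the server accepted the Kerberos V5 mechanism. Everything after that point is SSPI asking the client's own AD DC for a service ticket, which is why the "target was not recognized" error points at AD's knowledge of the target realm and not at sshd. The host/<fqdn> SPN form and the `diagnose()` helper are assumptions of this example, not something the thread states.

```python
"""Decode the SSH GSSAPI userauth exchange from a PuTTY packet log (RFC 4252 / RFC 4462)."""
import struct

KRB5_MECH_OID = "1.2.840.113554.1.2.2"  # RFC 1964 Kerberos V5 GSS-API mechanism

# Hex copied from the PuTTY log in the thread: the packet body after the type byte.
USERAUTH_REQUEST_HEX = """
00 00 00 12 64 72 65 78 74 72 68 61 40 6e 65 74
2e 64 72 2e 64 6b 00 00 00 0e 73 73 68 2d 63 6f
6e 6e 65 63 74 69 6f 6e 00 00 00 0f 67 73 73 61
70 69 2d 77 69 74 68 2d 6d 69 63 00 00 00 01 00
00 00 0b 06 09 2a 86 48 86 f7 12 01 02 02
"""
USERAUTH_GSSAPI_RESPONSE_HEX = "00 00 00 0b 06 09 2a 86 48 86 f7 12 01 02 02"


def hexdump_to_bytes(text):
    """Turn the space/newline separated hex column of a PuTTY log into bytes."""
    return bytes.fromhex("".join(text.split()))


def read_string(buf, off):
    """RFC 4251 'string': uint32 big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + n], off + n


def decode_oid(der):
    """Decode a DER OBJECT IDENTIFIER (tag 0x06, short-form length) to dotted notation."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("not a DER-encoded OID")
    body = der[2:]
    arcs = [body[0] // 40, body[0] % 40]  # first byte packs the first two arcs
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def parse_userauth_request(payload):
    """Parse SSH2_MSG_USERAUTH_REQUEST; for gssapi-with-mic also the offered mechanism OIDs."""
    off = 0
    user, off = read_string(payload, off)
    service, off = read_string(payload, off)
    method, off = read_string(payload, off)
    result = {"user": user.decode(), "service": service.decode(), "method": method.decode()}
    if result["method"] == "gssapi-with-mic":
        (count,) = struct.unpack_from(">I", payload, off)
        off += 4
        mechs = []
        for _ in range(count):
            oid_der, off = read_string(payload, off)
            mechs.append(decode_oid(oid_der))
        result["mechanisms"] = mechs
    if off != len(payload):
        raise ValueError("trailing data in userauth request")
    return result


def parse_gssapi_response(payload):
    """SSH2_MSG_USERAUTH_GSSAPI_RESPONSE carries the single mechanism OID the server chose."""
    oid_der, off = read_string(payload, 0)
    if off != len(payload):
        raise ValueError("trailing data in GSSAPI response")
    return decode_oid(oid_der)


def diagnose(request, selected_mech, ssh_host):
    """Say which stage failed and what SSPI has to obtain next.

    Assumption (not from the thread): for SSH the client requests a ticket for
    host/<fqdn>, and the realm for that SPN is found by routing the host's DNS suffix.
    """
    if selected_mech not in request.get("mechanisms", []):
        return {"stage": "ssh mechanism negotiation", "spn": None, "dns_suffix": None}
    return {
        "stage": "GSS context setup (Kerberos service ticket request)",
        "spn": f"host/{ssh_host}",
        "dns_suffix": ssh_host.split(".", 1)[1] if "." in ssh_host else None,
    }


if __name__ == "__main__":
    req = parse_userauth_request(hexdump_to_bytes(USERAUTH_REQUEST_HEX))
    chosen = parse_gssapi_response(hexdump_to_bytes(USERAUTH_GSSAPI_RESPONSE_HEX))
    print(req)
    print("server selected:", chosen, "(Kerberos V5)" if chosen == KRB5_MECH_OID else "")
    print(diagnose(req, chosen, "rhel02udv.linux.dr.dk"))
```

Run it and the output shows the user `drextrha@net.dr.dk`, the single offered mechanism `1.2.840.113554.1.2.2`, and the server echoing that same OID back; the failure is therefore in the next step, when SSPI asks the NET.DR.DK DC for a ticket for a host whose DNS suffix `linux.dr.dk` the DC must route to the LINUX.DR.DK realm, which is the name suffix routing question asked in the reply above.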