[Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust

Sumit Bose sbose at redhat.com
Wed Sep 7 08:31:33 UTC 2016


On Wed, Sep 07, 2016 at 09:55:45AM +0200, Troels Hansen wrote:
> 
> 
> ----- On Sep 7, 2016, at 9:43 AM, Sumit Bose sbose at redhat.com wrote:
> 
> > Additionally please check the klist output on the Windows client. It
> > should show the host principal of the Linux client
> > (host/client.ipa.domain@IPA.DOMAIN). If the principal is there the sshd
> > logs on the Linux client with a high debug level might also have some
> > hints why GSSAPI authentication failed.
> > 
> 
> 
> Hmm, no host tickets. Only krbtgt for the domain and LDAP and CIFS principal for the DCs.

So I guess there is no cross-realm ticket either, i.e.
krbtgt/IPA.DOMAIN@AD.DOMAIN. Can you check on AD if the IPA DNS domain
is listed in the 'Name Suffix Routing' tab in the trust properties of
the IPA domain? Additionally please check if the DNS SRV records like
e.g. _kerberos._udp.ipa.domain can be resolved on the AD side.

HTH

bye,
Sumit
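
Added example, not part of the original message: a small parser for the Windows klist output that maps the cached tickets to the next check discussed in this thread. The sample cache, the user name and the DC host name are constructed; the realm and client names are the placeholders used in the thread.

```python
import re

# "Server:" line of each ticket in Windows klist output, e.g.
# "Server: krbtgt/IPA.DOMAIN @ AD.DOMAIN" (whitespace around @ is optional).
SERVER_RE = re.compile(r"^\s*Server:\s*(\S+?)\s*@\s*(\S+)\s*$", re.M)

# Constructed sample matching the situation reported in the thread: a TGT for
# the AD realm plus LDAP and CIFS tickets for a DC. User and DC names are made up.
SAMPLE = """\
Cached Tickets: (3)

#0>     Client: jdoe @ AD.DOMAIN
        Server: krbtgt/AD.DOMAIN @ AD.DOMAIN
#1>     Client: jdoe @ AD.DOMAIN
        Server: LDAP/dc1.ad.domain @ AD.DOMAIN
#2>     Client: jdoe @ AD.DOMAIN
        Server: cifs/dc1.ad.domain @ AD.DOMAIN
"""

def cached_services(klist_text):
    """Return the set of (service, realm) pairs, normalised for comparison."""
    return {(s.lower(), r.upper()) for s, r in SERVER_RE.findall(klist_text)}

def diagnose(klist_text, ad_realm, ipa_realm, client_fqdn):
    """Map the ticket cache to the next check suggested in the thread."""
    tickets = cached_services(klist_text)
    # Service ticket for the Linux client, issued by the IPA realm.
    if (f"host/{client_fqdn}".lower(), ipa_realm.upper()) in tickets:
        return "host-ticket-present: raise the sshd debug level on the Linux client"
    # Cross-realm TGT for the IPA realm, issued by the AD realm.
    if (f"krbtgt/{ipa_realm}".lower(), ad_realm.upper()) in tickets:
        return "cross-realm-tgt-only: referral to IPA worked, no host ticket cached"
    return "no-cross-realm-tgt: check Name Suffix Routing and the _kerberos SRV records"

if __name__ == "__main__":
    print(diagnose(SAMPLE, "AD.DOMAIN", "IPA.DOMAIN", "client.ipa.domain"))
```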



