[Freeipa-users] SSH using putty to IPA client
Troels Hansen
th at casalogic.dk
Mon Sep 26 07:25:46 UTC 2016
After we installed a new set of IPA servers for prod, and joined AD using username and password to have AD create a correct suffix routing, everything seems to work, and the suffix routing is created correctly on AD.
However, trying to SSH from Windows using Putty and kerberos fails:
Putty log shows:
Event Log: GSSAPI authentication initialisation failed
Event Log: No authority could be contacted for authentication.The domain name of the authenticating party could be wrong, the domain could be unreachable, or there might have been a trust relationship failure.
DNS is on AD (manually added, and IPA has no DNS installed).
Kerberos DNS is correct:
# dig _kerberos._tcp.lx.dr.dk SRV
....
;; ANSWER SECTION:
_kerberos._tcp.lx.dr.dk. 3600 IN SRV 0 100 88 ipa01.lx.dr.dk.
_kerberos._tcp.lx.dr.dk. 3600 IN SRV 0 100 88 ipa02.lx.dr.dk.
;; ADDITIONAL SECTION:
ipa01.lx.dr.dk. 3600 IN A x.y.z.135
ipa02.lx.dr.dk. 3600 IN A x.y.z.134
# dig _kerberos._tcp.dc._msdcs.lx.dr.dk SRV
...
;; ANSWER SECTION:
_kerberos._tcp.dc._msdcs.lx.dr.dk. 3600 IN SRV 0 100 88 ipa02.lx.dr.dk.
_kerberos._tcp.dc._msdcs.lx.dr.dk. 3600 IN SRV 0 100 88 ipa01.lx.dr.dk.
;; ADDITIONAL SECTION:
ipa02.lx.dr.dk. 3600 IN A x.y.z.134
ipa01.lx.dr.dk. 3600 IN A x.y.z.135
Klist on Windows shows I have a TGT for the LX domain (but only a TGT), sorry for the Danish.
#0> Klient: drextrha @ NET.DR.DK
Server: krbtgt/LX.DR.DK @ PLACE.DR.DK
KerbTicket-krypteringstype: AES-256-CTS-HMAC-SHA1-96
Billetflag 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Starttidspunkt: 9/21/2016 14:58:36 (lokal)
Sluttidspunkt: 9/21/2016 23:16:09 (lokal)
Fornyelsestidspunkt: 9/28/2016 13:16:09 (lokal)
Sessionsnøgletype: AES-256-CTS-HMAC-SHA1-96
I can't see what's wrong and can't seem to find out what's wrong.
Suggestions welcome :-)