[Freeipa-users] SSH using putty to IPA client

Troels Hansen th at casalogic.dk
Mon Sep 26 07:25:46 UTC 2016


After we installed a new set of IPA servers for prod, and joined AD using username and password to have AD create a correct suffix routing, everything seems to work, and the suffix routing is created correctly on AD. 

However, trying to SSH from Windows using Putty and kerberos fails: 

Putty log shows: 
Event Log: GSSAPI authentication initialisation failed 
Event Log: No authority could be contacted for authentication.The domain name of the authenticating party could be wrong, the domain could be unreachable, or there might have been a trust relationship failure. 

DNS is on AD (manually added), and IPA has no DNS installed. 

Kerberos DNS is correct: 

# dig _kerberos._tcp.lx.dr.dk SRV 
.... 
;; ANSWER SECTION: 
_kerberos._tcp.lx.dr.dk. 3600 IN SRV 0 100 88 ipa01.lx.dr.dk. 
_kerberos._tcp.lx.dr.dk. 3600 IN SRV 0 100 88 ipa02.lx.dr.dk. 

;; ADDITIONAL SECTION: 
ipa01.lx.dr.dk. 3600 IN A x.y.z.135 
ipa02.lx.dr.dk. 3600 IN A x.y.z.134 


# dig _kerberos._tcp.dc._msdcs.lx.dr.dk SRV 
... 
;; ANSWER SECTION: 
_kerberos._tcp.dc._msdcs.lx.dr.dk. 3600 IN SRV 0 100 88 ipa02.lx.dr.dk. 
_kerberos._tcp.dc._msdcs.lx.dr.dk. 3600 IN SRV 0 100 88 ipa01.lx.dr.dk. 

;; ADDITIONAL SECTION: 
ipa02.lx.dr.dk. 3600 IN A x.y.z.134 
ipa01.lx.dr.dk. 3600 IN A x.y.z.135 


Klist on Windows shows I have a TGT for the LX domain (but only a TGT), sorry for the Danish. 

#0> Klient: drextrha @ NET.DR.DK 
Server: krbtgt/LX.DR.DK @ PLACE.DR.DK 
KerbTicket-krypteringstype: AES-256-CTS-HMAC-SHA1-96 
Billetflag 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize 
Starttidspunkt: 9/21/2016 14:58:36 (lokal) 
Sluttidspunkt: 9/21/2016 23:16:09 (lokal) 
Fornyelsestidspunkt: 9/28/2016 13:16:09 (lokal) 
Sessionsnøgletype: AES-256-CTS-HMAC-SHA1-96 


I can't see what's wrong and can't seem to find out what's wrong? 
Suggestions welcome :-) 