[Freeipa-users] SSH using putty to IPA client

Sumit Bose sbose at redhat.com
Wed Sep 28 09:48:02 UTC 2016


On Wed, Sep 28, 2016 at 11:30:56AM +0200, Troels Hansen wrote:
> 
> > Yes, this makes sense as well. If you are not in the forest root you
> > first need a cross-realm TGT for your domain and the forest root. Then
> > you need a cross-realm TGT for the forest root and the IPA domain.
> > 
> > As a next step you should see a request to the IPA KDC to get the actual
> > service ticket for the host in the IPA domain.
> 
> Yes, this is the traffic that's never seen in the capture.
> It seems Windows (PuTTY) never asks for a host ticket for the IPA host. I receive the krbtgt for the IPA domain, but never see any traffic from the Windows client to IPA, and thus never receive the host ticket on the Windows client.

Please check the other traffic on the client after receiving the
cross-realm ticket for the IPA domain. Since the client gets the name of
the IPA realm from the AD DC in the last response, I would expect that it
will try some DNS SRV lookups to find a KDC in the IPA realm.

HTH

bye,
Sumit

> 
> I'm not at all sure how Kerberos works in PuTTY, but it seems it uses its own Kerberos libraries and that these fail.
> 
> A Linux host not joined to IPA, just installed with Kerberos and using the DNS config in krb5.conf, can kinit in the NET domain and ssh to IPA using Kerberos just fine, so it seems the problem just relates to PuTTY.
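As an added diagnostic, not part of the thread, the POSIX shell helper below lists the DNS SRV names a client relying on DNS KDC discovery queries for a realm and tries to resolve each with `dig`, so a defender can confirm the lookups Sumit expects are answerable from the client's resolver. The realm IPA.EXAMPLE.COM is a placeholder, and `dig` (bind-utils) must be installed on the host running the check.

```shell
# Added example, not from the thread. Realm IPA.EXAMPLE.COM is a placeholder.

# Print the SRV owner names MIT krb5 documents for locating a realm's KDC
# (UDP first, then TCP, then the master KDC and the kpasswd service),
# one per line, for the realm given as $1.
kerberos_srv_names() {
    realm=$1
    for svc in _kerberos._udp _kerberos._tcp _kerberos-master._udp _kpasswd._udp; do
        printf '%s.%s\n' "$svc" "$realm"
    done
}

# Resolve every SRV name for realm $1 with dig and report which ones answer.
# Returns success if at least one name resolved, failure otherwise.
# Needs dig and network access to the resolver the client actually uses.
check_kerberos_srv() {
    found=0
    for name in $(kerberos_srv_names "$1"); do
        answer=$(dig +short SRV "$name" 2>/dev/null)
        if [ -n "$answer" ]; then
            echo "OK      $name -> $(printf '%s\n' "$answer" | head -n1)"
            found=$((found + 1))
        else
            echo "MISSING $name"
        fi
    done
    echo "$found of 4 SRV names resolved for realm $1"
    [ "$found" -gt 0 ]
}

# Usage: run this from the client that fails to obtain the host ticket.
# check_kerberos_srv IPA.EXAMPLE.COM
```

If every name reports MISSING from the Windows client's resolver but resolves from the working Linux host, the client cannot locate the IPA KDC by DNS and will never send the service-ticket request seen missing in the capture.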