[Freeipa-users] GSSAPI for second hop (SSH)
Jason B. Nance
jason at tresgeek.net
Fri Mar 3 19:22:17 UTC 2017
>> I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users
>> connecting to Linux servers from their domain-joined workstations are
>> not required to enter a password for the first connection. However,
>> if they attempt to ssh to a second Linux machine from the first they
>> are being prompted for a password.
>
> What is the output if they klist on the first machine they SSH to?
[jnance@centric.com@sl1aosplmgt0001 ~]$ klist
Ticket cache: KEYRING:persistent:255985:krb_ccache_TuVdBrp
Default principal: jnance@CENTRIC.COM

Valid starting       Expires              Service principal
03/03/2017 11:55:16  03/03/2017 21:47:34  krbtgt/IPA.GEN.ZONE@CENTRIC.COM
        renew until 03/04/2017 11:47:33
03/03/2017 11:47:34  03/03/2017 21:47:34  krbtgt/CENTRIC.COM@CENTRIC.COM
        renew until 03/04/2017 11:47:33
centric.com is the AD domain that ipa.gen.zone trusts.