<div dir="ltr"><div><div>Hi All,</div><div>we have set up a FreeIPA 4.1 (CentOS 7) trust with Windows 2008R2. Everything (HBAC, sudo) works pretty well except SSH SSO using GSSAPI from Windows AD clients (e.g. PuTTY) to Linux client machines (CentOS 6). Password authentication works; just GSSAPI fails.</div><div><br></div><div>Actually, there is one scenario where SSH GSSAPI authentication works -> when connecting to a FreeIPA master or replica (where the trust was established), but not to FreeIPA host clients.</div><div><br></div><div>Important sections of configuration files (servers/clients):</div><div><br></div><div>/etc/ssh/sshd_config:<br></div><div>GSSAPIAuthentication yes<br></div><div>KerberosAuthentication yes</div><div><br></div><div>/etc/krb5.conf:</div><div>auth_to_local = RULE:[1:$1@$0](^.*@WINDOWS.DOMAIN$)s/@WINDOWS.DOMAIN/@windows.domain/<br></div><div><div>auth_to_local = DEFAULT</div></div><div><br></div><div>BTW, after I log in by password to the Linux client machine I can use GSSAPI within the same host by ssh-ing in a loop to localhost, so locally GSSAPI works.<br></div><div><div><br></div><div>Is there something I missed?</div><div>Any help would be greatly appreciated.</div></div><br clear="all"></div>/lm<br></div>
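<div>The post's two <code>auth_to_local</code> lines decide which local user name sshd will accept for a given Kerberos principal, so it helps to be able to evaluate them offline. The following is an added example, not code from the post, FreeIPA or MIT krb5: a simplified Python model of the <code>RULE:[n:string](regex)s/a/b/g</code> and <code>DEFAULT</code> semantics that takes the rules exactly as posted and shows what they map. The IPA realm name <code>IPA.EXAMPLE.COM</code> is an assumption (the post does not name it), and the parser deliberately skips corner cases libkrb5 handles (escaped separators, parentheses inside the selector regex, <code>&amp;</code> in replacements).</div>

```python
"""Toy evaluator for MIT krb5 auth_to_local rules.

Added example: a simplified re-implementation for reasoning about which local name a
Kerberos principal maps to. It is NOT krb5_aname_to_localname(); consult libkrb5 for the
corner cases not modelled here (escaped '/' and '@', '&' in replacements, parentheses
inside the selector regex).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Rules copied from the post's /etc/krb5.conf; libkrb5 tries them in order, first hit wins.
RULES = [
    "RULE:[1:$1@$0](^.*@WINDOWS.DOMAIN$)s/@WINDOWS.DOMAIN/@windows.domain/",
    "DEFAULT",
]

# Assumption: the IPA realm of the Linux hosts (the post does not name it).
DEFAULT_REALM = "IPA.EXAMPLE.COM"

_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$")
_SED_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


@dataclass
class Principal:
    components: List[str]   # e.g. ["host", "client.example.com"]
    realm: str


def parse_principal(text: str) -> Principal:
    """Split 'comp1/comp2@REALM' into components and realm (no escape handling)."""
    name, realm = text.rsplit("@", 1)
    return Principal(name.split("/"), realm)


def apply_rule(rule: str, princ: Principal, default_realm: str) -> Optional[str]:
    """Return the local name produced by one rule, or None if the rule does not apply."""
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals of the default realm,
        # and maps them to their bare first component.
        if princ.realm == default_realm and len(princ.components) == 1:
            return princ.components[0]
        return None

    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: %r" % rule)
    ncomp, fmt, selector, seds = int(m.group(1)), m.group(2), m.group(3), m.group(4)

    # [n:...] applies only to principals with exactly n components (realm excluded).
    if len(princ.components) != ncomp:
        return None

    # Expand $0 (realm) and $1..$n (components) in the format string.
    def expand(mm: "re.Match") -> str:
        i = int(mm.group(1))
        if i == 0:
            return princ.realm
        if i > ncomp:
            raise ValueError("rule references $%d but n=%d" % (i, ncomp))
        return princ.components[i - 1]

    candidate = re.sub(r"\$(\d+)", expand, fmt)

    # The optional (regex) is a selector: the rule is skipped unless it matches.
    if selector is not None and re.search(selector, candidate) is None:
        return None

    # Apply the sed-style s/pattern/replacement/[g] substitutions in order.
    for pat, repl, gflag in _SED_RE.findall(seds):
        candidate = re.sub(pat, repl, candidate, count=0 if gflag else 1)
    return candidate


def map_name(rules: List[str], principal: str,
             default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """Walk the rule list; None means no local name (no rule matched)."""
    princ = parse_principal(principal)
    for rule in rules:
        local = apply_rule(rule, princ, default_realm)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    # Constructed sample principals: an AD user, an IPA user, a host principal, a stranger.
    for p in ["jdoe@WINDOWS.DOMAIN", "jdoe@IPA.EXAMPLE.COM",
              "host/client.example.com@IPA.EXAMPLE.COM", "jdoe@OTHER.REALM"]:
        print("%-45s -> %s" % (p, map_name(RULES, p)))
```

<div>With the posted rules an AD user becomes the fully qualified <code>jdoe@windows.domain</code>, an IPA user becomes the bare <code>jdoe</code>, and a principal from any other realm maps to nothing, which is the property you want from cross-realm mapping. Keep in mind that the mapped name is only one half of the check: for a GSSAPI login sshd (through <code>krb5_kuserok</code>) accepts the session only when that mapped name equals the user name the client asked for, or the principal is listed in that user's <code>.k5login</code>, so the name PuTTY logs in with has to match what the rule produces.</div>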