For the relevant hosts, yes exactly like that.
/tony
On 06/26/2017 11:22 AM, David Kreitschmann via FreeIPA-users wrote:
Do you have something like this in ~/.ssh/config?
Host *.example.com
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
> On 26.06.2017 at 07:58, Tony Brian Albers via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
>
> Hi Rob,
>
> Not sure what the redhat docs describe, we're not using AD with this
> system.
>
> It seems somehow that GSSAPI does not forward the kerberos ticket
> obtained on the client machine correctly, when I connect to the
> machine I want to work on, it just says that the ticket has expired.
>
> I'm still trying a few things, I'll post to the list when I've got
> something new.
>
> /tony
>
>
> On 2017-06-22 15:13, Rob Verduijn via FreeIPA-users wrote:
>> If you are using gss-api and using putty to log in.
>> Did you do the thing mentioned in 5.3.4.5
>>
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/...
>> also see
>>
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/...
>>
>> Rob
>>
>> 2017-06-22 13:50 GMT+02:00 Tony Brian Albers via FreeIPA-users
>> <freeipa-users(a)lists.fedorahosted.org>:
>>
>> Hi guys,
>>
>> We have a setup where the FreeIPA server also hosts the user's
>> homedirs. These are shared via NFSv4 and are automounted when a user
>> logs in.
>>
>> [root@adm-001 ~]# cat /etc/exports
>> /data/home 172.16.216.0/24(rw,no_root_squash,sec=sys:krb5:krb5i:krb5p,fsid=1338)
>>
>> [root@adm-001 ~]# ipa automountkey-show
>> Location: default
>> Map: auto.home
>> Key: *
>> Key: *
>> Mount information: -fstype=nfs4,rw,sec=krb5,intr,hard adm-001.domain:/data/home/&
>>
>>
>> While normal ssh logins work (you ssh to the client and put in
>> your password), passwordless ssh does not work. It's obvious that
>> passwordless logins do not activate the kerberos ticket function, but
>> that results in the users being unable to read their own files in
>> their homedirs.
>>
>> For now we ask users to not do passwordless login, but could we
>> make the latter work?
>>
>> TIA,
>>
>> /tony
>>
>>
>> --
>> Tony Albers
>> Systems administrator, IT-development
>> Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
>> Tel: +45 2566 2383 / +45 8946 2316
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> <mailto:freeipa-users@lists.fedorahosted.org>
>> To unsubscribe send an email to
>> freeipa-users-leave(a)lists.fedorahosted.org
>> <mailto:freeipa-users-leave@lists.fedorahosted.org>
>>
>
>
> --
> Tony Albers
> Systems administrator, IT-development
> Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 2566 2383 / +45 8946 2316
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
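
The ~/.ssh/config settings quoted in this thread only have an effect if they actually apply to the target host and the client's TGT is forwardable. The following is an added example, not part of the thread, that checks both conditions from `ssh -G` and MIT `klist -f` output; the host name, principal and sample outputs are constructed.

```shell
#!/bin/sh
# Added example; every sample input below is constructed.

# stdin: output of `ssh -G <host>`. Succeeds only when both GSSAPI
# authentication and credential delegation are in effect for that host.
delegation_enabled() {
  awk '
    tolower($1) == "gssapiauthentication"      { auth  = (tolower($2) == "yes") }
    tolower($1) == "gssapidelegatecredentials" { deleg = (tolower($2) == "yes") }
    END { exit !(auth && deleg) }
  '
}

# stdin: output of `klist -f`. Succeeds only when the krbtgt entry carries
# the F (forwardable) flag; a non-forwardable TGT cannot be delegated.
tgt_forwardable() {
  awk '
    /krbtgt\// { in_tgt = 1; next }
    /Flags:/   { if (in_tgt) { sub(/.*Flags:[ \t]*/, ""); if ($1 ~ /F/) ok = 1 }
                 in_tgt = 0 }
    END { exit !ok }
  '
}

# $1 = `ssh -G` text, $2 = `klist -f` text; prints the first failed check.
report() {
  printf '%s\n' "$1" | delegation_enabled || { echo "delegation off"; return 1; }
  printf '%s\n' "$2" | tgt_forwardable || { echo "TGT not forwardable"; return 1; }
  echo "ok"
}

SSH_G_ON='hostname node1.example.com
gssapiauthentication yes
gssapidelegatecredentials yes'
SSH_G_OFF='hostname node1.example.com
gssapiauthentication yes
gssapidelegatecredentials no'
KLIST_FWD='Default principal: alice@EXAMPLE.COM
06/26/2017 09:00:00  06/27/2017 09:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA'
KLIST_NOFWD='Default principal: alice@EXAMPLE.COM
06/26/2017 09:00:00  06/27/2017 09:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: IA'

# Live use: report "$(ssh -G node1.example.com)" "$(klist -f)"
```

Running `klist -f` again on the remote host after login shows whether a delegated TGT actually arrived there.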