On Thu, 2018-09-06 at 05:08 +0200, Jochen Hein via FreeIPA-users wrote:
> You used "ssh ipa01", right? And the host has been enrolled with
> ipa01.theinside.rnr?

Yes.

> I have in my ~/.ssh/config:
> CanonicalizeHostname always
> CanonicalDomains example.org

I can try that. But, it doesn't answer my question: why does GSSAPI
delegation work for some hosts and not others? I'm going to assume I
did something wrong, but I don't know what.
For example, I can ssh from my Fedora desktop to ipa01. I don't have to
use a password or an ssh key because my Kerberos ticket allows me
access. Then, from ipa01, I can ssh to anything else in the FreeIPA
domain without a password or ssh key because GSSAPI delegation allows
me access.
I have some servers where I can log in using Kerberos tickets from my
Fedora desktop, but GSSAPI delegation fails.
I haven't been able to find a difference between them.
--
Ranbir