Hi, first of all: GSSAPI is not imported into OpenSSH for Windows, unfortunately, so you have to use PuTTY to get GSSAPI Kerberos passwordless login from Windows to a Linux domain.

Second, from which system on the Windows side are you trying to log in? Can you check whether it works from the Active Directory server itself, please? IIRC, you will have to allow the host/PC to delegate Kerberos credentials (on the Windows side). AD domain servers have Kerberos ticket delegation enabled by default; regular PCs/hosts don't. Maybe this is the case...

regards,
JP

On Mon, 27 May 2019 at 4:30, Sumit Bose via FreeIPA-users (<freeipa-users@lists.fedorahosted.org>) wrote:
On Sun, May 26, 2019 at 01:42:32PM +0100, lejeczek via FreeIPA-users wrote:
> On 23/05/2019 16:43, Sumit Bose via FreeIPA-users wrote:
> > On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users wrote:
> >> On 23/05/2019 14:56, Rob Crittenden wrote:
> >>> lejeczek via FreeIPA-users wrote:
> >>>> hi guys,
> >>>>
> >>>> reading official guide one may assume - I do - that "Using SSH Without
> >>>> Passwords" should work out-of-box (centos 7.6) - is such assumption valid?
> >>>>
> >>>> For me this does not work - ssh still asks for passwords.
> >>>>
> >>>> If this is due to some failure/problem, then where to look and how to
> >>>> troubleshoot?
> >>> It's hard to know what you're doing, ssh from where to where, using what?
> >>>
> >>> rob
> >> I made an assumption - which I see now was invalid - that some experts
> >> may know mentioned guide by heart and if I quoted something then the
> >> rest will be obvious - wrong, sorry.
> >>
> >> "Using SSH Without Passwords" is a paragraph of "Using SSH from Active
> >> Directory Machines for IdM Resources" which is about Kerberos I understand.
> >>
> >> My hope was to have AD's clients be able to ssh (and maybe get to other
> >> things like Samba) without a password and with Kerberos.
> >>
> >> I see IPA's users can do that between IPA's servers
> >>
> >> ...
> >>
> >> debug1: PAM: initializing for "tester1"
> >> debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
> >> debug1: PAM: setting PAM_TTY to "ssh"
> >> debug1: userauth-request for user tester1 service ssh-connection method
> >> gssapi-with-mic [preauth]
> >> debug1: attempt 1 failures 0 [preauth]
> >> Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
> >> [preauth]
> >> debug1: Got no client credentials
> >> debug1: ssh_gssapi_k5login_exists: Checking existence of file
> >> /home/tester1/.k5login
> >> Authorized to tester1, krb5 principal tester1@private
> >> (ssh_gssapi_krb5_cmdok)
> >> debug1: do_pam_account: called
> >> Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
> >> ...
> >>
> >> But on a Win10Pro which is an AD member, which I'm trying, when I ssh as an AD
> >> user I do not see the above in the logs and such ssh (Win10's own feature)
> >> is asked for a password.
> >>
> >> To sum up: AD's users off/from Win AD win-stations to IPA's
> >> members/clients with Kerberos if possible. (trust is already established
> >> and running)
> > Hi,
> >
> > having a trust is the first requirement. Second is a ssh client on the
> > Windows side which can do GSSAPI authentication (recent version of putty
> > can) and has GSSAPI authentication enabled (iirc this is not the default
> > for putty, so you have to switch it on manually). Next is that you have
> > to use the fully-qualified DNS name of the IPA client you want to login
> > to. If all this is set and authentication still falls back to ask for a
> > password please check with the klist command on the Windows client in
> > command.exe or the Powershell if you already got a service ticket for
> > the IPA client. If this is missing please check if there is a
> > cross-realm ticket, it has a principal starting with 'krbtgt/' followed
> > by the IPA realm, an '@' sign and the AD realm. If this is missing as
> > well the issue is on the AD side and the client either does not try
> > GSSAPI at all or it does not get a cross-realm ticket from the local DC.
> >
> > HTH
> >
> > bye,
> > Sumit
>
> I do not see tickets to IPA's domain - when I'm logged into a Win10Pro
> (a member of win2016 AD domain).
>
> >klist only shows two tickets krbtgt & LDAP @AD domain, and nowhere
> there I see a mention of IPA domain.
>
> That is after a one-way trust was established from IPA's side,
> successfully. DNS seems to work, users seem to work.
>
> My setup IPA is subdomain of AD.
>
> Win10Pro is 1903 with openssh-client installed as/from optional feature.
> I think it does support gssapi.

I haven't tried this ssh client so far. But typically
GSSAPIAuthentication is not enabled by default for openssh clients. Have
you tried to add '-o GSSAPIAuthentication=yes' or similar? Do you see
something GSSAPI related in the debug output?

>
> After a trust is established - do we need to create groups & mappings
> for AD users for ssh/samba to work? Guide docs I saw I understand then
> these are only required when one needs HBAC, correct?

Yes.

>
> How to start troubleshooting?
>
> many thanks, L.
>
> >> many thanks, L.
> >> _______________________________________________
> >> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> >> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> >> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
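Sumit's klist check above (look for a service ticket for the IPA client, then for the cross-realm 'krbtgt/IPA-REALM@AD-REALM' ticket) as a PowerShell function, added here as an example and not taken from the thread or from FreeIPA. The realm names, the IPA client FQDN and the sample klist output are constructed assumptions; the parsing relies on Windows klist printing a "Server: service/instance @ REALM" line per cached ticket.

```powershell
function Test-IpaKerberosPath {
    param(
        [Parameter(Mandatory)][string[]]$KlistOutput, # lines of 'klist' output from the Windows client
        [Parameter(Mandatory)][string]$IpaRealm,      # IPA Kerberos realm
        [Parameter(Mandatory)][string]$AdRealm,       # AD Kerberos realm the user logged in to
        [Parameter(Mandatory)][string]$IpaHost        # fully-qualified DNS name of the IPA client
    )
    # Windows klist prints one "Server: service/instance @ REALM" line per cached ticket.
    $servers = foreach ($line in $KlistOutput) {
        if ($line -match '^\s*Server:\s*(\S+)\s*@\s*(\S+)') { "$($Matches[1])@$($Matches[2])" }
    }
    $crossRealm = "krbtgt/$IpaRealm@$AdRealm"   # cross-realm TGT for the IPA realm
    $hostTicket = "host/$IpaHost@$IpaRealm"     # service ticket sshd on the IPA client needs
    $hasCross = [bool]($servers -contains $crossRealm)
    $hasHost  = [bool]($servers -contains $hostTicket)
    if ($hasHost) {
        $verdict = "service ticket $hostTicket is cached: the Kerberos path works; check the ssh client (GSSAPIAuthentication) and the sshd debug log"
    } elseif ($hasCross) {
        $verdict = "cross-realm ticket $crossRealm is cached but $hostTicket is not: the ssh client never asked for it; enable GSSAPIAuthentication and connect to $IpaHost by FQDN"
    } else {
        $verdict = "no $crossRealm cached: no cross-realm ticket came from the local DC, so GSSAPI was not attempted or the issue is on the AD side"
    }
    [pscustomobject]@{ CrossRealmTicket = $hasCross; HostServiceTicket = $hasHost; Verdict = $verdict }
}

# Constructed sample resembling the poster's klist: only krbtgt and LDAP tickets in the AD realm.
$sample = @'
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: tester1 @ AD.EXAMPLE.TEST
        Server: krbtgt/AD.EXAMPLE.TEST @ AD.EXAMPLE.TEST
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: tester1 @ AD.EXAMPLE.TEST
        Server: LDAP/dc1.ad.example.test/ad.example.test @ AD.EXAMPLE.TEST
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
'@ -split "`r?`n"

# Realm and host names are assumptions for the example (IPA as a subdomain of AD, as in the thread).
Test-IpaKerberosPath -KlistOutput $sample -IpaRealm 'IPA.AD.EXAMPLE.TEST' -AdRealm 'AD.EXAMPLE.TEST' -IpaHost 'client1.ipa.ad.example.test'
# On a real client, feed the live cache instead: Test-IpaKerberosPath -KlistOutput (klist) -IpaRealm ... -AdRealm ... -IpaHost ...
```

With the sample above the function reports neither ticket, which is the poster's situation and points at the AD side (or at a client that never attempted GSSAPI).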