Hi Rob,
Not sure what the redhat docs describe, we're not using AD with this system.
It seems that somehow GSSAPI does not forward the Kerberos ticket obtained on the client
machine correctly; when I connect to the machine I want to work on, it just says that the
ticket has expired.
I'm still trying a few things; I'll post to the list when I've got something
new.
/tony
On 2017-06-22 15:13, Rob Verduijn via FreeIPA-users wrote:
If you are using GSSAPI and using PuTTY to log in,
did you do the thing mentioned in 5.3.4.5?
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/...
also see
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/...
Rob
2017-06-22 13:50 GMT+02:00 Tony Brian Albers via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org>:
Hi guys,
We have a setup where the FreeIPA server also hosts the users' homedirs. These
are shared via NFSv4 and are automounted when a user logs in.
[root@adm-001 ~]# cat /etc/exports
/data/home 172.16.216.0/24(rw,no_root_squash,sec=sys:krb5:krb5i:krb5p,fsid=1338)
[root@adm-001 ~]# ipa automountkey-show
Location: default
Map: auto.home
Key: *
Mount information: -fstype=nfs4,rw,sec=krb5,intr,hard adm-001.domain:/data/home/&
While normal ssh logins work (you ssh to the client and put in your password),
passwordless ssh does not work. It's obvious that passwordless logins do not activate
the Kerberos ticket function, but that results in the users being unable to read their own
files in their homedirs.
For now we ask users to not do passwordless login, but could we make the latter
work?
TIA,
/tony
--
Tony Albers
Systems administrator, IT-development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
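The thread above turns on one mechanism: a key-based ssh login never talks to the KDC, so the session on the client has no Kerberos credential cache, and the sec=krb5 automount of /data/home has nothing to authenticate with. A GSSAPI login (ssh -K, or GSSAPIAuthentication yes plus GSSAPIDelegateCredentials yes in ssh_config, with GSSAPIAuthentication yes in the server's sshd_config) fixes that only if the TGT on the workstation is forwardable; a non-forwardable TGT logs you in but delegates nothing, leaving the homedir unreadable just as with a key login. The script below is an added example, not code from this thread or from FreeIPA: it parses `klist -f` output and tells you whether the TGT can be delegated at all, which is one thing to rule out before digging into the server side. It assumes MIT Kerberos `klist -f` formatting; the two credential caches, the realm EXAMPLE.COM and the hostname client.example.com are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: check whether the local
# Kerberos TGT can be delegated over ssh before relying on a GSSAPI login to
# give the remote session the credentials a sec=krb5 NFS home mount needs.
# Assumes MIT Kerberos `klist -f` output; the caches below are constructed.

# Print the flag string (e.g. FRIA) of the krbtgt entry in `klist -f` output
# read from stdin. Prints nothing if no Flags line follows the TGT entry
# (for instance when klist was run without -f).
tgt_flags() {
    awk '
        /krbtgt\//          { in_tgt = 1; next }
        in_tgt && /Flags:/  { sub(/.*Flags: */, ""); print $1; exit }
        in_tgt && substr($0, 1, 1) != " " && substr($0, 1, 1) != "\t" { in_tgt = 0 }
    '
}

# Succeed only when the TGT carries the F (forwardable) flag. Without it the
# GSSAPI login still succeeds, but no credential cache is created on the
# remote host, so the krb5 NFS mount behaves exactly as after a key login.
tgt_forwardable() {
    case "$(tgt_flags)" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Build the ssh command that authenticates with GSSAPI and delegates the TGT
# (the same as `ssh -K`, or GSSAPIAuthentication yes and
# GSSAPIDelegateCredentials yes in ssh_config). The server's sshd_config
# must also have GSSAPIAuthentication yes.
gssapi_ssh_cmd() {
    printf 'ssh -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes %s\n' "$1"
}

# Constructed sample caches (placeholder realm and user). klist indents the
# continuation line with a tab; the parser accepts a tab or spaces.
FORWARDABLE_CACHE=$(printf '%s\n' \
    'Ticket cache: KEYRING:persistent:1000:1000' \
    'Default principal: tony@EXAMPLE.COM' \
    '' \
    'Valid starting       Expires              Service principal' \
    '06/22/2017 13:40:12  06/23/2017 13:40:09  krbtgt/EXAMPLE.COM@EXAMPLE.COM' \
    '	renew until 06/29/2017 13:40:09, Flags: FRIA')

NON_FORWARDABLE_CACHE=$(printf '%s\n' \
    'Ticket cache: KEYRING:persistent:1000:1000' \
    'Default principal: tony@EXAMPLE.COM' \
    '' \
    'Valid starting       Expires              Service principal' \
    '06/22/2017 13:40:12  06/23/2017 13:40:09  krbtgt/EXAMPLE.COM@EXAMPLE.COM' \
    '	Flags: IA')

# On a real workstation replace the sample with: klist -f | tgt_forwardable
for cache in "$FORWARDABLE_CACHE" "$NON_FORWARDABLE_CACHE"; do
    if printf '%s\n' "$cache" | tgt_forwardable; then
        echo "forwardable TGT: '$(gssapi_ssh_cmd client.example.com)' will delegate it"
    else
        echo "non-forwardable TGT: run 'kinit -f' (or set forwardable = true in krb5.conf) first"
    fi
done
```

After a delegating login, `klist` on the client host should list a cache for the user; if it does, the sec=krb5 automount of the homedir has credentials to use, and if it does not, the problem is on the ssh/GSSAPI path rather than in NFS or automount.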