On 31/05/2019 15:42, Juan Pablo wrote:
Hi, first of all: GSSAPI is not imported on OpenSSH for Windows,
unfortunately. So you mandatorily need to use PuTTY to have GSSAPI
Kerberos passwordless from Windows to a Linux domain.
Second, from which system on the Windows side are you trying to log in?
Can you see if it works from the Active Directory server itself,
please? IIRC, you will have to allow the host/PC to delegate Kerberos
credentials (on the Windows side). AD domain servers have Kerberos ticket
delegation enabled by default, regular PCs/hosts don't. Maybe this is
the case...
regards,
JP
I was hoping, but was not sure, that nomorefood's stuff ended up in the
Windows version in the latest, thus I stressed, update of 1903, but
it's not there.
PuTTY I got from ssh.com (I'm not sure if this is the best place or the best
PuTTY to get?) but this PuTTY, on/off the AD server... yes, works with
GSSAPI and I see password-less authentication.
I thought I delegated the Win10 client box to "Trust this computer for
delegation of any service" in AD Users & Computers but... still a password
prompt. Any ideas, suggestions?
many thanks, L.
On Mon, 27 May 2019 at 04:30, Sumit Bose via FreeIPA-users
(<freeipa-users@lists.fedorahosted.org>) wrote:
On Sun, May 26, 2019 at 01:42:32PM +0100, lejeczek via
FreeIPA-users wrote:
> On 23/05/2019 16:43, Sumit Bose via FreeIPA-users wrote:
> > On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via
FreeIPA-users wrote:
> >> On 23/05/2019 14:56, Rob Crittenden wrote:
> >>> lejeczek via FreeIPA-users wrote:
> >>>> hi guys,
> >>>>
> >>>> reading the official guide one may assume - I do - that "Using SSH Without
> >>>> Passwords" should work out-of-the-box (CentOS 7.6) - is such an assumption valid?
> >>>>
> >>>> For me this does not work - ssh still asks for passwords.
> >>>>
> >>>> If this is due to some failure/problem, then where to look and how to
> >>>> troubleshoot?
> >>> It's hard to know what you're doing, ssh from where to where, using what?
> >>>
> >>> rob
> >> I made an assumption - which I see now was invalid - that some experts
> >> may know the mentioned guide by heart and if I quoted something then the
> >> rest would be obvious - wrong, sorry.
> >>
> >> "Using SSH Without Passwords" is a paragraph of "Using SSH from Active
> >> Directory Machines for IdM Resources" which is about Kerberos, I understand.
> >>
> >> My hope was to have AD's clients be able to ssh (and maybe get to other
> >> things like Samba) without a password and with Kerberos.
> >>
> >> I see IPA's users can do that between IPA's servers
> >>
> >> ...
> >>
> >> debug1: PAM: initializing for "tester1"
> >> debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
> >> debug1: PAM: setting PAM_TTY to "ssh"
> >> debug1: userauth-request for user tester1 service ssh-connection method gssapi-with-mic [preauth]
> >> debug1: attempt 1 failures 0 [preauth]
> >> Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2 [preauth]
> >> debug1: Got no client credentials
> >> debug1: ssh_gssapi_k5login_exists: Checking existence of file /home/tester1/.k5login
> >> Authorized to tester1, krb5 principal tester1@private (ssh_gssapi_krb5_cmdok)
> >> debug1: do_pam_account: called
> >> Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
> >> ...
> >>
> >> But a Win10Pro which is an AD member, which I'm trying, when I ssh as AD's
> >> user then I do not see the above in the logs and such ssh (Win10's own feature)
> >> is asked for a password.
> >>
> >> To sum up: AD's users off/from Win AD win-stations to IPA's
> >> members/clients with Kerberos if possible. (trust is already established
> >> and running)
> > Hi,
> >
> > having a trust is the first requirement. Second is an ssh client on the
> > Windows side which can do GSSAPI authentication (recent versions of putty
> > can) and has GSSAPI authentication enabled (iirc this is not the default
> > for putty, so you have to switch it on manually). Next is that you have
> > to use the fully-qualified DNS name of the IPA client you want to log in
> > to. If all this is set and authentication still falls back to asking for a
> > password please check with the klist command on the Windows client in
> > command.exe or the Powershell if you already got a service ticket for
> > the IPA client. If this is missing please check if there is a
> > cross-realm ticket, it has a principal starting with 'krbtgt/' followed
> > by the IPA realm, an '@' sign and the AD realm. If this is missing as
> > well the issue is on the AD side and the client either does not try
> > GSSAPI at all or it does not get a cross-realm ticket from the local DC.
> >
> > HTH
> >
> > bye,
> > Sumit
>
> I do not see tickets to IPA's domain - when I'm logged into a Win10Pro
> (a member of a win2016 AD domain).
>
> >klist only shows two tickets, krbtgt & LDAP @AD domain, and nowhere
> there do I see a mention of the IPA domain.
>
> That is after a one-way trust was established from IPA's side,
> successfully. DNS seems to work, users seem to work.
>
> My setup: IPA is a subdomain of AD.
>
> Win10Pro is 1903 with openssh-client installed as/from an optional feature.
> I think it does support gssapi.
I haven't tried this ssh client so far. But typically
GSSAPIAuthentication is not enabled by default for openssh clients. Have
you tried to add '-o GSSAPIAuthentication=yes' or similar? Do you see
something GSSAPI related in the debug output?
>
> After a trust is established - do we need to create groups & mappings
> for AD users for ssh/samba to work? Guide docs I saw I understand then
> these are only required when one needs HBAC, correct?
Yes.
>
> How to start troubleshooting?
>
> many thanks, L.
>
> >> many thanks, L.
> >>
> >>
> >>
> >> pub   rsa2048 2019-01-17 [SC] [expires: 2020-01-17]
> >>       93059F241EEEE1D0769A85F455918ABF21224EBA
> >> uid   lejeczek <peljasz@yahoo.co.uk>
> >> sub   rsa2048 2019-01-17 [E] [expires: 2020-01-17]
> >> _______________________________________________
> >> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> >> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> >> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>
>
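Sumit's klist checklist from the quoted reply, written out as a small triage script. This is an added example for this thread and not code from FreeIPA or from any of the posters: the AD and IPA realm names, the IPA client FQDN and the klist dumps are all constructed, and the parser assumes the "Server: svc/name @ REALM" line layout that the Windows klist command prints. The first constructed dump reproduces the state L. reports (only krbtgt and LDAP tickets for the AD domain); the other two are the states that should follow once the cross-realm TGT and then the host/ service ticket show up, and the script says which side to look at in each case.

```python
"""
Triage a Windows 'klist' dump against the checklist from Sumit's reply:
with an AD->IPA trust in place, a successful GSSAPI ssh login from a
domain-joined Windows box leaves two tickets in the cache,

    krbtgt/<IPA REALM> @ <AD REALM>        cross-realm TGT from the local DC
    host/<ipa-client-fqdn> @ <IPA REALM>   service ticket for the ssh server

and which one is missing says which side to debug.  Constructed example
for this thread, not code from FreeIPA or from any poster.  Realm and host
names are assumptions; the 'Server:' line layout is that of Windows klist.
"""
import re
from typing import List, Tuple

# Assumed names: the IPA realm is a DNS subdomain of the AD realm, as in the thread.
AD_REALM = "AD.EXAMPLE.COM"
IPA_REALM = "IPA.AD.EXAMPLE.COM"
IPA_CLIENT = "client1.ipa.ad.example.com"

# Windows klist prints one "Server: svc/name @ REALM" line per cached ticket.
_SERVER_RE = re.compile(r"^\s*Server:\s*(\S+)\s*@\s*(\S+)\s*$")


def parse_windows_klist(text: str) -> List[Tuple[str, str]]:
    """Return (service principal, realm) pairs from a Windows klist dump."""
    tickets = []
    for line in text.splitlines():
        m = _SERVER_RE.match(line)
        if m:
            tickets.append((m.group(1), m.group(2).upper()))
    return tickets


def triage(tickets, ipa_client_fqdn, ipa_realm=IPA_REALM, ad_realm=AD_REALM):
    """Map the cached tickets onto the checklist. Returns (stage, what to check next)."""
    want_service = f"host/{ipa_client_fqdn}".casefold()
    want_xrealm = f"krbtgt/{ipa_realm}".casefold()
    have_service = any(s.casefold() == want_service and r == ipa_realm.upper() for s, r in tickets)
    have_xrealm = any(s.casefold() == want_xrealm and r == ad_realm.upper() for s, r in tickets)
    if have_service:
        return ("service_ticket",
                "Kerberos on the Windows side is complete; if sshd still prompts, the ssh "
                "client is not offering gssapi-with-mic for this exact FQDN (compare with "
                "'sshd -d' on the IPA client, which should log 'Accepted gssapi-with-mic').")
    if have_xrealm:
        return ("cross_realm_only",
                f"The DC issued krbtgt/{ipa_realm}@{ad_realm} but no ticket for "
                f"host/{ipa_client_fqdn} was requested: enable GSSAPI in the ssh client "
                "and connect by the fully-qualified DNS name of the IPA client.")
    return ("no_cross_realm",
            f"No krbtgt/{ipa_realm}@{ad_realm} ticket: the client never tried GSSAPI "
            "for this host, or the local DC did not hand out a cross-realm ticket. "
            "Debug on the AD side first (the trust, and whether the DC maps the IPA "
            "client's DNS suffix to the IPA realm) before touching sshd.")


# Constructed klist output reproducing the state L. reports: only the AD TGT
# and an LDAP ticket, nothing for the IPA realm.
SAMPLE_NO_CROSS_REALM = f"""\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: tester1 @ {AD_REALM}
        Server: krbtgt/{AD_REALM} @ {AD_REALM}
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize

#1>     Client: tester1 @ {AD_REALM}
        Server: ldap/dc1.ad.example.com @ {AD_REALM}
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
"""


def _extra_ticket(index: int, server: str) -> str:
    """Append one more constructed ticket block in Windows klist layout."""
    return f"\n#{index}>     Client: tester1 @ {AD_REALM}\n        Server: {server}\n"


# Same cache after the DC issued the cross-realm TGT but no service ticket ...
SAMPLE_CROSS_REALM_ONLY = SAMPLE_NO_CROSS_REALM + _extra_ticket(2, f"krbtgt/{IPA_REALM} @ {AD_REALM}")
# ... and after a working GSSAPI login to the IPA client.
SAMPLE_WORKING = SAMPLE_CROSS_REALM_ONLY + _extra_ticket(3, f"host/{IPA_CLIENT} @ {IPA_REALM}")

if __name__ == "__main__":
    for name, dump in [("no_cross_realm", SAMPLE_NO_CROSS_REALM),
                       ("cross_realm_only", SAMPLE_CROSS_REALM_ONLY),
                       ("working", SAMPLE_WORKING)]:
        stage, advice = triage(parse_windows_klist(dump), IPA_CLIENT)
        print(f"{name}: {stage}\n  {advice}")
```

On the actual Windows client, replace the constructed dumps with the real output (for example `subprocess.run(["klist"], capture_output=True, text=True).stdout`) and pass the FQDN you type into the ssh client; the FQDN has to match exactly, because the service ticket is for `host/<that name>` and a short name or alias will not produce one.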