Hi,
I've run into a dead end debugging a case of passwordless authentication between two IPA'd hosts. Running `sshd -p 5000 -d` on the receiving host (let's call it HOST_B), I see this:
```
Postponed gssapi-with-mic for postgres from x.x.x.x port 57607 ssh2 [preauth]
debug1: Received some client credentials
debug1: ssh_gssapi_k5login_exists: Checking existence of file /home/USER/.k5login
Failed gssapi-with-mic for postgres from x.x.x.x port 57607 ssh2
```
The client then gets an interactive password prompt. Here are some facts and things I've tried:
* If I put the user into `.k5login` on the receiving host, it works.
* The receiving host is correctly enrolled into IPA. I can ssh from it to other hosts using GSSAPI.
* I can issue `kvno host/HOST_B` on the connecting host and I get a service ticket.
* It looks like all this happens before any pam stuff kicks in (?). So I'm ruling PAM issues out.
* No errors in the logs of the KDCs.
* The ticket from the connecting host is not expired.
* The sssd version is 1.16.0.
* Turning up the debugging in sssd with `debug_level = 7` for the domain section doesn't reveal anything obvious.
What else could I check?
Thanks for any ideas,
SG