On Tue, May 16, 2017 at 11:30:25AM +0200, Ronald Wimmer wrote:
> On 2017-05-15 21:27, Jakub Hrozek wrote:
> > [...]
> >
> > On Mon, May 15, 2017 at 03:54:22PM +0200, Ronald Wimmer wrote:
> > > Hi,
> > >
> > > I am confronted with a behaviour for which I do not have an explanation
> > > for.
> > >
> > > I am using NFS4 Kerberos automounted homeshares and recently I got a
> > > permission denied (reproducible when I restart autofs on the server I want
> > > to connect to) from the Windows Domain. So here's what I tried:
> > >
> > > 1) Connected via PuTTY from a Windows Machine in the windows domain
> > > Kerberos-based login works but I get a "Permission Denied" on my home
> > > directory; klist shows no tickets
> > No tickets at all? Not even an expired ticket?
> Unfortunately no tickets.

Did you ‘Allow GSSAPI credential delegation’ in the PuTTY configuration?
Additionally the internal Windows Kerberos handling only allows
delegation to hosts which have the ok-to-delegate flag set in the Kerberos
service ticket. Please check with 'ipa host-show hostname' if 'Trusted for
delegation: True', if not please try
'ipa host-mod hostname --ok-as-delegate=True'.

HTH

bye,
Sumit

> > Does running klist in cmd.exe show anything?
> Yes, it does:
> -bash-4.2$ klist
> klist: Credentials cache keyring 'persistent:1073895519:1073895519' not
> found
>
> And again... If I connect from my linux machine (within the ipa domain),
> tickets are there:
>
> -bash-4.2$ klist
> Ticket cache: KEYRING:persistent:1073895519:1073895519
> Default principal: myu...@mywindowdomain.at
>
> Valid starting Expires Service principal
> 2017-05-16 11:29:04 2017-05-16 15:43:45
> nfs/ipanfs.myipadomain...@myipadomain.at
> 2017-05-16 11:25:09 2017-05-16 15:43:45
> krbtgt/mywindowdomain...@mywindowdomain.at
> renew until 2017-05-16 15:43:45
>
> From this point on login from windows (AD domain) does - of course - work.
>
> Any ideas how to bring some light into this?
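
The two checks suggested in the reply above, combined into one diagnostic as an added example that is not part of the original thread: it classifies `klist` output from the SSH session and reads the `Trusted for delegation` line of `ipa host-show`. The function names, result labels and sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Function names and sample data are constructed.

# Classify klist output: no-cache | no-tgt | tgt-present
classify_klist() {
    if printf '%s\n' "$1" | grep -q 'Credentials cache .* not found'; then
        echo no-cache
    elif printf '%s\n' "$1" | grep -q 'krbtgt/'; then
        echo tgt-present
    else
        echo no-tgt
    fi
}

# Succeeds only if `ipa host-show` output reports the host as trusted for delegation.
host_trusted_for_delegation() {
    printf '%s\n' "$1" |
        grep -Eiq '^[[:space:]]*Trusted for delegation:[[:space:]]*True[[:space:]]*$'
}

# $1 = klist output from the SSH session, $2 = `ipa host-show <host>` output
diagnose() {
    case "$(classify_klist "$1")" in
        tgt-present) echo tgt-delegated ;;
        *)
            # No TGT arrived: either the host flag or the client setting is missing.
            if host_trusted_for_delegation "$2"; then
                echo check-client-delegation-setting
            else
                echo host-not-trusted-for-delegation
            fi ;;
    esac
}

# Constructed samples (realm and host names are placeholders).
KLIST_NONE="klist: Credentials cache keyring 'persistent:1000:1000' not found"
KLIST_TGT='Ticket cache: KEYRING:persistent:1000:1000
Default principal: user@AD.EXAMPLE

Valid starting       Expires              Service principal
2017-05-16 11:25:09  2017-05-16 15:43:45  krbtgt/AD.EXAMPLE@AD.EXAMPLE'
HOST_UNTRUSTED='  Host name: nfsclient.ipa.example
  Trusted for delegation: False'
HOST_TRUSTED='  Host name: nfsclient.ipa.example
  Trusted for delegation: True'

diagnose "$KLIST_NONE" "$HOST_UNTRUSTED"
# Live use on the target host:
#   diagnose "$(klist 2>&1)" "$(ipa host-show "$(hostname -f)")"
```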