On Tue, May 16, 2017 at 11:30:25AM +0200, Ronald Wimmer wrote:
> On 2017-05-15 21:27, Jakub Hrozek wrote:
> > [...]
> > 
> > On Mon, May 15, 2017 at 03:54:22PM +0200, Ronald Wimmer wrote:
> > > Hi,
> > > 
> > > I am confronted with a behaviour for which I do not have an explanation.
> > > 
> > > I am using NFS4 Kerberos automounted homeshares and recently I got a
> > > permission denied (reproducible when I restart autofs on the server I want
> > > to connect to) from the Windows Domain. So here's what I tried:
> > > 
> > > 1) Connected via PuTTY from a Windows Machine in the windows domain
> > >      Kerberos-based login works but I get a "Permission Denied" on my home
> > > directory; klist shows no tickets
> > No tickets at all? Not even an expired ticket?
> Unfortunately no tickets.

Did you ‘Allow GSSAPI credential delegation’ in the PuTTY configuration?
Additionally the internal Windows Kerberos handling only allows
delegation to hosts which have the ok-to-delegate flag set in the
Kerberos service ticket.

Please check with 'ipa host-show hostname' whether it shows 'Trusted for
delegation: True'; if not, please try 'ipa host-mod hostname --ok-as-delegate=True'.

HTH

bye,
Sumit

> > Does running klist in cmd.exe show anything?
> Yes, it does:
> -bash-4.2$ klist
> klist: Credentials cache keyring 'persistent:1073895519:1073895519' not
> found
> 
> And again... If I connect from my linux machine (within the ipa domain),
> tickets are there:
> 
> -bash-4.2$ klist
> Ticket cache: KEYRING:persistent:1073895519:1073895519
> Default principal: myu...@mywindowdomain.at
> 
> Valid starting       Expires              Service principal
> 2017-05-16 11:29:04  2017-05-16 15:43:45
> nfs/ipanfs.myipadomain...@myipadomain.at
> 2017-05-16 11:25:09  2017-05-16 15:43:45
> krbtgt/mywindowdomain...@mywindowdomain.at
>     renew until 2017-05-16 15:43:45
> 
> From this point on login from windows (AD domain) does - of course - work.
> 
> Any ideas how to bring some light into this?
> 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
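
Added example, not part of the original thread or the FreeIPA project: reading MIT `klist -f` output to check the two conditions discussed above, whether a cache holds a forwarded (delegated) TGT (flag `f`) and whether a service ticket carries ok-as-delegate (flag `O`). The realms, host names and both sample caches are constructed; the function names are hypothetical.

```python
import re

# One ticket row: start date+time, expiry date+time, service principal.
TICKET = re.compile(r"^(\d\S*\s\S+)\s+(\d\S*\s\S+)\s+(\S+@\S+)\s*$")
FLAGS = re.compile(r"Flags:\s*([A-Za-z]+)")

def parse_klist_flags(text):
    """Map each service principal in `klist -f` output to its flag letters."""
    tickets, current = {}, None
    for line in text.splitlines():
        row = TICKET.match(line)
        if row:
            current = row.group(3)
            tickets[current] = ""
        elif current and (found := FLAGS.search(line)):
            tickets[current] = found.group(1)
    return tickets

def has_forwarded_tgt(text):
    """True if a krbtgt ticket carries 'f' (forwarded), i.e. it was delegated."""
    return any(p.startswith("krbtgt/") and "f" in fl
               for p, fl in parse_klist_flags(text).items())

def ok_as_delegate(text, service):
    """True if the ticket for `service` carries 'O' (ok-as-delegate)."""
    return "O" in parse_klist_flags(text).get(service, "")

# Constructed sample: cache on the SSH server after a login with delegation.
SERVER_CACHE = """Ticket cache: KEYRING:persistent:1000:1000
Default principal: user@AD.EXAMPLE

Valid starting       Expires              Service principal
2017-05-16 11:25:09  2017-05-16 15:43:45  krbtgt/AD.EXAMPLE@AD.EXAMPLE
    renew until 2017-05-16 15:43:45, Flags: FfRA
"""

# Constructed sample: cache on a client holding tickets for two services.
CLIENT_CACHE = """Valid starting       Expires              Service principal
2017-05-16 11:25:09  2017-05-16 15:43:45  krbtgt/AD.EXAMPLE@AD.EXAMPLE
    renew until 2017-05-16 15:43:45, Flags: FRIA
2017-05-16 11:29:04  2017-05-16 15:43:45  host/ssh1.ipa.example@IPA.EXAMPLE
    Flags: FRAO
2017-05-16 11:29:10  2017-05-16 15:43:45  nfs/nfs1.ipa.example@IPA.EXAMPLE
    Flags: FRA
"""

if __name__ == "__main__":
    print(has_forwarded_tgt(SERVER_CACHE))
    print(ok_as_delegate(CLIENT_CACHE, "host/ssh1.ipa.example@IPA.EXAMPLE"))
```

On a live system the input would come from running `klist -f` in the session being diagnosed; a missing cache parses to no tickets, so both checks return False.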