Hi Rob,

Not sure what the redhat docs describe, we're not using AD with this system.

It seems somehow that GSSAPI does not forward the Kerberos ticket obtained on 
the client machine correctly; when I connect to the machine I want to work on, 
it just says that the ticket has expired.

I'm still trying a few things, I'll post to the list when I've got something 
new.

/tony


On 2017-06-22 15:13, Rob Verduijn via FreeIPA-users wrote:
> If you are using gss-api and using putty to log in, did you do the thing 
> mentioned in 5.3.4.5
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-managing.html#kerberos-flags-services-hosts
> also see
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/kerberos-for-entries.html#kerberos-flags-services-hosts
> 
> Rob
> 
> 2017-06-22 13:50 GMT+02:00 Tony Brian Albers via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org>:
> 
>     Hi guys,
> 
>     We have a setup where the FreeIPA server also hosts the user's homedirs. 
> These are shared via NFSv4 and are automounted when a user logs in.
> 
>     [root@adm-001 ~]# cat /etc/exports
>     /data/home      172.16.216.0/24(rw,no_root_squash,sec=sys:krb5:krb5i:krb5p,fsid=1338)
> 
>     [root@adm-001 ~]# ipa automountkey-show
>     Location: default
>     Map: auto.home
>     Key: *
>       Key: *
>       Mount information: -fstype=nfs4,rw,sec=krb5,intr,hard adm-001.domain:/data/home/&
> 
> 
>     While normal ssh logins work (you ssh to the client and put in your 
> password), passwordless ssh does not work. It's obvious that passwordless 
> logins do not activate the kerberos ticket function, but that results in the 
> users being unable to read their own files in their homedirs.
> 
>     For now we ask users to not do passwordless login, but could we make the 
> latter work?
> 
>     TIA,
> 
>     /tony
> 
> 
>     --
>     Tony Albers
>     Systems administrator, IT-development
>     Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
>     Tel: +45 2566 2383 / +45 8946 2316
>     _______________________________________________
>     FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>     To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> 
> 
> 
> 
> 


-- 
Tony Albers
Systems administrator, IT-development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316
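Added example, not part of the thread above and not FreeIPA's or OpenSSH's own code: a POSIX sh check for the OpenSSH directives that decide whether a ticket held on the client is forwarded to the machine you log in to. A key-based login arrives with no Kerberos credential at all, so rpc.gssd on the NFS client has nothing to obtain an nfs/ service ticket with, which matches the "cannot read their own homedir" symptom; with GSSAPIAuthentication on both ends and GSSAPIDelegateCredentials on the client, the TGT is delegated at login instead. The two sample configs and the function names are constructed for this example. The check ignores Host/Match scoping, does not look at the FreeIPA host or service flags Rob's links describe, and does not tell you whether the user actually ran kinit on the client.

```shell
#!/bin/sh
# Constructed sample configs (stand-ins for /etc/ssh/ssh_config on the client
# and /etc/ssh/sshd_config on the server; not the thread's real files).
SAMPLE_SSH_CONFIG='# client: /etc/ssh/ssh_config
Host *
    GSSAPIAuthentication yes
    # GSSAPIDelegateCredentials yes   <- commented out, so no ticket is forwarded
    ForwardAgent no'

SAMPLE_SSHD_CONFIG='# server: /etc/ssh/sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
PubkeyAuthentication yes'

# Print the effective value of option $2 in the config text $1.
# OpenSSH takes the first matching directive, option names are
# case-insensitive, "Option value" and "Option=value" are both accepted,
# and comment lines are ignored.
ssh_option_value() {
    printf '%s\n' "$1" | awk -v opt="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        { gsub(/=/, " "); if (tolower($1) == opt) { print $2; exit } }'
}

# Return 0 when client and server are both set so that a client-side ticket
# is delegated on login; otherwise print each missing directive and return 1.
check_gssapi_delegation() {
    client_cfg=$1
    server_cfg=$2
    rc=0
    for pair in client:GSSAPIAuthentication client:GSSAPIDelegateCredentials \
                server:GSSAPIAuthentication; do
        side=${pair%%:*}
        opt=${pair#*:}
        case $side in
            client) val=$(ssh_option_value "$client_cfg" "$opt") ;;
            server) val=$(ssh_option_value "$server_cfg" "$opt") ;;
        esac
        if [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" != yes ]; then
            echo "missing on $side: $opt yes"
            rc=1
        fi
    done
    return $rc
}

# Run the check against the constructed samples.
if check_gssapi_delegation "$SAMPLE_SSH_CONFIG" "$SAMPLE_SSHD_CONFIG"; then
    echo "ticket delegation is configured on both ends"
else
    echo "a login from this client arrives without a Kerberos ticket;"
    echo "a sec=krb5 NFS home directory will not be readable"
fi
```

Against the real files, call check_gssapi_delegation "$(cat /etc/ssh/ssh_config)" "$(cat /etc/ssh/sshd_config)" on the respective hosts. The sample above reports only the commented-out GSSAPIDelegateCredentials line, which is the typical reason a ticket exists in klist on the client but never shows up on the server.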
