For the relevant hosts, yes exactly like that.

/tony

On 06/26/2017 11:22 AM, David Kreitschmann via FreeIPA-users wrote:
> Do you have something like this in ~/.ssh/config?
>
> Host *.example.com
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
>
>
>> On 26.06.2017 at 07:58, Tony Brian Albers via FreeIPA-users
>> <freeipa-users@lists.fedorahosted.org> wrote:
>>
>> Hi Rob,
>>
>> Not sure what the redhat docs describe, we're not using AD with this
>> system.
>>
>> It seems somehow that GSSAPI does not forward the kerberos ticket
>> obtained on the client machine correctly, when I connect to the
>> machine I want to work on, it just says that the ticket has expired.
>>
>> I'm still trying a few things, I'll post to the list when I've got
>> something new.
>>
>> /tony
>>
>>
>> On 2017-06-22 15:13, Rob Verduijn via FreeIPA-users wrote:
>>> If you are using gss-api and using putty to log in.
>>> Did you do the thing mentioned in 5.3.4.5
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-managing.html#kerberos-flags-services-hosts
>>> also see
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/kerberos-for-entries.html#kerberos-flags-services-hosts
>>>
>>> Rob
>>>
>>> 2017-06-22 13:50 GMT+02:00 Tony Brian Albers via FreeIPA-users
>>> <freeipa-users@lists.fedorahosted.org>:
>>>
>>>    Hi guys,
>>>
>>>    We have a setup where the FreeIPA server also hosts the user's
>>> homedirs. These are shared via NFSv4 and are automounted when a user
>>> logs in.
>>>
>>>    [root@adm-001 ~]# cat /etc/exports
>>>    /data/home 172.16.216.0/24(rw,no_root_squash,sec=sys:krb5:krb5i:krb5p,fsid=1338)
>>>
>>>    [root@adm-001 ~]# ipa automountkey-show
>>>    Location: default
>>>    Map: auto.home
>>>    Key: *
>>>      Key: *
>>>      Mount information: -fstype=nfs4,rw,sec=krb5,intr,hard adm-001.domain:/data/home/&
>>>
>>>
>>>    While normal ssh logins work (you ssh to the client and put in
>>> your password), passwordless ssh does not work. It's obvious that
>>> passwordless logins do not activate the kerberos ticket function, but
>>> that results in the users being unable to read their own files in
>>> their homedirs.
>>>
>>>    For now we ask users to not do passwordless login, but could we
>>> make the latter work?
>>>
>>>    TIA,
>>>
>>>    /tony
>>>
>>>
>>>    --
>>>    Tony Albers
>>>    Systems administrator, IT-development
>>>    Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
>>>    Tel: +45 2566 2383 / +45 8946 2316
>>>    _______________________________________________
>>>    FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>    To unsubscribe send an email to
>>> freeipa-users-le...@lists.fedorahosted.org
>>>
>>
>>
>> --
>> Tony Albers
>> Systems administrator, IT-development
>> Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
>> Tel: +45 2566 2383 / +45 8946 2316
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
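
Added example, not part of the original thread: a shell check of the client-side preconditions for the GSSAPI credential delegation discussed above, parsing `ssh -G` and MIT Kerberos `klist -f` output. The host name, principal and sample outputs are constructed, and the check covers neither the server's sshd settings nor ticket expiry.

```shell
#!/bin/sh
# Added example. Checks the client-side preconditions for GSSAPI ticket delegation.
# Live use: check_delegation "$(ssh -G node1.example.com)" "$(klist -f)"

# Constructed sample of `ssh -G <host>` output (OpenSSH prints lower-case keywords).
SAMPLE_SSH_G='hostname node1.example.com
gssapiauthentication yes
gssapidelegatecredentials no'

# Constructed sample of MIT `klist -f` output.
SAMPLE_KLIST='Default principal: alice@EXAMPLE.COM
Valid starting       Expires              Service principal
06/26/2017 08:00:00  06/27/2017 08:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA'

# ssh_opt KEYWORD: read `ssh -G` output on stdin, print the value of KEYWORD.
ssh_opt() { awk -v k="$1" '$1 == k { print $2; exit }'; }

# tgt_flags: read `klist -f` output on stdin, print the krbtgt ticket's flag letters.
tgt_flags() {
  awk '/krbtgt\// { seen = 1; next }
       seen && /Flags:/ { sub(/.*Flags: */, ""); print; exit }'
}

# check_delegation SSH_G_TEXT KLIST_TEXT: print one finding per line;
# return 0 if the client can delegate a TGT, 1 otherwise.
check_delegation() {
  rc=0
  auth=$(printf '%s\n' "$1" | ssh_opt gssapiauthentication)
  deleg=$(printf '%s\n' "$1" | ssh_opt gssapidelegatecredentials)
  flags=$(printf '%s\n' "$2" | tgt_flags)
  [ "$auth" = yes ] || { echo "FAIL GSSAPIAuthentication is '${auth:-unset}'"; rc=1; }
  [ "$deleg" = yes ] || { echo "FAIL GSSAPIDelegateCredentials is '${deleg:-unset}'"; rc=1; }
  case "$flags" in
    "")  echo "FAIL no krbtgt ticket in the cache; run kinit"; rc=1 ;;
    *F*) echo "OK TGT is forwardable (flags: $flags)" ;;
    *)   echo "FAIL TGT is not forwardable (flags: $flags); request one with kinit -f"; rc=1 ;;
  esac
  return "$rc"
}

# Run against the constructed samples; reports the GSSAPIDelegateCredentials setting.
check_delegation "$SAMPLE_SSH_G" "$SAMPLE_KLIST" || true
```

In `klist -f` output an upper-case `F` means forwardable and a lower-case `f` means the ticket was forwarded, so on the target host a successfully delegated TGT shows `f`.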
