On Thu, 2018-09-06 at 05:08 +0200, Jochen Hein via FreeIPA-users wrote: > > You used "ssh ipa01", right? And the host has been enrolleed with > ipa01.theinside.rnr?
Yes. > I have in my ~/.ssh/config: > CanonicalizeHostname always > CanonicalDomains example.org I can try that. But, it doesn't answer my question: why does GSSAPI delegation work for some hosts and not others? I'm going to assume I did something wrong, but I don't know what. For example, I can ssh from my Fedora desktop to ipa01. I don't have to use a password or an ssh key because my kerberos ticket allows me access. Then, from ipa01, I can ssh to anything else in the freeipa domain without a password or ssh key because GSSAPI delegation allows me access. I have some servers where I can login using kerberos tickets from my Fedora desktop, but GSSAPI delegation fails. I haven't been able to find a difference between them. -- Ranbir _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
