Hi, we have a working cross-realm trust between AD (2016, domain.local) -> IdM (RHEL 7.9, idm.domain.local).
So we can log in using our AD credentials to the RHEL servers and get Kerberos tickets, and the RBAC rules are enforced, coupled to AD groups mapped to IdM external groups. If I run klist.exe on a cmd prompt, I see several DOMAIN.LOCAL tickets on the Windows client. One thing I cannot seem to get working is to use PuTTY with GSSAPI delegation (user [email protected] and selecting the GSSAPI credentials delegation) on a Windows client joined to AD. So using name/password it works, but single sign-on does not. The only thing I can think of is a firewall, but I cannot find any documentation about firewall requirements between a Windows client and an IdM host. The only port open that I know of is 22/tcp for sshd, so the Windows host can get to PuTTY. This is a pretty locked-down setup; I have no access to the firewall logs or administrator rights on the Windows client to run a packet capture. Do you need Kerberos access from the Windows clients to the IdM servers for the trust? -- regards, Natxo
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
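The check a reader of this thread would want to run on the AD-joined Windows client, added here as an example and not part of the original post: in a cross-realm trust the AD KDC only issues a referral TGT (krbtgt/IDM.DOMAIN.LOCAL @ DOMAIN.LOCAL); the service ticket for host/<rhel-host>@IDM.DOMAIN.LOCAL that PuTTY's GSSAPI login needs must be fetched from an IdM KDC, so the client needs Kerberos (port 88) to the IdM servers, not just 22/tcp. The script uses the two realm names from the post; the IdM server and RHEL host names are placeholders, and nothing in it requires administrator rights.

```powershell
# Added diagnostic for the PuTTY/GSSAPI single sign-on problem above; not from the original post.
# Assumptions: AD realm DOMAIN.LOCAL and IdM realm IDM.DOMAIN.LOCAL (both from the post);
# $IdmKdc and $SshHost are placeholders and must be replaced with the real FQDNs.
param(
    [string]$AdRealm  = 'DOMAIN.LOCAL',
    [string]$IdmRealm = 'IDM.DOMAIN.LOCAL',
    [string]$IdmKdc   = 'ipa-server.idm.domain.local',   # placeholder: an IdM server
    [string]$SshHost  = 'rhel-host.idm.domain.local'     # placeholder: the SSH target
)

# 1. Is there already a cross-realm (referral) TGT issued by AD for the IdM realm?
#    Windows klist prints ticket names as "Server: krbtgt/IDM.DOMAIN.LOCAL @ DOMAIN.LOCAL".
$before     = klist.exe 2>&1 | Out-String
$crossRealm = "krbtgt/$IdmRealm @ $AdRealm"
if ($before -match [regex]::Escape($crossRealm)) {
    "OK   cross-realm TGT present: $crossRealm"
} else {
    "INFO no cross-realm TGT yet ($crossRealm); AD issues it on the first request for a service in $IdmRealm"
}

# 2. Ask the Windows Kerberos client for the service ticket PuTTY needs.
#    Following the referral makes the client contact an IdM KDC directly.
$spn = "host/$SshHost@$IdmRealm"
klist.exe get $spn 2>&1 | Out-Null
$after = klist.exe 2>&1 | Out-String
if ($after -match [regex]::Escape("host/$SshHost @ $IdmRealm")) {
    "OK   service ticket for $spn obtained; GSSAPI SSO should work"
} else {
    "FAIL could not obtain $spn; the client must reach an IdM KDC on port 88 (TCP; UDP too unless the client is forced to TCP)"
}

# 3. Plain reachability of the IdM KDC on 88/tcp, independent of Kerberos itself.
$t = Test-NetConnection -ComputerName $IdmKdc -Port 88 -WarningAction SilentlyContinue
"{0} TCP 88 to {1}" -f ($(if ($t.TcpTestSucceeded) { 'OK  ' } else { 'FAIL' }), $IdmKdc)
```

A FAIL on step 2 together with a FAIL on step 3 points at the firewall between the Windows client and the IdM servers; a FAIL on step 2 with step 3 OK points at name resolution or realm mapping for idm.domain.local on the client instead.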
