DNS is OK.

I run kinit on client.example.com.
Access client.example.com from node.example.com:

> ssh -v ad...@client.example.com
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password
> debug1: Next authentication method: gssapi-with-mic
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Credentials cache file '/tmp/krb5cc_0' not found
>
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Credentials cache file '/tmp/krb5cc_0' not found
>
> debug1: Unspecified GSS failure.  Minor code may provide more information
>

It seems the ssh-client was trying to load /tmp/krb5cc_0. I don't run kinit
on node.example.com, so there is such file. But I can find it on the
client.example.com.

Can node.example.com access client.example.com without any ipa
configuration?

Do I need to install ipa-client on the node.example.com? The document is
wrong?

On Sat, Jan 23, 2010 at 11:54 AM, Scott <scott.kamin...@gmail.com> wrote:

>
> first I would verify that dns is functional both forward and reverse.
>
> If that is okay try doing a kinit first then try to connect.
>
>
> Sent from my iPhone
>
> On Jan 22, 2010, at 7:34 PM, Michael Kang <wxi...@gmail.com> wrote:
>
> Hi all,
>
> I'm trying to configure client ssh access on Fedora 12 and I can't access
> ipaclient without password.
>
> I'm following this document:
>
> <http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/sect-Client_Configuration_Guide-Configuring_Fedora_as_an_IPA_Client-Configuring_Client_SSH_Access.html>
> http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/sect-Client_Configuration_Guide-Configuring_Fedora_as_an_IPA_Client-Configuring_Client_SSH_Access.html
>
> At the end of this document:
>
>> The IPA client should now be fully configured to accept incoming 
>> SSHconnections and authenticate with the user's
>> Kerberos credentials. Use the following command on another machine to
>> test the configuration. This should succeed without asking for a password.
>>
>  # ssh <ad...@ipaclient.example.com>ad...@ipaclient.example.com
>
> As I see it, another machine don't need to install any ipa software and it
> can access ipaclient without password.
>
> I have three Fedora machine:
>
>    - <http://ipa.example.com>ipa.example.com(IPA Server)
>    - <http://client.example.com>client.example.com(IPA Client)
>    - <http://node.example.com>node.example.com(another machine which was
>    not installed ipa-client or ipa-server)
>
> The <http://client.example.com>client.example.com can access
> <http://ipa.example.com>ipa.example.com without password. But the
> <http://node.example.com>node.example.com can't access
> <http://client.example.com>client.example.com.
>
> Do I misunderstand the document or configure incorrect?
>
> Thanks,
> Michael
>
> --
> Michael Kang(康上明学)
> There is a giant asleep within every man. When the giant awakens,miracles
> happen.
>
> Personal blog: <http://ufusion.org>http://ufusion.org - United Fusion
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>


-- 
Michael Kang(康上明学)
There is a giant asleep within every man. When the giant awakens,miracles
happen.

Personal blog: http://ufusion.org - United Fusion
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to