From what I understand from your email, 

You don't have Kerberos credentials; that's why it's complaining about not being 
able to read the file /tmp/krb5cc_0. 

Firstly, does the admin account in ipaclient.example.com exist? And if so, can 
you get a Kerberos ticket for admin from node.example.com? 

You should have a minimally working Kerberos client configuration for 
node.example.com, i.e. krb5.conf.  

John Robert Mendoza

--- On Sat, 1/23/10, Michael Kang <wxi...@gmail.com> wrote:

From: Michael Kang <wxi...@gmail.com>
Subject: Re: [Freeipa-users] Configuring Client SSH Access Failure
To: "Scott" <scott.kamin...@gmail.com>
Cc: "freeipa-users" <freeipa-users@redhat.com>
Date: Saturday, 23 January, 2010, 1:12 PM

DNS is OK.

I run kinit on client.example.com.
Access client.example.com from node.example.com:

ssh -v ad...@client.example.com
debug1: Authentications that can continue: publickey,gssapi-with-mic,password

debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug1: Unspecified GSS failure.  Minor code may provide more information

Credentials cache file '/tmp/krb5cc_0' not found

debug1: Unspecified GSS failure.  Minor code may provide more information

It seems the ssh-client was trying to load /tmp/krb5cc_0. I don't run kinit on 
node.example.com, so there is such file. But I can find it on the 
client.example.com.


Can node.example.com access client.example.com without any ipa configuration?

Do I need to install ipa-client on the node.example.com? Is the document wrong?


On Sat, Jan 23, 2010 at 11:54 AM, Scott <scott.kamin...@gmail.com> wrote:


First I would verify that DNS is functional both forward and reverse. 
If that is okay, try doing a kinit first, then try to connect. 

Sent from my iPhone

On Jan 22, 2010, at 7:34 PM, Michael Kang <wxi...@gmail.com> wrote:


Hi all,

I'm trying to configure client ssh access on Fedora 12 and I can't access 
ipaclient without password.

I'm following this document:
http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/sect-Client_Configuration_Guide-Configuring_Fedora_as_an_IPA_Client-Configuring_Client_SSH_Access.html



At the end of this document:

    The IPA client should now be fully configured to accept incoming SSH
    connections and authenticate with the user's Kerberos credentials. Use
    the following command on another machine to test the configuration.
    This should succeed without asking for a password.

    # ssh ad...@ipaclient.example.com

As I see it, another machine doesn't need to install any IPA software and it 
can access ipaclient without a password.

I have three Fedora machines:
ipa.example.com (IPA Server)
client.example.com (IPA Client)
node.example.com (another machine on which neither ipa-client nor ipa-server 
was installed)

The client.example.com can access ipa.example.com without a password. But the 
node.example.com can't access client.example.com.

Do I misunderstand the document, or is my configuration incorrect?

Thanks,
Michael

-- 
Michael Kang(康上明学)
There is a giant asleep within every man. When the giant awakens,miracles 
happen.



Personal blog: http://ufusion.org - United Fusion

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com

https://www.redhat.com/mailman/listinfo/freeipa-users


-- 

Michael Kang(康上明学)
There is a giant asleep within every man. When the giant awakens,miracles 
happen.

Personal blog: http://ufusion.org - United Fusion
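
The failure discussed in this thread, as an added example that is not part of any message above: a small triage script that reads `ssh -v` debug output and reports why gssapi-with-mic did not succeed. The helper names diagnose_gssapi and cache_uid are hypothetical, and the sample log is constructed from the debug lines quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: triage a failed gssapi-with-mic attempt
# from `ssh -v` debug output.

# Constructed sample, modelled on the debug lines quoted in the thread.
SAMPLE_LOG="debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug1: Next authentication method: password"

# diagnose_gssapi (hypothetical helper): reads ssh -v output on stdin and
# prints one verdict token.
diagnose_gssapi() {
    log=$(cat)
    if ! printf '%s\n' "$log" |
        grep -q 'Authentications that can continue:.*gssapi-with-mic'; then
        echo "server-does-not-offer-gssapi"; return 0
    fi
    if ! printf '%s\n' "$log" |
        grep -q 'Next authentication method: gssapi-with-mic'; then
        echo "client-did-not-try-gssapi"; return 0
    fi
    cc=$(printf '%s\n' "$log" |
        sed -n "s/^Credentials cache file '\(.*\)' not found.*/\1/p" | head -n 1)
    if [ -n "$cc" ]; then
        echo "no-ticket-cache:$cc"; return 0
    fi
    if printf '%s\n' "$log" | grep -q 'Unspecified GSS failure'; then
        echo "gss-failure-other"; return 0
    fi
    echo "no-gss-failure-seen"
}

# cache_uid (hypothetical helper): MIT Kerberos names the default file cache
# /tmp/krb5cc_<uid>, so the path shows which local user lacked a ticket.
cache_uid() {
    uid=${1##*/krb5cc_}
    printf '%s\n' "${uid%%_*}"
}

verdict=$(printf '%s\n' "$SAMPLE_LOG" | diagnose_gssapi)
echo "$verdict"
case "$verdict" in
    no-ticket-cache:*)
        echo "uid $(cache_uid "${verdict#no-ticket-cache:}") has no ticket on this host; run kinit here, then klist" ;;
esac
```

On a live host, ssh writes its debug lines to stderr, so pipe the output of `ssh -v user@host true 2>&1` (user@host is a placeholder) into diagnose_gssapi.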

