On Fri, Jan 04, 2013 at 04:14:36PM +0100, Han Boetes wrote:
> You are absolutely right; the credentials aren't forwarded.
>
> I have enabled the option "allow gssapi credential delegation". So one
> would expect that it should work.
>
> I just installed the mit kerberos tools and I can see all the options and
> forwarding tickets is allowed according to the interface. Also putty is now
> using the mit kerberos dll; gssapi32.dll and still I get the same results.
>
> So the proper question is: how do I get putty to really forward the
> credentials?

This might be an issue with your putty version. Can you try Quest's
version of putty http://rc.quest.com/topics/putty/ , if you are not
already using it?

HTH

bye,
Sumit

>
>
> On Fri, Jan 4, 2013 at 3:58 PM, Rob Crittenden <[email protected]> wrote:
>
> > Han Boetes wrote:
> >
> >> I've set up windows with the instructions given over here:
> >>
> >> http://freeipa.com/page/Windows_authentication_against_FreeIPA
> >>
> >> And all seems to be working fine. After I run klist I see valid tickets:
> >>
> >> Microsoft Windows [Version 6.1.7601]
> >> Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
> >>
> >> C:\Users\fh>klist
> >>
> >> Aktuelle Anmelde-ID ist 0:0x153b25
> >>
> >> Zwischengespeicherte Tickets: (1)
> >>
> >> #0>     Client: fh @ REALM
> >>         Server: krbtgt/REALM @ REALM
> >>         KerbTicket (Verschlüsselungstyp): AES-256-CTS-HMAC-SHA1-96
> >>         Ticketkennzeichen 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
> >>         Startzeit: 1/4/2013 14:03:11 (lokal)
> >>         Endzeit: 1/5/2013 14:03:11 (lokal)
> >>         Erneuerungszeit: 1/11/2013 14:03:11 (lokal)
> >>         Sitzungsschlüsseltyp: AES-256-CTS-HMAC-SHA1-96
> >>
> >>
> >> I can do a passwordless login with the latest putty with kerberos
> >> authentication, I disabled password and key logins. And then on the
> >> host I checked klist and got this:
> >>
> >> [fh@test-server-ipa ~]$ klist
> >> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1554800011)
> >>
> >> sudo also doesn't work. To test the setup I did the same from linux host
> >> and login in, sudo, klist etc etc all work fine. So I checked the sshd
> >> -d output difference and the only difference I see is:
> >>
> >> -Postponed gssapi-with-mic for fh from 192.168.2.73 port 50334 ssh2
> >> -debug1: Received some client credentials
> >> +Postponed gssapi-with-mic for fh from 192.168.2.56 port 49168 ssh2
> >> +debug1: Got no client credentials
> >>
> >> Where .73 is the linux host and .56 is the windows host.
> >>
> >> What am I missing here?
> >>
> >
> > The problem isn't that authentication fails, it is that the credentials
> > aren't forwarded, right?
> >
> > Does putty support this?
> >
> > rob
> >
>
>
> --
>
> # Han
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
