On 01/04/13 06:56, Han Boetes wrote:
> Your information about the quest putty version seems to be outdated. ;-)
> 
> Quest Softare no longer maintains recent releases of PuTTY. To obtain
> the latest stable release of PuTTY please goto PuTTY Download Page
> * The functionality that was provided by Quest Software's PuTTY packages
> have now been included in the latest releases of PuTTY, making Quest
> PuTTY obsolete.
> 
> 
> I'm testdriving the centrify version at the moment and...
> 
> ~/debug% cat ~/out 
> Using Kerberos authentication
> Using principal fh@REALM
> Got host ticket host/test-server-ipa.domain@REALM
> login as fh@REALM
> 
> Kerberos authentication failed.  Please check
> 1) Unix login name is correct
> 2) Target service principal name is correct
> 3) Kerberos authentication is enabled in SSH server
> 4) Clock in the host is syncrhonized with the clock in AD
> 
> fh@REALM@test-server-ipa's password:
> Last login: Fri Jan  4 14:51:25 2013 from ipa-w7.domain
> [fh@test-server-ipa ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_1554800011_JDgpIu5465
> Default principal: fh@REALM
> 
> Valid starting     Expires            Service principal
> 01/04/13 14:52:49  01/05/13 14:52:49  krbtgt/REALM@REALM
> [fh@test-server-ipa ~]$
> 
> That's does provide a valid ticket but not a passwordless login.
> Actually I have to enter a pass twice here!
> 
> 
> 
> 
> 
> On Fri, Jan 4, 2013 at 4:25 PM, Sumit Bose <sb...@redhat.com
> <mailto:sb...@redhat.com>> wrote:
> 
>     On Fri, Jan 04, 2013 at 04:14:36PM +0100, Han Boetes wrote:
>     > You are absolutely right; the credentials aren't forwarded.
>     >
>     > I have enabled the option "allow gssapi credential delegation". So one
>     > would expect that it should work.
>     >
>     > I just installed the mit kerberos tools and I can see all the
>     options and
>     > forwarding tickets is allowed according to the interface. Also
>     putty is now
>     > using the mit kerberos dll; gssapi32.dll and still I get the same
>     results.
>     >
>     > So the proper question is: how do I get putty to really forward the
>     > credentials?
> 
>     This might be an issue with your putty version. Can you try Quest's
>     version of putty http://rc.quest.com/topics/putty/ , if you are not
>     already using it?
> 
>     HTH
> 
>     bye,
>     Sumit
> 
>     >
>     >
>     > On Fri, Jan 4, 2013 at 3:58 PM, Rob Crittenden
>     <rcrit...@redhat.com <mailto:rcrit...@redhat.com>> wrote:
>     >
>     > > Han Boetes wrote:
>     > >
>     > >> I've set up windows with the instructions given over here:
>     > >>
>     > >>
>     
> http://freeipa.com/page/**Windows_authentication_**against_FreeIPA<http://freeipa.com/page/Windows_authentication_against_FreeIPA>
>     > >>
>     > >> And all seems to be working fine. After I run klist I see valid
>     tickets:
>     > >>
>     > >> Microsoft Windows [Version 6.1.7601]
>     > >> Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
>     > >>
>     > >> C:\Users\fh>klist
>     > >>
>     > >> Aktuelle Anmelde-ID ist 0:0x153b25
>     > >>
>     > >> Zwischengespeicherte Tickets: (1)
>     > >>
>     > >> #0>     Client: fh @ REALM
>     > >>          Server: krbtgt/REALM @ REALM
>     > >>          KerbTicket (Verschl├╝sselungstyp): AES-256-CTS-HMAC-SHA1-96
>     > >>          Ticketkennzeichen 0x40e10000 -> forwardable renewable
>     initial
>     > >> pre_authen
>     > >> t name_canonicalize
>     > >>          Startzeit: 1/4/2013 14:03:11 (lokal)
>     > >>          Endzeit:   1/5/2013 14:03:11 (lokal)
>     > >>          Erneuerungszeit: 1/11/2013 14:03:11 (lokal)
>     > >>          Sitzungsschl├╝sseltyp: AES-256-CTS-HMAC-SHA1-96
>     > >>
>     > >>
>     > >> I can do a passwordless login with the latest putty with kerberos
>     > >> authentication,  I disabled password and key logins. And then
>     on the
>     > >> host I checked klist and got this:
>     > >>
>     > >> [fh@test-server-ipa ~]$ klist
>     > >> klist: No credentials cache found (ticket cache
>     > >> FILE:/tmp/krb5cc_1554800011)
>     > >>
>     > >> sudo also doesn't work. To test the setup I did the same from
>     linux host
>     > >> and login in, sudo, klist etc etc all work fine. So I checked
>     the sshd
>     > >> -d output difference and the only difference I see is:
>     > >>
>     > >> -Postponed gssapi-with-mic for fh from 192.168.2.73 port 50334 ssh2
>     > >> -debug1: Received some client credentials
>     > >> +Postponed gssapi-with-mic for fh from 192.168.2.56 port 49168 ssh2
>     > >> +debug1: Got no client credentials
>     > >>
>     > >> Where .73 is the linux host and .56 is the windows host.
>     > >>
>     > >> What am I missing here?
>     > >>
>     > >
>     > > The problem isn't that authentication fails, it is that the
>     credentials
>     > > aren't forwarded, right?
>     > >
>     > > Does putty support this?
>     > >
>     > > rob
>     > >
>     > >
>     >
>     >
>     > --
>     >
>     >
>     >
>     > # Han
> 
>     > _______________________________________________
>     > Freeipa-users mailing list
>     > Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
>     > https://www.redhat.com/mailman/listinfo/freeipa-users
> 
>     _______________________________________________
>     Freeipa-users mailing list
>     Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
>     https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> 
> 
> 
> -- 
> 
> 
> 
> # Han
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 

Just as a data point here, this can be done with the stock version of
putty and windows 7 or 8 with MIT kerberos. I have been doing exactly
this for a good while now, ever since the official puty integrated kerb
support. However, I am not working with Windows right now so I can't
give you any settings or pointers, all I can tell you is it can be done :).

-Erinn

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to