On 01/04/13 06:56, Han Boetes wrote:
> Your information about the quest putty version seems to be outdated. ;-)
>
> Quest Software no longer maintains recent releases of PuTTY. To obtain
> the latest stable release of PuTTY please go to PuTTY Download Page
> * The functionality that was provided by Quest Software's PuTTY packages
> has now been included in the latest releases of PuTTY, making Quest
> PuTTY obsolete.
>
> I'm test-driving the centrify version at the moment and...
>
> ~/debug% cat ~/out
> Using Kerberos authentication
> Using principal fh@REALM
> Got host ticket host/test-server-ipa.domain@REALM
> login as fh@REALM
>
> Kerberos authentication failed. Please check
> 1) Unix login name is correct
> 2) Target service principal name is correct
> 3) Kerberos authentication is enabled in SSH server
> 4) Clock in the host is syncrhonized with the clock in AD
>
> fh@REALM@test-server-ipa's password:
> Last login: Fri Jan 4 14:51:25 2013 from ipa-w7.domain
> [fh@test-server-ipa ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_1554800011_JDgpIu5465
> Default principal: fh@REALM
>
> Valid starting     Expires            Service principal
> 01/04/13 14:52:49  01/05/13 14:52:49  krbtgt/REALM@REALM
> [fh@test-server-ipa ~]$
>
> That does provide a valid ticket but not a passwordless login.
> Actually I have to enter a pass twice here!
>
> On Fri, Jan 4, 2013 at 4:25 PM, Sumit Bose <sb...@redhat.com
> <mailto:sb...@redhat.com>> wrote:
>
> On Fri, Jan 04, 2013 at 04:14:36PM +0100, Han Boetes wrote:
> > You are absolutely right; the credentials aren't forwarded.
> >
> > I have enabled the option "allow gssapi credential delegation". So one
> > would expect that it should work.
> >
> > I just installed the mit kerberos tools and I can see all the options and
> > forwarding tickets is allowed according to the interface. Also putty is now
> > using the mit kerberos dll; gssapi32.dll and still I get the same results.
> >
> > So the proper question is: how do I get putty to really forward the
> > credentials?
>
> This might be an issue with your putty version. Can you try Quest's
> version of putty http://rc.quest.com/topics/putty/ , if you are not
> already using it?
>
> HTH
>
> bye,
> Sumit
>
> > On Fri, Jan 4, 2013 at 3:58 PM, Rob Crittenden
> > <rcrit...@redhat.com <mailto:rcrit...@redhat.com>> wrote:
> >
> > > Han Boetes wrote:
> > >
> > >> I've set up windows with the instructions given over here:
> > >>
> > >> http://freeipa.com/page/**Windows_authentication_**against_FreeIPA<http://freeipa.com/page/Windows_authentication_against_FreeIPA>
> > >>
> > >> And all seems to be working fine. After I run klist I see valid tickets:
> > >>
> > >> Microsoft Windows [Version 6.1.7601]
> > >> Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
> > >>
> > >> C:\Users\fh>klist
> > >>
> > >> Aktuelle Anmelde-ID ist 0:0x153b25
> > >>
> > >> Zwischengespeicherte Tickets: (1)
> > >>
> > >> #0> Client: fh @ REALM
> > >>     Server: krbtgt/REALM @ REALM
> > >>     KerbTicket (Verschlüsselungstyp): AES-256-CTS-HMAC-SHA1-96
> > >>     Ticketkennzeichen 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
> > >>     Startzeit: 1/4/2013 14:03:11 (lokal)
> > >>     Endzeit: 1/5/2013 14:03:11 (lokal)
> > >>     Erneuerungszeit: 1/11/2013 14:03:11 (lokal)
> > >>     Sitzungsschlüsseltyp: AES-256-CTS-HMAC-SHA1-96
> > >>
> > >> I can do a passwordless login with the latest putty with kerberos
> > >> authentication, I disabled password and key logins. And then on the
> > >> host I checked klist and got this:
> > >>
> > >> [fh@test-server-ipa ~]$ klist
> > >> klist: No credentials cache found (ticket cache
> > >> FILE:/tmp/krb5cc_1554800011)
> > >>
> > >> sudo also doesn't work. To test the setup I did the same from a linux host
> > >> and logging in, sudo, klist etc. all work fine. So I checked the sshd
> > >> -d output difference and the only difference I see is:
> > >>
> > >> -Postponed gssapi-with-mic for fh from 192.168.2.73 port 50334 ssh2
> > >> -debug1: Received some client credentials
> > >> +Postponed gssapi-with-mic for fh from 192.168.2.56 port 49168 ssh2
> > >> +debug1: Got no client credentials
> > >>
> > >> Where .73 is the linux host and .56 is the windows host.
> > >>
> > >> What am I missing here?
> > >>
> > >
> > > The problem isn't that authentication fails, it is that the credentials
> > > aren't forwarded, right?
> > >
> > > Does putty support this?
> > >
> > > rob
> > >
> >
> > --
> >
> > # Han
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
>
> # Han
>
Just as a data point here, this can be done with the stock version of putty and Windows 7 or 8 with MIT Kerberos. I have been doing exactly this for a good while now, ever since the official putty integrated kerb support. However, I am not working with Windows right now so I can't give you any settings or pointers; all I can tell you is it can be done :).

-Erinn
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
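An added example, not part of the thread and not code from any of the posters: a small Python diagnostic for the two artefacts quoted above. It decodes a Windows klist ticket-flags value such as the 0x40e10000 shown (the flag table follows RFC 4120 section 5.4.1 plus the Windows-specific name_canonicalize bit) so you can confirm the TGT is forwardable, and it classifies sshd -d lines by whether delegated credentials arrived, using the exact lines from the thread as sample input.

```python
import re

# Kerberos ticket flag bits (RFC 4120 5.4.1) plus the Windows-only
# name_canonicalize bit that the Windows klist in the thread reports.
TICKET_FLAGS = {
    0x40000000: "forwardable", 0x20000000: "forwarded",
    0x10000000: "proxiable", 0x08000000: "proxy",
    0x04000000: "may_postdate", 0x02000000: "postdated",
    0x01000000: "invalid", 0x00800000: "renewable",
    0x00400000: "initial", 0x00200000: "pre_authent",
    0x00100000: "hw_authent", 0x00080000: "transited_policy_checked",
    0x00040000: "ok_as_delegate", 0x00010000: "name_canonicalize",
}

def decode_ticket_flags(hex_flags):
    """Names of the flags set in a klist ticket-flags value such as 0x40e10000."""
    value = int(hex_flags, 16)
    return [name for bit, name in TICKET_FLAGS.items() if value & bit]

def tgt_is_forwardable(hex_flags):
    """Delegation cannot work unless the TGT carries the forwardable flag."""
    return "forwardable" in decode_ticket_flags(hex_flags)

# sshd -d reports, right after the gssapi-with-mic exchange, whether the
# client delegated credentials; this is the diff shown in the thread.
POSTPONED_RE = re.compile(r"Postponed gssapi-with-mic for (\S+) from (\S+) port (\d+)")

def delegation_status(sshd_debug_lines):
    """Map each client address in sshd -d output to True (credentials
    delegated), False (none delegated) or None (no verdict seen)."""
    status, current = {}, None
    for line in sshd_debug_lines:
        m = POSTPONED_RE.search(line)
        if m:
            current = m.group(2)
            status.setdefault(current, None)
        elif current and "Received some client credentials" in line:
            status[current] = True
        elif current and "Got no client credentials" in line:
            status[current] = False
    return status

# Sample input taken from the sshd -d diff quoted in the thread.
SAMPLE_SSHD_DEBUG = [
    "Postponed gssapi-with-mic for fh from 192.168.2.73 port 50334 ssh2",
    "debug1: Received some client credentials",
    "Postponed gssapi-with-mic for fh from 192.168.2.56 port 49168 ssh2",
    "debug1: Got no client credentials",
]
```

A forwardable TGT on the client plus "Got no client credentials" on the server points at the client not delegating, not at the ticket or sshd configuration.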