On Mon, Feb 18, 2013 at 09:02:13PM -0800, Brian Cook wrote:
> This fixed it.  That makes perfect sense, but nothing in the log made me 
> think that this was the problem.
> 
> There was an auth_to_local rule set up, which I saved, which did not work.  Is 
> this a bug that we need to open a ticket for?  Seems like installer is 
> putting an inadequate regular expression in the rule.

You only see related messages in /var/log/secure if you increase the
debug level of sshd.

The auth_to_local rule is not added by the installer but has to be added
manually if you prefer this instead of using .k5login. The next major
release of MIT Kerberos will have a plugin interface for auth_to_local
which we plan to use. With this, the rules are not needed anymore.

HTH

bye,
Sumit

> 
> Thanks!
> Brian
> 
> 
> 
> On Feb 18, 2013, at 7:35 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> 
> > Brian Cook wrote:
> >> More info - attached var/log/secure, and sshd_config.
> >> 
> >> Password authentication works, just gssapi fails.  In the securecrt 
> >> provided I have disabled password auth as an option.
> > 
> > Create a .k5login in the home directory of your user. What I did was log in 
> > as administrat...@ad.example.com using the password, create .k5login 
> > containing that principal, log out, then I was able to log back in using 
> > SSO.
> > 
> > You should be able to add something like this to /etc/krb5.conf if you have 
> > a lot of users you want to do SSO:
> > 
> >    auth_to_local = RULE:[1:$1@$0](^.*@TRUSTED.DOMAIN$)s/@TRUSTED.DOMAIN/@trusted.domain/
> >    auth_to_local = DEFAULT
> > 
> > See 'info krb5-admin "Configuration Files" "krb5.conf" "realms 
> > (krb5.conf)"' for more details and examples for auth_to_local.
> > 
> > rob
> > 
> >> 
> >> On Feb 18, 2013, at 3:58 PM, Brian Cook <bc...@redhat.com> wrote:
> >> 
> >>> I am trying to ssh from Windows -> IPA server using GSS-API.  I've tried 
> >>> putty, which provides very little debug out.  I then downloaded securecrt 
> >>> which provides more output.
> >>> 
> >>> On the server side, I just see postponed gss-with-mic  and then a failure 
> >>> message.  I'm attaching the output from securecrt.  Any help would be 
> >>> greatly appreciated.
> >>> 
> >>> Thanks,
> >>> Brian
> >>> 
> >>> <securecrt-out.rtf>_______________________________________________
> >>> Freeipa-users mailing list
> >>> Freeipa-users@redhat.com
> >>> https://www.redhat.com/mailman/listinfo/freeipa-users
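A simplified Python model of how the two auth_to_local lines quoted in this thread are evaluated, added here as an illustration and not taken from the thread or from the MIT Kerberos sources. The default realm, the sample principals and the helper names `apply_rule` and `map_principal` are constructed, and the requirement that the regexp match the whole selection string is modelled with `re.fullmatch`.

```python
import re

# Constructed values for illustration; substitute your own realms.
DEFAULT_REALM = "IPA.EXAMPLE.COM"
RULES = [
    "RULE:[1:$1@$0](^.*@TRUSTED.DOMAIN$)s/@TRUSTED.DOMAIN/@trusted.domain/",
    "DEFAULT",
]

# RULE:[n:format](regexp)s/pattern/replacement/[g]
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")

def apply_rule(rule, principal, default_realm=DEFAULT_REALM):
    """Return the local name this rule yields, or None if it does not apply."""
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals of the default realm.
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule: " + rule)
    ncomp, fmt, regexp, pat, repl, gflag = m.groups()
    if len(comps) != int(ncomp):
        return None  # rule is written for a different number of components
    # Build the selection string: $0 is the realm, $N the Nth component.
    fields = [realm] + comps
    selection = re.sub(r"\$(\d)", lambda d: fields[int(d.group(1))], fmt)
    if regexp and not re.fullmatch(regexp, selection):
        return None
    if pat is not None:
        # sed-style substitution; without the g flag only the first match changes.
        selection = re.sub(pat, repl, selection, count=0 if gflag else 1)
    return selection

def map_principal(principal, rules=RULES):
    """Try the rules in order; the first one that applies wins."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None  # no mapping: GSSAPI login is refused unless .k5login allows it
```

The dots in `TRUSTED.DOMAIN` are regex wildcards in both the match and the substitution; writing them as `\.` keeps the rule to the literal realm name.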