hi, after successfully configuring the trust between 2 different domains (IPA.ASENJO.NX and AD.ASENJO.NX) I would like to login from the Windows host to the Linux host using the trusted Kerberos tickets.
This is my krb5.conf in the Linux host:

includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IPA.ASENJO.NX
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 IPA.ASENJO.NX = {
  kdc = kdc.ipa.asenjo.nx:88
  admin_server = kdc.ipa.asenjo.nx:749
  default_domain = ipa.asenjo.nx
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@ $0](^.*@AD.ASENJO.NX$)s/@AD.ASENJO.NX/@ad.asenjo.nx/
  auth_to_local = DEFAULT
 }

[domain_realm]
 .ipa.asenjo.nx = IPA.ASENJO.NX
 ipa.asenjo.nx = IPA.ASENJO.NX

[dbmodules]
 # IPA.ASENJO.NX = {
 #  db_library = kldap
 #  ldap_servers = ldapi://%2fvar%2frun%2fslapd-IPA-ASENJO-NX.socket
 #  ldap_kerberos_container_dn = cn=kerberos,dc=ipa,dc=asenjo,dc=nx
 #  ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=ipa,dc=asenjo,dc=nx
 #  ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=ipa,dc=asenjo,dc=nx
 #  ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
 # }
 IPA.ASENJO.NX = {
  db_library = ipadb.so
 }

and in /etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss, pam, ssh, pac
domains = ipa.asenjo.nx

[nss]

[pam]

[domain/ipa.asenjo.nx]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.asenjo.nx
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = kdc.ipa.asenjo.nx
chpass_provider = ipa
ipa_server = kdc.ipa.asenjo.nx
ldap_tls_cacert = /etc/ipa/ca.crt
subdomains_provider = ipa

I restarted the server after this change.

Then I created an external group like explained here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-groups.html

And tried logging in using ssh with putty from the Windows hosts (using the login administra...@ad.asenjo.nx, with GSS-API credentials delegation).
Unfortunately it keeps asking me for a password for the user administra...@ad.asenjo.nx@kdc.ipa.asenjo.nx, so it is adding the name of the Linux host to the login name. Any help greatly appreciated.

--
groet,
natxo

--
Groeten,
natxo
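For anyone reading this thread and wanting to check what the auth_to_local rules quoted above actually do to a principal before touching a live server, here is a small evaluator for the MIT krb5 RULE syntax ("RULE:[n:format](selector)s/pattern/replacement/"). This is an added example, not code from the original post or from FreeIPA/MIT krb5; it re-implements the documented mapping semantics with Python's re module (MIT uses POSIX regexes, so exotic patterns may differ), and it assumes the space in "$1@ $0" in the posted rule is a transcription artifact, so it evaluates both the posted form and the form without the space. The realm names and rules are copied from the quoted krb5.conf; the principals fed in are constructed test values.

```python
import re
from typing import List, Optional, Tuple

# Values copied from the krb5.conf quoted in the post above.
DEFAULT_REALM = "IPA.ASENJO.NX"
POSTED_RULE = "RULE:[1:$1@ $0](^.*@AD.ASENJO.NX$)s/@AD.ASENJO.NX/@ad.asenjo.nx/"
# Same rule with the stray space removed (assumed to be the intended form).
FIXED_RULE = "RULE:[1:$1@$0](^.*@AD.ASENJO.NX$)s/@AD.ASENJO.NX/@ad.asenjo.nx/"


def parse_rule(rule: str) -> Tuple[int, str, Optional[str], List[Tuple[str, str, str]]]:
    """Split 'RULE:[n:format](selector)s/pat/rep/g...' into its parts.

    The selector regex and the s/// substitutions are both optional.
    """
    if not rule.startswith("RULE:["):
        raise ValueError(f"not a RULE entry: {rule!r}")
    close = rule.index("]")
    n_str, fmt = rule[len("RULE:["):close].split(":", 1)
    rest = rule[close + 1:]
    selector = None
    if rest.startswith("("):
        end = rest.index(")")
        selector = rest[1:end]
        rest = rest[end + 1:]
    # Each substitution is s/<pattern>/<replacement>/ with an optional 'g'.
    subs = re.findall(r"s/((?:\\/|[^/])*)/((?:\\/|[^/])*)/(g?)", rest)
    return int(n_str), fmt, selector, subs


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Return the local name produced by one RULE, or None if it does not apply."""
    n, fmt, selector, subs = parse_rule(rule)
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    # A rule only applies to principals with exactly n components.
    if len(components) != n:
        return None
    # $0 is the realm, $1..$n are the principal components.
    variables = {"0": realm, **{str(i + 1): c for i, c in enumerate(components)}}
    candidate = re.sub(r"\$(\d+)", lambda m: variables.get(m.group(1), ""), fmt)
    # The selector regex must match the formatted string, otherwise skip the rule.
    if selector is not None and re.search(selector, candidate) is None:
        return None
    for pattern, replacement, flag in subs:
        candidate = re.sub(pattern, replacement, candidate, count=0 if flag == "g" else 1)
    return candidate


def map_principal(rules: List[str], principal: str, default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """Walk the auth_to_local list in order, as krb5 does, and return the first mapping.

    DEFAULT maps a single-component principal in the default realm to that component
    and nothing else; None means no rule produced a local name.
    """
    for rule in rules:
        if rule == "DEFAULT":
            name, realm = principal.rsplit("@", 1)
            if realm == default_realm and "/" not in name:
                return name
            continue
        result = apply_rule(rule, principal)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    # Constructed principals, not taken from the post.
    for rules in ([POSTED_RULE, "DEFAULT"], [FIXED_RULE, "DEFAULT"]):
        for principal in ("administrator@AD.ASENJO.NX", "admin@IPA.ASENJO.NX",
                          "host/kdc.ipa.asenjo.nx@IPA.ASENJO.NX"):
            print(f"{rules[0][:14]}... {principal:45} -> {map_principal(rules, principal)}")
```

Run as a script it prints the mapping for each rule set; with the space in the format string the AD principal is never matched by the selector, so it falls through to DEFAULT, which only covers IPA.ASENJO.NX, and the result is no local name at all. Note also that the unescaped dots in "^.*@AD.ASENJO.NX$" match any character, which is harmless here but worth escaping in a production rule.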
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users