hi,

after successfully configuring the trust between 2 different domains
(IPA.ASENJO.NX and AD.ASENJO.NX) I would like to log in from the windows
host to the linux host using the trusted kerberos tickets.

This is my krb5.conf on the linux host:

# krb5.conf as posted (MIT Kerberos syntax: [section] blocks, realm
# stanzas in braces, '#' full-line comments).
# The includedir pulls in every file under the given directory; judging by
# the path this is presumably the directory SSSD writes its domain_realm
# snippets into for trusted domains -- verify on the host.
includedir /var/lib/sss/pubconf/krb5.include.d/
# Where the client libraries, the KDC and kadmind write their logs.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

# Library-wide defaults applied to every realm.
[libdefaults]
 default_realm = IPA.ASENJO.NX
 # Realm is taken from this file / domain_realm, KDCs are found via DNS
 # SRV records.
 dns_lookup_realm = false
 dns_lookup_kdc = true
 # Do not canonicalise service hostnames through reverse DNS.
 rdns = false
 ticket_lifetime = 24h
 # Every TGT obtained through these defaults is forwardable; combined with
 # GSS-API credential delegation on the client this means a copy of the
 # user's TGT ends up on the SSH server. Booleans elsewhere in this file
 # use true/false; 'yes' is accepted by MIT but is inconsistent.
 forwardable = yes

# Per-realm settings; the AD realm is not listed here, so it is presumably
# served by the includedir snippets or by DNS lookup -- confirm.
[realms]
 IPA.ASENJO.NX = {
  kdc = kdc.ipa.asenjo.nx:88
  admin_server = kdc.ipa.asenjo.nx:749
  default_domain = ipa.asenjo.nx
  # CA bundle trusted for PKINIT; same file as ldap_tls_cacert in sssd.conf.
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  # NOTE(review): the RULE below appears split across two lines (most
  # likely mail wrapping). In the real file it must be ONE line:
  #   auth_to_local = RULE:[1:$1@$0](^.*@AD.ASENJO.NX$)s/@AD.ASENJO.NX/@ad.asenjo.nx/
  # It rewrites single-component principals of the AD realm to
  # user@ad.asenjo.nx (lower-cased realm); everything else falls through
  # to DEFAULT. Rules are tried in order, so keep DEFAULT last.
  auth_to_local = RULE:[1:$1@
$0](^.*@AD.ASENJO.NX$)s/@AD.ASENJO.NX/@ad.asenjo.nx/
  auth_to_local = DEFAULT
}

# Host/domain to realm mapping for the IPA realm only; AD mappings are
# presumably supplied via the includedir above -- confirm.
[domain_realm]
 .ipa.asenjo.nx = IPA.ASENJO.NX
 ipa.asenjo.nx = IPA.ASENJO.NX

# KDC database backend (this file is apparently the IPA server's own
# krb5.conf, given the [dbmodules] section).
[dbmodules]
# Disabled kldap backend kept for reference; presumably superseded by the
# ipadb stanza below. Consider deleting it so the active backend is obvious.
#  IPA.ASENJO.NX = {
#    db_library = kldap
#    ldap_servers = ldapi://%2fvar%2frun%2fslapd-IPA-ASENJO-NX.socket
#    ldap_kerberos_container_dn = cn=kerberos,dc=ipa,dc=asenjo,dc=nx
#    ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=ipa,dc=asenjo,dc=nx
#    ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=ipa,dc=asenjo,dc=nx
#    ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
#  }

  # Active backend: the FreeIPA database plugin.
  IPA.ASENJO.NX = {
    db_library = ipadb.so
  }

and in /etc/sssd/sssd.conf

# /etc/sssd/sssd.conf as posted ('#' full-line comments, key = value).
[sssd]
config_file_version = 2
# Responders to start; 'pac' is the one that consumes the MS-PAC carried
# in tickets from the trusted AD realm -- needed for the trust setup.
services = nss, pam, ssh, pac

# Only the IPA domain is listed; AD trusted domains are expected to be
# discovered through subdomains_provider below rather than listed here.
domains = ipa.asenjo.nx
[nss]

[pam]


# IPA-joined domain; all providers point at IPA.
[domain/ipa.asenjo.nx]
# Offline login: keep a hash of the last successful credentials.
cache_credentials = True
# NOTE(review): this additionally keeps the user's password around while
# offline so a TGT can be fetched once the KDC is reachable again. On a
# host that is itself the IPA server (ipa_hostname == ipa_server below)
# offline logon is rarely needed; consider whether this is wanted.
krb5_store_password_if_offline = True
ipa_domain = ipa.asenjo.nx
id_provider = ipa
auth_provider = ipa
access_provider = ipa
# ipa_hostname and ipa_server are the same name, so this config appears to
# live on the IPA server itself -- confirm.
ipa_hostname = kdc.ipa.asenjo.nx
chpass_provider = ipa
ipa_server = kdc.ipa.asenjo.nx
# Same CA file as pkinit_anchors in krb5.conf.
ldap_tls_cacert = /etc/ipa/ca.crt
# Lets SSSD learn the trusted AD domains from IPA.
subdomains_provider = ipa

I restarted the server after this change

Then I created an external group like explained here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-groups.html

And tried logging in using ssh with putty from the windows hosts (using the
login administra...@ad.asenjo.nx, with gss-api credentials delegation).
Unfortunately it keeps asking me for a password for the user
administra...@ad.asenjo.nx@kdc.ipa.asenjo.nx, so it is adding the name of
the linux host to the login name.

Any help greatly appreciated.

-- 
groet,
natxo


--
Groeten,
natxo