On 03/19/2015 07:55 PM, nat...@nathanpeters.com wrote:
I have finally gotten all of my Solaris servers to accept AD users but the
behavior is inconsistent.

In my FreeIPA domain, I can login to a Linux server and then ssh to the
Solaris server and I am automatically logged in because of my Kerberos
ticket (I assume).

But when I ssh from the first Solaris machine to the 2nd I am prompted for
a password instead of being automatically signed in.  The strange thing is
that it doesn't matter which machine I login to first, it's only the 2nd
hop that asks for a password.

Below is my console recording.  ipaclient1 is Linux, ipaclient5 and
ipaclient6 are Solaris.
Login from Linux -> Solaris 1 works without password
Login from Linux -> Solaris 2 works without password
Login from Solaris 1 -> Solaris 2 prompts
Login from Solaris 2 -> Solaris 1 prompts.

Assuming that you have:
IPA and AD in trust, and the Solaris boxes configured against the IPA compat tree, then it would be the expected behavior.

SSO is possible only with Kerberos.
Your authentication on Linux is against AD (through trust) so you get a Kerberos ticket. If you issued keytabs for your Solaris systems and configured SSH to use GSSAPI then SSH would provide SSO as you describe from Linux to Solaris. But once you log in to a Solaris box you do not have a Kerberos ticket because it is an LDAP authentication.

You would ask what can be done about it?
Not much. To have SSO you would need to have one of the latest Kerberos versions and something like SSSD on Solaris. It does not exist and Oracle is not eager to create one.

Bottom line... move to Linux :-)


Any ideas?

---- snip ----
login as: nathan.peters
nathan.peters@10.21.19.12's password:
Last login: Thu Mar 19 16:42:27 2015 from 10.5.5.57
[nathan.pet...@datacenter.mydomain.net@ipaclient1-sandbox-atdev-van ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1539201103_L8tfu1
Default principal: nathan.pet...@datacenter.mydomain.net

Valid starting     Expires            Service principal
03/19/15 16:44:27  03/20/15 02:44:16
krbtgt/datacenter.mydomain....@datacenter.mydomain.net
         renew until 03/20/15 16:44:27
[nathan.pet...@datacenter.mydomain.net@ipaclient1-sandbox-atdev-van ~]$
ssh ipaclient5-sandbox-atdev-van
Last login: Thu Mar 19 23:43:24 2015 from 10.21.19.12
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
[11:45 PM] ipaclient5-sandbox-atdev-van:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1539201103
Default principal: nathan.pet...@datacenter.mydomain.net

Valid starting                Expires                Service principal
03/19/15 23:40:06  03/20/15 09:39:23
krbtgt/datacenter.mydomain....@datacenter.mydomain.net
         renew until 03/26/15 23:40:06
[11:45 PM] ipaclient5-sandbox-atdev-van:~$ ssh ipaclient6-sandbox-atdev-van
Password:
Last login: Thu Mar 19 16:40:49 2015 from ipaclient5-sand
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
-bash-3.00$ klist
klist: No credentials cache file found (ticket cache
FILE:/tmp/krb5cc_1539201103)
-bash-3.00$ exit
logout
Connection to ipaclient6-sandbox-atdev-van closed.
[11:48 PM] ipaclient5-sandbox-atdev-van:~$ exit
logout
Connection to ipaclient5-sandbox-atdev-van closed.
[nathan.pet...@datacenter.mydomain.net@ipaclient1-sandbox-atdev-van ~]$
ssh ipaclient6-sandbox-atdev-van
Last login: Thu Mar 19 16:45:50 2015 from ipaclient5-sand
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
-bash-3.00$ klist
klist: No credentials cache file found (ticket cache
FILE:/tmp/krb5cc_1539201103)
-bash-3.00$ ssh ipaclient5-sandbox-atdev-van
The authenticity of host 'ipaclient5-sandbox-atdev-van (10.21.19.16)'
can't be established.
RSA key fingerprint is b0:65:8d:c6:82:78:c2:7f:60:16:d0:6a:30:c0:09:a1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ipaclient5-sandbox-atdev-van,10.21.19.16'
(RSA) to the list of known hosts.
Password:
Last login: Thu Mar 19 23:45:19 2015 from 10.21.19.12
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
[11:49 PM] ipaclient5-sandbox-atdev-van:~$





--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
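
The reply above lists the conditions a hop needs for password-less SSH: a Kerberos TGT on the client side, GSSAPI enabled in both the ssh client and sshd, and a host keytab on the server; and it points out that an LDAP password login leaves no ticket behind for the next hop. The following checker is an added example, not code from the thread or from FreeIPA: it takes text captured from the two hosts (klist output, ssh_config, sshd_config, a `klist -k` keytab listing) and reports why a hop would or would not get SSO, and whether the session on the server would hold a forwarded ticket for the hop after it. The realm DATACENTER.MYDOMAIN.NET, the FQDNs, the principal "alice" and all sample inputs are constructed assumptions modelled on the thread.

```python
# Added example (not from the thread): classify why an SSH hop gets, or does not
# get, Kerberos single sign-on, using text captured from the hosts so it runs offline.
import re

REALM = "DATACENTER.MYDOMAIN.NET"  # assumed realm, upper-cased from the thread's domain


def parse_ssh_config(text):
    """Return {keyword_lower: value}; first occurrence wins, as OpenSSH does."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def has_valid_tgt(klist_output, realm=REALM):
    """True when klist shows a TGT (krbtgt/REALM@REALM) in the credential cache."""
    if "No credentials cache" in klist_output:
        return False
    return f"krbtgt/{realm}@{realm}" in klist_output


def has_host_key(keytab_listing, hostname, realm=REALM):
    """True when the `klist -k` listing contains host/<fqdn>@REALM for this server."""
    return f"host/{hostname}@{realm}" in keytab_listing


def diagnose_hop(client_klist, client_ssh_config, server_sshd_config, server_keytab, server_host):
    """Return (sso_possible, reasons, ticket_forwarded_to_server).

    OpenSSH defaults GSSAPIAuthentication and GSSAPIDelegateCredentials to "no",
    so a missing keyword counts as off.
    """
    reasons = []
    cconf = parse_ssh_config(client_ssh_config)
    sconf = parse_ssh_config(server_sshd_config)
    if not has_valid_tgt(client_klist):
        reasons.append("no Kerberos TGT in the client's credential cache (typical after an "
                       "LDAP password login, or when the previous hop did not delegate)")
    if cconf.get("gssapiauthentication", "no").lower() != "yes":
        reasons.append("ssh client has GSSAPIAuthentication off")
    if sconf.get("gssapiauthentication", "no").lower() != "yes":
        reasons.append("sshd on the server has GSSAPIAuthentication off")
    if not has_host_key(server_keytab, server_host):
        reasons.append(f"server keytab has no host/{server_host}@{REALM} entry")
    sso = not reasons
    # A password-less login alone does not seed the next hop: the TGT must be forwarded.
    forwarded = sso and cconf.get("gssapidelegatecredentials", "no").lower() == "yes"
    if sso and not forwarded:
        reasons.append("login is password-less, but GSSAPIDelegateCredentials is off, so the "
                       "server session gets no ticket for the next hop")
    return sso, reasons, forwarded


# ---- constructed sample inputs (assumptions, modelled on the thread) ----
SOLARIS6_FQDN = "ipaclient6-sandbox-atdev-van.datacenter.mydomain.net"
LINUX_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1539201103
Default principal: alice@DATACENTER.MYDOMAIN.NET

Valid starting     Expires            Service principal
03/19/15 16:44:27  03/20/15 02:44:16  krbtgt/DATACENTER.MYDOMAIN.NET@DATACENTER.MYDOMAIN.NET
"""
NO_TICKET_KLIST = "klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_1539201103)"
CLIENT_CONFIG_SSO = "Host *\n    GSSAPIAuthentication yes\n    GSSAPIDelegateCredentials yes\n"
CLIENT_CONFIG_NO_DELEGATE = "Host *\n    GSSAPIAuthentication yes\n"
SERVER_SSHD_CONFIG = "# constructed sshd_config fragment\nGSSAPIAuthentication yes\nPasswordAuthentication yes\n"
KEYTAB_SOLARIS6 = f"""Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   2 host/{SOLARIS6_FQDN}@DATACENTER.MYDOMAIN.NET
"""

if __name__ == "__main__":
    # Linux (has TGT) -> Solaris: password-less, and the session keeps a forwarded TGT.
    print(diagnose_hop(LINUX_KLIST, CLIENT_CONFIG_SSO, SERVER_SSHD_CONFIG, KEYTAB_SOLARIS6, SOLARIS6_FQDN))
    # Solaris after an LDAP password login (no cache) -> Solaris: prompts for a password.
    print(diagnose_hop(NO_TICKET_KLIST, CLIENT_CONFIG_SSO, SERVER_SSHD_CONFIG, KEYTAB_SOLARIS6, SOLARIS6_FQDN))
```

Run it on captured text from each hop in the chain; the first hop that reports "no Kerberos TGT" is where the chain breaks, and the "GSSAPIDelegateCredentials is off" reason shows a hop that logs in cleanly but leaves nothing behind for the next one.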

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project