On Tue, 26 May 2015, Leszek Miś wrote:
Hi Alexander,
thank you for your fast reply.

I've already executed: # ipa host-mod --ok-as-delegate=TRUE but still can't
log in using GSSAPI to ipa clients.

Please find answers below:
1. Yes, logging to Linux IPA Client (CentOS 6.6) without entering password
is not working from AD-joined Windows station with PuTTY. Logging to IPA
Master server without entering password (using gssapi) works ok.
2. -
3. Logging in to ipa clients from AD-joined Windows station with PuTTY
(0.64) always requires password and then Kerberos ticket is available in
the shell.

After I changed loglevel in /etc/sshd/sshd_config on ipa client to LogLevel
Debug I found in /var/log/secure:
....
debug1: userauth-request for user leszek service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "leszek"
...
debug1: Postponed gssapi-with-mic for leszek from X.X.X.X
debug1: Got no client credentials
Failed gssapi-with-mic for user leszek

After entering password and logging to system I found this in
/var/log/secure:
...
debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism

Can you provide a full log level DEBUG3 off the list?
I'm a bit busy so it will take some time to respond.

/var/log/sssd/sssd_domain.log
...
[ipa_subdom_get_forest] (0x0400: 4th component is not 'trust', nothing to
do.
...

This can be ignored, it is SSSD internal debug output, not related to
your issues.

--
/ Alexander Bokovoy
