I must be missing something really obvious.

Our IPA server is set up in the usual way on CentOS 7.2, just a “yum
install ipa-server” and then an “ipa-server-install.” DNS is set up
correctly and is working.

I’ve got a handful of CentOS 7.2 servers configured as IPA clients — “yum
install ipa-client”, “ipa-client-install.” Auto-detection of the realm,
domain and server was normal.

But k5login is not working as expected. If I have this .k5login file in the
admin user’s home directory on server A:


I would expect to be able to do this:

kinit al...@charlietango.com
ssh -K admin@serverA

from anywhere in the Kerberos realm. Instead my credentials get rejected
and I’m asked for the admin user’s password.

It feels like sshd on the server isn’t even looking at k5login. (I also
tried k5users; same result.)

The permissions on .k5login are correct. I tried it with SELinux off as
well just in case that was it.

What blindingly obvious thing have I overlooked?

