On Wed, 07 Sep 2016, Troels Hansen wrote:
When logging in, putty only shows:
Using username "drext...@net.dr.dk".
drext...@net.dr.dk@rhel02udv.linux.dr.dk's password:

Putty log shows it's only using SSPI, secur32.dll for GSSAPI, but fails:

Event Log: Using SSPI from SECUR32.DLL
Event Log: Attempting GSSAPI authentication
Outgoing packet #0x6, type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST)
00000000 00 00 00 12 64 72 65 78 74 72 68 61 40 6e 65 74 ....drextrha@net
00000010 2e 64 72 2e 64 6b 00 00 00 0e 73 73 68 2d 63 6f .dr.dk....ssh-co
00000020 6e 6e 65 63 74 69 6f 6e 00 00 00 0f 67 73 73 61 nnection....gssa
00000030 70 69 2d 77 69 74 68 2d 6d 69 63 00 00 00 01 00 pi-with-mic.....
00000040 00 00 0b 06 09 2a 86 48 86 f7 12 01 02 02 .....*.H......
Incoming packet #0x6, type 60 / 0x3c (SSH2_MSG_USERAUTH_GSSAPI_RESPONSE)
00000000 00 00 00 0b 06 09 2a 86 48 86 f7 12 01 02 02 ......*.H......
Event Log: GSSAPI authentication initialisation failed
Event Log: The target was not recognized.

"Target was not recognized" means AD DC doesn't know that
rhel02edv.linux.dr.dk belongs to LINUX.DR.DK realm and thus has to
forward the authentication requests there.

What do you have in the trust properties on AD side? Specifically, what
does name routing suffixes show there?


----- On Sep 7, 2016, at 9:27 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:

On Wed, 07 Sep 2016, Troels Hansen wrote:

Running RHEL 7.2, IPA 4.2 and SSSD 1.13, we have set up an IPA-AD trust
and are trying to get Putty GSSAPI login to work. In Putty, GSSAPI has
been enabled, and GSSAPI is enabled in sshd.

Logging in using password from Windows to Linux works, and logging in
from Linux to Linux using kerberos works.

AD trust is as follows:

# ipa trust-find
----------------
2 trusts matched
----------------
Realm name: net.dr.dk
Domain NetBIOS name: NET
Domain Security Identifier: S-1-5-21-xxxxxxxxx-xxxxxxxx-xxxxxxxx

Realm name: place.dr.dk
Domain NetBIOS name: PLACE
Domain Security Identifier: S-1-5-21-xxxxxx-xxxxxx-xxxxxxx
Trust type: Active Directory domain
----------------------------
Number of entries returned 2
----------------------------

# ipa trust-show place.dr.dk
Realm name: place.dr.dk
Domain NetBIOS name: PLACE
Domain Security Identifier: S-1-5-21-xxxx-xxxx-xxxxx
Trust direction: Trusting forest
Trust type: Active Directory domain

# ipa trust-show net.dr.dk
Realm name: net.dr.dk
Domain NetBIOS name: NET
Domain Security Identifier: S-1-5-21-xxxxxxxxxxxxx-xxxxxxxxxxxx-xxxxxxxxxx

Users are located in net.dr.dk.

From looking at the docs this should just work... However, can't get
it to work. Am I missing something?

Make screenshots of PuTTY screens showing what you configured and what
does not work. You can also ask PuTTY to generate logs.

--
/ Alexander Bokovoy

--

Kind regards

Troels Hansen

System Consultant

Casalogic A/S

T (+45) 70 20 10 63

M (+45) 22 43 71 57
Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and
much more.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


--
/ Alexander Bokovoy
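
Decoding the two packets from the PuTTY log in this thread, as an added example that is not part of the original messages: the payloads follow the gssapi-with-mic layout of RFC 4462, and both carry the DER OID 1.2.840.113554.1.2.2 (Kerberos V5), so client and server had agreed on the mechanism before the SSPI initialisation failed. The function names are illustrative.

```python
# Payloads copied from the PuTTY log quoted above (packet type byte not included).
REQUEST = bytes.fromhex(
    "00 00 00 12 64 72 65 78 74 72 68 61 40 6e 65 74 "
    "2e 64 72 2e 64 6b 00 00 00 0e 73 73 68 2d 63 6f "
    "6e 6e 65 63 74 69 6f 6e 00 00 00 0f 67 73 73 61 "
    "70 69 2d 77 69 74 68 2d 6d 69 63 00 00 00 01 00 "
    "00 00 0b 06 09 2a 86 48 86 f7 12 01 02 02")
RESPONSE = bytes.fromhex("00 00 00 0b 06 09 2a 86 48 86 f7 12 01 02 02")

def read_string(buf, off):
    """SSH 'string': uint32 big-endian length followed by that many bytes."""
    end = off + 4 + int.from_bytes(buf[off:off + 4], "big")
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:end], end

def decode_der_oid(der):
    """DER OID (tag 0x06, short-form length) to dotted-decimal text."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2 or der[-1] & 0x80:
        raise ValueError("malformed DER OID")
    arcs, value = [], 0
    for b in der[2:]:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit means "more follows"
        if not b & 0x80:
            arcs.append(value)
            value = 0
    top = min(arcs[0] // 40, 2)             # the first two arcs share one value
    return ".".join(map(str, [top, arcs[0] - 40 * top] + arcs[1:]))

def parse_userauth_request(payload):
    """Return (user, service, offered mechanism OIDs) of a gssapi-with-mic request."""
    user, off = read_string(payload, 0)
    service, off = read_string(payload, off)
    method, off = read_string(payload, off)
    if method != b"gssapi-with-mic" or off + 4 > len(payload):
        raise ValueError("not a complete gssapi-with-mic request")
    count = int.from_bytes(payload[off:off + 4], "big")
    off, mechs = off + 4, []
    for _ in range(count):
        der, off = read_string(payload, off)
        mechs.append(decode_der_oid(der))
    return user.decode(), service.decode(), mechs

def parse_gssapi_response(payload):
    """Return the mechanism OID the server selected (message type 60)."""
    return decode_der_oid(read_string(payload, 0)[0])

if __name__ == "__main__":
    print(parse_userauth_request(REQUEST), "->", parse_gssapi_response(RESPONSE))
```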
