Hello,

I now have a working two-way trust between Active Directory
(clients.rdmedia.com) and FreeIPA (i.rdmedia.com). Users from the AD can
authenticate to FreeIPA hosts and the other way around. Great!

Next, I'm trying to achieve passwordless Single Sign-On through GSSAPI for
Windows clients to FreeIPA hosts. This doesn't seem to be working, despite
setting ipa host-mod --ok-as-delegate=TRUE.

To be clear, what I'm trying to do: log in from an AD account (adm.tiemen),
from an AD host (leon.clients.rdmedia.com) to a FreeIPA host
(neodymium.test.ams.i.rdmedia.com) with the same AD account. I expect to be
logged in through GSSAPI; instead I get a password prompt.

Is this supposed to work? Did I miss something?

Below is the SSH log from the FreeIPA host with LogLevel DEBUG3:

May  2 17:10:32 neodymium sshd[572]: debug3: fd 5 is not O_NONBLOCK
May  2 17:10:32 neodymium sshd[572]: debug1: Forked child 752.
May  2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: entering fd
= 8 config len 922
May  2 17:10:32 neodymium sshd[572]: debug3: ssh_msg_send: type 0
May  2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: done
May  2 17:10:32 neodymium sshd[752]: debug3: oom_adjust_restore
May  2 17:10:32 neodymium sshd[752]: Set /proc/self/oom_score_adj to 0
May  2 17:10:32 neodymium sshd[752]: debug1: rexec start in 5 out 5 newsock
5 pipe 7 sock 8
May  2 17:10:32 neodymium sshd[752]: debug1: inetd sockets after dupping:
3, 3
May  2 17:10:32 neodymium sshd[752]: Connection from 192.168.10.155 port
53106 on 192.168.50.63 port 22
May  2 17:10:32 neodymium sshd[752]: debug1: Client protocol version 2.0;
client software version PuTTY_KiTTY
May  2 17:10:32 neodymium sshd[752]: debug1: no match: PuTTY_KiTTY
May  2 17:10:32 neodymium sshd[752]: debug1: Enabling compatibility mode
for protocol 2.0
May  2 17:10:32 neodymium sshd[752]: debug1: Local version string
SSH-2.0-OpenSSH_6.6.1
May  2 17:10:32 neodymium sshd[752]: debug2: fd 3 setting O_NONBLOCK
May  2 17:10:32 neodymium sshd[752]: debug3: ssh_sandbox_init: preparing
rlimit sandbox
May  2 17:10:32 neodymium sshd[752]: debug2: Network child is on pid 753
May  2 17:10:32 neodymium sshd[752]: debug3: preauth child monitor started
May  2 17:10:32 neodymium sshd[752]: debug1: SELinux support disabled
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: privsep user:group 74:74
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug1: permanently_set_uid: 74/74
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug1: list_hostkey_types:
ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type
42 [preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
entering: type 43 [preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
May  2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking request
42
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type
43
May  2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT sent [preauth]
May  2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT received
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,
curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com
,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-...@lysator.liu.se [preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com
,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-...@lysator.liu.se [preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,
umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,
hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,
hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,
umac...@openssh.com,umac-...@openssh.com
,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,
umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,
hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,
hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,
umac...@openssh.com,umac-...@openssh.com
,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,
z...@openssh.com [preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,
z...@openssh.com [preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:  [preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:  [preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
first_kex_follows 0  [preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: reserved 0
 [preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,rsa2048-sha256,rsa1024-sha1,diffie-hellman-group1-sha1
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
aes256-ctr,aes256-cbc,rijndael-...@lysator.liu.se
,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1...@openssh.com,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
aes256-ctr,aes256-cbc,rijndael-...@lysator.liu.se
,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1...@openssh.com,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-...@openssh.com,
hmac-sha1-...@openssh.com,hmac-sha1-96-...@openssh.com,
hmac-md5-...@openssh.com [preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-...@openssh.com,
hmac-sha1-...@openssh.com,hmac-sha1-96-...@openssh.com,
hmac-md5-...@openssh.com [preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,zlib
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,zlib
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:  [preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:  [preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
first_kex_follows 0  [preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: reserved 0
 [preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: mac_setup: setup hmac-sha2-256
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug1: kex: client->server aes256-ctr
hmac-sha2-256 none [preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: mac_setup: setup hmac-sha2-256
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug1: kex: server->client aes256-ctr
hmac-sha2-256 none [preauth]
May  2 17:10:32 neodymium sshd[752]: debug1: kex:
curve25519-sha...@libssh.org need=32 dh_need=32 [preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type
120 [preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
entering: type 121 [preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
May  2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking request
120
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type
121
May  2 17:10:32 neodymium sshd[752]: debug1: kex:
curve25519-sha...@libssh.org need=32 dh_need=32 [preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type
120 [preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
entering: type 121 [preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
May  2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking request
120
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type
121
May  2 17:10:32 neodymium sshd[752]: debug1: expecting
SSH2_MSG_KEX_ECDH_INIT [preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: mm_key_sign entering [preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type
6 [preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: mm_key_sign: waiting for
MONITOR_ANS_SIGN [preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
entering: type 7 [preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
May  2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking request
6
May  2 17:10:32 neodymium sshd[752]: debug3: mm_answer_sign
May  2 17:10:32 neodymium sshd[752]: debug3: mm_answer_sign: signature
0x7f7ea34ed250(83)
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type
7
May  2 17:10:32 neodymium sshd[752]: debug2: monitor_read: 6 used once,
disabling now
May  2 17:10:32 neodymium sshd[752]: debug2: kex_derive_keys [preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: set_newkeys: mode 1 [preauth]
May  2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
May  2 17:10:32 neodymium sshd[752]: debug1: expecting SSH2_MSG_NEWKEYS
[preauth]
May  2 17:10:33 neodymium sshd[752]: debug2: set_newkeys: mode 0 [preauth]
May  2 17:10:33 neodymium sshd[752]: debug1: SSH2_MSG_NEWKEYS received
[preauth]
May  2 17:10:33 neodymium sshd[752]: debug1: KEX done [preauth]
May  2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user
adm.tie...@clients.rdmedia.com service ssh-connection method none [preauth]
May  2 17:10:42 neodymium sshd[752]: debug1: attempt 0 failures 0 [preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_getpwnamallow entering
[preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type
8 [preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_getpwnamallow: waiting for
MONITOR_ANS_PWNAM [preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect
entering: type 9 [preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
[preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
May  2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request
8
May  2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pwnamallow
May  2 17:10:42 neodymium sshd[752]: debug3: Trying to reverse map address
192.168.10.155.
May  2 17:10:42 neodymium sshd[752]: debug2: parse_server_config: config
reprocess config len 922
May  2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pwnamallow: sending
MONITOR_ANS_PWNAM: 1
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type
9
May  2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 8 used once,
disabling now
May  2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request:
setting up authctxt for adm.tie...@clients.rdmedia.com [preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_start_pam entering [preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type
100 [preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_inform_authserv entering
[preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type
4 [preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_inform_authrole entering
[preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type
80 [preauth]
May  2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try
method none [preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: userauth_finish: failure
partial=0 next
methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive"
[preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
May  2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request
100
May  2 17:10:42 neodymium sshd[752]: debug1: PAM: initializing for "
adm.tie...@clients.rdmedia.com"
May  2 17:10:42 neodymium sshd[752]: debug1: PAM: setting PAM_RHOST to
"192.168.10.155"
May  2 17:10:42 neodymium sshd[752]: debug1: PAM: setting PAM_TTY to "ssh"
May  2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 100 used once,
disabling now
May  2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user
adm.tie...@clients.rdmedia.com service ssh-connection method
gssapi-with-mic [preauth]
May  2 17:10:42 neodymium sshd[752]: debug1: attempt 1 failures 0 [preauth]
May  2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try
method gssapi-with-mic [preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type
42 [preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect
entering: type 43 [preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
[preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
May  2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request
4
May  2 17:10:42 neodymium sshd[752]: debug3: mm_answer_authserv:
service=ssh-connection, style=
May  2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 4 used once,
disabling now
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
May  2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request
80
May  2 17:10:42 neodymium sshd[752]: debug3: mm_answer_authrole: role=
May  2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 80 used once,
disabling now
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
May  2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request
42
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type
43
May  2 17:10:42 neodymium sshd[752]: Postponed gssapi-with-mic for
adm.tie...@clients.rdmedia.com from 192.168.10.155 port 53106 ssh2 [preauth]
May  2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user
adm.tie...@clients.rdmedia.com service ssh-connection method
keyboard-interactive [preauth]
May  2 17:10:42 neodymium sshd[752]: debug1: attempt 2 failures 0 [preauth]
May  2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try
method keyboard-interactive [preauth]
May  2 17:10:42 neodymium sshd[752]: debug1: keyboard-interactive devs
 [preauth]
May  2 17:10:42 neodymium sshd[752]: debug1: auth2_challenge: user=
adm.tie...@clients.rdmedia.com devs= [preauth]
May  2 17:10:42 neodymium sshd[752]: debug1: kbdint_alloc: devices 'pam'
[preauth]
May  2 17:10:42 neodymium sshd[752]: debug2: auth2_challenge_start: devices
pam [preauth]
May  2 17:10:42 neodymium sshd[752]: debug2: kbdint_next_device: devices
<empty> [preauth]
May  2 17:10:42 neodymium sshd[752]: debug1: auth2_challenge_start: trying
authentication method 'pam' [preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_init_ctx [preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type
104 [preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_init_ctx: waiting
for MONITOR_ANS_PAM_INIT_CTX [preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect
entering: type 105 [preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
[preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
May  2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request
104
May  2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_init_ctx
May  2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_init_ctx entering
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type
105
May  2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query [preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type
106 [preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query: waiting for
MONITOR_ANS_PAM_QUERY [preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect
entering: type 107 [preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
[preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
May  2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request
106
May  2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_query
May  2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_query entering
May  2 17:10:42 neodymium sshd[752]: debug3: ssh_msg_recv entering
May  2 17:10:42 neodymium sshd[766]: debug3: PAM: sshpam_thread_conv
entering, 1 messages
May  2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_send: type 1
May  2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_recv entering
May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type
107
May  2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query: pam_query
returned 0 [preauth]
May  2 17:10:42 neodymium sshd[752]: Postponed keyboard-interactive for
adm.tie...@clients.rdmedia.com from 192.168.10.155 port 53106 ssh2 [preauth]

-- 
Tiemen Ruiten
Systems Engineer
R&D Media
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
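The quoted sshd trace already answers part of the question, but the answer is spread over a few hundred wrapped lines: sshd proposes the gss-* key-exchange methods but the PuTTY/KiTTY proposal contains none, so gssapi-keyex is off the table; the client then asks for gssapi-with-mic, sshd accepts the mechanism and replies (that is what "Postponed gssapi-with-mic" means: it is now waiting for the client's token), and the very next request from the client is keyboard-interactive, which is where the password prompt comes from. The script below is an added example for this thread, not code from the poster, FreeIPA or OpenSSH. It reconstructs the key-exchange proposals and the userauth sequence from an sshd LogLevel DEBUG3 log and reports those findings. The sample log embedded in it is constructed: it is modelled on the lines quoted above (same host, client address and ports) with the mail line-wrapping undone, and the user name is assembled from the account and domain named in the post rather than copied from the archived, partially masked log.

```python
"""Reconstruct key exchange and userauth from an sshd LogLevel DEBUG3 log.

Added example for the freeipa-users thread above; not the poster's code and
not part of FreeIPA or OpenSSH.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: modelled on the quoted sshd lines with mail wrapping
# undone. The user name combines the account and AD domain named in the post.
SAMPLE_LOG = """\
May  2 17:10:32 neodymium sshd[752]: Connection from 192.168.10.155 port 53106 on 192.168.50.63 port 22
May  2 17:10:32 neodymium sshd[752]: debug1: Client protocol version 2.0; client software version PuTTY_KiTTY
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve25519-sha256@libssh.org,diffie-hellman-group14-sha1 [preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,diffie-hellman-group14-sha1,rsa2048-sha256,diffie-hellman-group1-sha1 [preauth]
May  2 17:10:32 neodymium sshd[752]: debug1: kex: curve25519-sha256@libssh.org need=32 dh_need=32 [preauth]
May  2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user adm.tiemen@clients.rdmedia.com service ssh-connection method none [preauth]
May  2 17:10:42 neodymium sshd[752]: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" [preauth]
May  2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user adm.tiemen@clients.rdmedia.com service ssh-connection method gssapi-with-mic [preauth]
May  2 17:10:42 neodymium sshd[752]: Postponed gssapi-with-mic for adm.tiemen@clients.rdmedia.com from 192.168.10.155 port 53106 ssh2 [preauth]
May  2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user adm.tiemen@clients.rdmedia.com service ssh-connection method keyboard-interactive [preauth]
May  2 17:10:42 neodymium sshd[752]: Postponed keyboard-interactive for adm.tiemen@clients.rdmedia.com from 192.168.10.155 port 53106 ssh2 [preauth]
"""

SYSLOG = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: (?P<msg>.*)$")
CLIENT = re.compile(r"client software version (?P<sw>\S+)")
KEX_LIST = re.compile(r"kex_parse_kexinit: (?P<algs>[^ ]+)")
# Names that only occur in a key-exchange proposal, never in the host-key,
# cipher, MAC or compression lists that kex_parse_kexinit also dumps.
KEX_NAME = re.compile(r"^(gss-|diffie-hellman-|ecdh-sha2-|curve25519-|rsa\d+-)")
NEGOTIATED = re.compile(r"debug1: kex: (?P<alg>\S+) need=")
REQUEST = re.compile(r"userauth-request for user (?P<user>\S+) service \S+ method (?P<method>\S+)")
OFFERED = re.compile(r'next methods="(?P<methods>[^"]*)"')
OUTCOME = re.compile(r"^(?P<outcome>Accepted|Failed|Postponed) (?P<method>[\w-]+) for (?P<user>\S+)")


@dataclass
class AuthTrace:
    client_software: str = ""
    user: str = ""
    server_kex: list = field(default_factory=list)
    client_kex: list = field(default_factory=list)
    negotiated_kex: str = ""
    offered_methods: list = field(default_factory=list)
    requests: list = field(default_factory=list)   # methods in the order the client tried them
    outcomes: list = field(default_factory=list)   # (method, Accepted|Failed|Postponed)


def parse_sshd_log(text):
    """Build an AuthTrace from sshd syslog lines; wrapped continuations are skipped."""
    trace = AuthTrace()
    for raw in text.splitlines():
        m = SYSLOG.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        c = CLIENT.search(msg)
        if c:
            trace.client_software = c.group("sw")
            continue
        k = KEX_LIST.search(msg)
        if k:
            algs = [a for a in k.group("algs").split(",") if a]
            # sshd dumps its own proposal before the client's.
            if any(KEX_NAME.match(a) for a in algs):
                if not trace.server_kex:
                    trace.server_kex = algs
                elif not trace.client_kex:
                    trace.client_kex = algs
            continue
        n = NEGOTIATED.search(msg)
        if n:
            trace.negotiated_kex = n.group("alg")
            continue
        r = REQUEST.search(msg)
        if r:
            trace.user = r.group("user")
            trace.requests.append(r.group("method"))
            continue
        o = OFFERED.search(msg)
        if o:
            trace.offered_methods = o.group("methods").split(",")
            continue
        o = OUTCOME.match(msg)
        if o:
            trace.outcomes.append((o.group("method"), o.group("outcome")))
    return trace


def diagnose(trace):
    """Explain, from the trace alone, whether GSSAPI carried the login and where it stopped."""
    findings = []
    server_gss = [a for a in trace.server_kex if a.startswith("gss-")]
    if server_gss and not any(a in trace.client_kex for a in server_gss):
        findings.append(
            "gssapi-keyex not possible: sshd proposed %d gss-* key-exchange method(s) but %s "
            "proposed none, so plain %s was negotiated"
            % (len(server_gss), trace.client_software or "the client", trace.negotiated_kex))
    if "gssapi-with-mic" in trace.requests:
        gss_outcomes = [out for meth, out in trace.outcomes if meth == "gssapi-with-mic"]
        if "Accepted" in gss_outcomes:
            findings.append("gssapi-with-mic accepted: the login was passwordless")
        else:
            after = trace.requests[trace.requests.index("gssapi-with-mic") + 1:]
            findings.append(
                "gssapi-with-mic reached '%s' but never 'Accepted'; the client then fell back to %s"
                % ("/".join(gss_outcomes) or "no outcome", after[0] if after else "nothing"))
    elif "gssapi-with-mic" in trace.offered_methods:
        findings.append("sshd offers gssapi-with-mic but the client never tried it")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_sshd_log(SAMPLE_LOG)):
        print(finding)
```

For a real log, pass the contents of the journal or /var/log/secure to parse_sshd_log; lines that the mail client or syslog wrapped onto a second physical line are ignored, so unwrap them first if the kex proposals matter. Two caveats worth keeping in mind when reading the output: "Postponed" is sshd's word for "this method needs more packets", so a postponed gssapi-with-mic followed by a keyboard-interactive request means the client gave up on the token exchange, and the reason for that lives in the client's log, not in sshd's. And the host's ok-as-delegate attribute only sets the OK-AS-DELEGATE flag on tickets issued for that host, which tells clients that forwarding credentials to it is acceptable; it has no bearing on whether the client can obtain and present a service ticket for host/<fqdn> in the first place.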