subject:"\[Freeipa\-users\] GSSAPI authentication from trusted AD domain"

Re: [Freeipa-users] GSSAPI authentication from trusted AD domain

2017-05-05 Thread Sumit Bose

On Wed, May 03, 2017 at 11:28:18AM +0200, Tiemen Ruiten wrote:
> Tickets on the FreeIPA host after connecting (with a password):
> 
> [adm.tie...@clients.rdmedia.com@neodymium ~]$ klist
> Ticket cache: KEYRING:persistent:998801112:krb_ccache_ZzERoB1
> Default principal: adm.tie...@clients.rdmedia.com
> 
> Valid starting   Expires  Service principal
> 05/03/2017 11:26:03  05/03/2017 21:26:03  krbtgt/
> clients.rdmedia@clients.rdmedia.com
> renew until 05/04/2017 11:26:03
> 
> 
> 
> Tickets on the AD laptop after a connection attempt:
> 
> C:\Users\adm.tiemen.CLIENTS>klist
> 
> Current LogonId is 0:0x587aa
> 
> Cached Tickets: (2)
> 
> #0> Client: adm.tiemen @ CLIENTS.RDMEDIA.COM
> Server: krbtgt/CLIENTS.RDMEDIA.COM @ CLIENTS.RDMEDIA.COM
> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
> Ticket Flags 0x40e1 -> forwardable renewable initial
> pre_authent name_canonicalize
> Start Time: 5/3/2017 11:12:46 (local)
> End Time:   5/3/2017 21:12:46 (local)
> Renew Time: 5/10/2017 11:12:46 (local)
> Session Key Type: AES-256-CTS-HMAC-SHA1-96
> Cache Flags: 0x1 -> PRIMARY
> Kdc Called: vm-win-01.clients.rdmedia.com
> 
> #1> Client: adm.tiemen @ CLIENTS.RDMEDIA.COM
> Server: LDAP/vm-win-01.clients.rdmedia.com/clients.rdmedia.com @
> CLIENTS.RDMEDIA.COM
> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
> Ticket Flags 0x40a5 -> forwardable renewable pre_authent
> ok_as_delegate name_canonicalize
> Start Time: 5/3/2017 11:12:46 (local)
> End Time:   5/3/2017 21:12:46 (local)
> Renew Time: 5/10/2017 11:12:46 (local)
> Session Key Type: AES-256-CTS-HMAC-SHA1-96
> Cache Flags: 0
> Kdc Called: vm-win-01.clients.rdmedia.com

There is no ticket for
host/neodymium.test.ams.i.rdmedia@test.ams.i.rdmedia.com
nor a cross-realm ticket
krbtgt/test.ams.i.rdmedia@clients.rdmedia.com

So it looks the ssh client in the Windows host didn't try to get a
Kerberos ticket for the IPA client. Did you use the FQDN
neodymium.test.ams.i.rdmedia.com when trying to connect to the IPA
client?

According to the logs it looks like you are using kitty, have you tried
to use putty?

bye,
Sumit

> 
> 
> 
> 
> On 2 May 2017 at 19:45, Tiemen Ruiten  wrote:
> 
> > It's a CentOS 7.3 host, the version of sssd is 1.14.0, so there's no need
> > for mapping. However on the AD host:
> >
> > Microsoft Windows [Version 6.3.9600]
> >
> > (c) 2013 Microsoft Corporation. All rights reserved.
> >
> >
> > adm.tiemen@VM-WIN-01 C:\Users\adm.tiemen>klist
> >
> >
> > Current LogonId is 0:0x603b58
> >
> >
> > Cached Tickets: (0)
> >
> >
> > adm.tiemen@VM-WIN-01 C:\Users\adm.tiemen>
> >
> > Note that this is the domain controller and I'm logged in using the
> > experimental Win32-OpenSSH server. Not sure if that makes a difference. I
> > am not currently in the office, so unfortunately can't turn on the only
> > joined laptop in this domain.
> >
> > How can I ensure a proper ticket is generated?
> >
> > On 2 May 2017 at 18:25, Sumit Bose  wrote:
> >
> >> On Tue, May 02, 2017 at 05:46:34PM +0200, Tiemen Ruiten wrote:
> >> > I think I just realised that my expectation may be wrong: GSSAPI login
> >> with
> >> > a FreeIPA user logged in on an AD host to a FreeIPA host works. So is it
> >> > correct to also expect passwordless login with an AD user to a FreeIPA
> >> host?
> >>
> >> The AD user case should work as well.
> >>
> >> First please send the SSSD version you use on the IPA client,
> >> alternatively you can check if
> >> /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exists or not. This
> >> would tell if SSSD can map the user name to the Kerberos principal of if
> >> additional configuration is needed.
> >>
> >> On the AD host please check after trying to connect with ssh if there is
> >> a proper service ticket for the IPA client by calling 'klist' in cmd.exe
> >> or PowerShell.
> >>
> >> bye,
> >> Sumit
> >>
> >> >
> >> > On 2 May 2017 at 17:40, Jason B. Nance  wrote:
> >> >
> >> > > Hi Tiemen,
> >> > >
> >> > > To be clear, what I'm trying to do: log in from an AD account
> >> > > (adm.tiemen), from an AD host (leon.clients.rdmedia.com) to a FreeIPA
> >> > > host (neodymium.test.ams.i.rdmedia.com) with the same AD account. I
> >> > > expect to be logged in through GSSAPI, instead I get a password
> >> prompt.
> >> > >
> >> > > I'm assuming that you are coming from a Windows client that is domain
> >> > > joined and logged into that Windows client with the same domain
> >> credentials
> >> > > that you are using to connect to the IPA-joined host.  Do you also
> >> have
> >> > > your SSH client configured to attempt GSSAPI?  It appears that you do
> >> from
> >> > > the logs you provided but I'm just double-checking.
> >> > >
> >> > > In my setup I've found that this feature does not work all of the
> >> time.
> >> > > I've not yet been able to track it down a

Re: [Freeipa-users] GSSAPI authentication from trusted AD domain

2017-05-03 Thread Tiemen Ruiten

Tickets on the FreeIPA host after connecting (with a password):

[adm.tie...@clients.rdmedia.com@neodymium ~]$ klist
Ticket cache: KEYRING:persistent:998801112:krb_ccache_ZzERoB1
Default principal: adm.tie...@clients.rdmedia.com

Valid starting   Expires  Service principal
05/03/2017 11:26:03  05/03/2017 21:26:03  krbtgt/
clients.rdmedia@clients.rdmedia.com
renew until 05/04/2017 11:26:03



Tickets on the AD laptop after a connection attempt:

C:\Users\adm.tiemen.CLIENTS>klist

Current LogonId is 0:0x587aa

Cached Tickets: (2)

#0> Client: adm.tiemen @ CLIENTS.RDMEDIA.COM
Server: krbtgt/CLIENTS.RDMEDIA.COM @ CLIENTS.RDMEDIA.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e1 -> forwardable renewable initial
pre_authent name_canonicalize
Start Time: 5/3/2017 11:12:46 (local)
End Time:   5/3/2017 21:12:46 (local)
Renew Time: 5/10/2017 11:12:46 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: vm-win-01.clients.rdmedia.com

#1> Client: adm.tiemen @ CLIENTS.RDMEDIA.COM
Server: LDAP/vm-win-01.clients.rdmedia.com/clients.rdmedia.com @
CLIENTS.RDMEDIA.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a5 -> forwardable renewable pre_authent
ok_as_delegate name_canonicalize
Start Time: 5/3/2017 11:12:46 (local)
End Time:   5/3/2017 21:12:46 (local)
Renew Time: 5/10/2017 11:12:46 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: vm-win-01.clients.rdmedia.com




On 2 May 2017 at 19:45, Tiemen Ruiten  wrote:

> It's a CentOS 7.3 host, the version of sssd is 1.14.0, so there's no need
> for mapping. However on the AD host:
>
> Microsoft Windows [Version 6.3.9600]
>
> (c) 2013 Microsoft Corporation. All rights reserved.
>
>
> adm.tiemen@VM-WIN-01 C:\Users\adm.tiemen>klist
>
>
> Current LogonId is 0:0x603b58
>
>
> Cached Tickets: (0)
>
>
> adm.tiemen@VM-WIN-01 C:\Users\adm.tiemen>
>
> Note that this is the domain controller and I'm logged in using the
> experimental Win32-OpenSSH server. Not sure if that makes a difference. I
> am not currently in the office, so unfortunately can't turn on the only
> joined laptop in this domain.
>
> How can I ensure a proper ticket is generated?
>
> On 2 May 2017 at 18:25, Sumit Bose  wrote:
>
>> On Tue, May 02, 2017 at 05:46:34PM +0200, Tiemen Ruiten wrote:
>> > I think I just realised that my expectation may be wrong: GSSAPI login
>> with
>> > a FreeIPA user logged in on an AD host to a FreeIPA host works. So is it
>> > correct to also expect passwordless login with an AD user to a FreeIPA
>> host?
>>
>> The AD user case should work as well.
>>
>> First please send the SSSD version you use on the IPA client,
>> alternatively you can check if
>> /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exists or not. This
>> would tell if SSSD can map the user name to the Kerberos principal of if
>> additional configuration is needed.
>>
>> On the AD host please check after trying to connect with ssh if there is
>> a proper service ticket for the IPA client by calling 'klist' in cmd.exe
>> or PowerShell.
>>
>> bye,
>> Sumit
>>
>> >
>> > On 2 May 2017 at 17:40, Jason B. Nance  wrote:
>> >
>> > > Hi Tiemen,
>> > >
>> > > To be clear, what I'm trying to do: log in from an AD account
>> > > (adm.tiemen), from an AD host (leon.clients.rdmedia.com) to a FreeIPA
>> > > host (neodymium.test.ams.i.rdmedia.com) with the same AD account. I
>> > > expect to be logged in through GSSAPI, instead I get a password
>> prompt.
>> > >
>> > > I'm assuming that you are coming from a Windows client that is domain
>> > > joined and logged into that Windows client with the same domain
>> credentials
>> > > that you are using to connect to the IPA-joined host.  Do you also
>> have
>> > > your SSH client configured to attempt GSSAPI?  It appears that you do
>> from
>> > > the logs you provided but I'm just double-checking.
>> > >
>> > > In my setup I've found that this feature does not work all of the
>> time.
>> > > I've not yet been able to track it down and I'm assuming it has
>> something
>> > > to do with connections to domain controllers timing out, but at this
>> point
>> > > that is speculation.
>> > >
>> > > So to answer your question, yes, that should work.  Sorry I don't have
>> > > more information for you, I guess I'm basically "me too"ing your post.
>> > >
>> > > Regards,
>> > >
>> > > j
>> > >
>> > > Is this supposed to work? Did I miss something?
>> > >
>> > > Below the SSH log from the FreeIPA host with LogLevel DEBUG3:
>> > >
>> > > May  2 17:10:32 neodymium sshd[572]: debug3: fd 5 is not O_NONBLOCK
>> > > May  2 17:10:32 neodymium sshd[572]: debug1: Forked child 752.
>> > > May  2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state:
>> entering fd
>> > > = 8 config len 922
>> > > May  2 17:10

Re: [Freeipa-users] GSSAPI authentication from trusted AD domain

2017-05-02 Thread Tiemen Ruiten

It's a CentOS 7.3 host, the version of sssd is 1.14.0, so there's no need
for mapping. However on the AD host:

Microsoft Windows [Version 6.3.9600]

(c) 2013 Microsoft Corporation. All rights reserved.


adm.tiemen@VM-WIN-01 C:\Users\adm.tiemen>klist


Current LogonId is 0:0x603b58


Cached Tickets: (0)


adm.tiemen@VM-WIN-01 C:\Users\adm.tiemen>

Note that this is the domain controller and I'm logged in using the
experimental Win32-OpenSSH server. Not sure if that makes a difference. I
am not currently in the office, so unfortunately can't turn on the only
joined laptop in this domain.

How can I ensure a proper ticket is generated?

On 2 May 2017 at 18:25, Sumit Bose  wrote:

> On Tue, May 02, 2017 at 05:46:34PM +0200, Tiemen Ruiten wrote:
> > I think I just realised that my expectation may be wrong: GSSAPI login
> with
> > a FreeIPA user logged in on an AD host to a FreeIPA host works. So is it
> > correct to also expect passwordless login with an AD user to a FreeIPA
> host?
>
> The AD user case should work as well.
>
> First please send the SSSD version you use on the IPA client,
> alternatively you can check if
> /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exists or not. This
> would tell if SSSD can map the user name to the Kerberos principal of if
> additional configuration is needed.
>
> On the AD host please check after trying to connect with ssh if there is
> a proper service ticket for the IPA client by calling 'klist' in cmd.exe
> or PowerShell.
>
> bye,
> Sumit
>
> >
> > On 2 May 2017 at 17:40, Jason B. Nance  wrote:
> >
> > > Hi Tiemen,
> > >
> > > To be clear, what I'm trying to do: log in from an AD account
> > > (adm.tiemen), from an AD host (leon.clients.rdmedia.com) to a FreeIPA
> > > host (neodymium.test.ams.i.rdmedia.com) with the same AD account. I
> > > expect to be logged in through GSSAPI, instead I get a password prompt.
> > >
> > > I'm assuming that you are coming from a Windows client that is domain
> > > joined and logged into that Windows client with the same domain
> credentials
> > > that you are using to connect to the IPA-joined host.  Do you also have
> > > your SSH client configured to attempt GSSAPI?  It appears that you do
> from
> > > the logs you provided but I'm just double-checking.
> > >
> > > In my setup I've found that this feature does not work all of the time.
> > > I've not yet been able to track it down and I'm assuming it has
> something
> > > to do with connections to domain controllers timing out, but at this
> point
> > > that is speculation.
> > >
> > > So to answer your question, yes, that should work.  Sorry I don't have
> > > more information for you, I guess I'm basically "me too"ing your post.
> > >
> > > Regards,
> > >
> > > j
> > >
> > > Is this supposed to work? Did I miss something?
> > >
> > > Below the SSH log from the FreeIPA host with LogLevel DEBUG3:
> > >
> > > May  2 17:10:32 neodymium sshd[572]: debug3: fd 5 is not O_NONBLOCK
> > > May  2 17:10:32 neodymium sshd[572]: debug1: Forked child 752.
> > > May  2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state:
> entering fd
> > > = 8 config len 922
> > > May  2 17:10:32 neodymium sshd[572]: debug3: ssh_msg_send: type 0
> > > May  2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: done
> > > May  2 17:10:32 neodymium sshd[752]: debug3: oom_adjust_restore
> > > May  2 17:10:32 neodymium sshd[752]: Set /proc/self/oom_score_adj to 0
> > > May  2 17:10:32 neodymium sshd[752]: debug1: rexec start in 5 out 5
> > > newsock 5 pipe 7 sock 8
> > > May  2 17:10:32 neodymium sshd[752]: debug1: inetd sockets after
> dupping:
> > > 3, 3
> > > May  2 17:10:32 neodymium sshd[752]: Connection from 192.168.10.155
> port
> > > 53106 on 192.168.50.63 port 22
> > > May  2 17:10:32 neodymium sshd[752]: debug1: Client protocol version
> 2.0;
> > > client software version PuTTY_KiTTY
> > > May  2 17:10:32 neodymium sshd[752]: debug1: no match: PuTTY_KiTTY
> > > May  2 17:10:32 neodymium sshd[752]: debug1: Enabling compatibility
> mode
> > > for protocol 2.0
> > > May  2 17:10:32 neodymium sshd[752]: debug1: Local version string
> > > SSH-2.0-OpenSSH_6.6.1
> > > May  2 17:10:32 neodymium sshd[752]: debug2: fd 3 setting O_NONBLOCK
> > > May  2 17:10:32 neodymium sshd[752]: debug3: ssh_sandbox_init:
> preparing
> > > rlimit sandbox
> > > May  2 17:10:32 neodymium sshd[752]: debug2: Network child is on pid
> 753
> > > May  2 17:10:32 neodymium sshd[752]: debug3: preauth child monitor
> started
> > > May  2 17:10:32 neodymium sshd[752]: debug1: SELinux support disabled
> > > [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug3: privsep user:group 74:74
> > > [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug1: permanently_set_uid: 74/74
> > > [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug1: list_hostkey_types:
> > > ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> > > type 42 [preauth]
> > >

Re: [Freeipa-users] GSSAPI authentication from trusted AD domain

2017-05-02 Thread Sumit Bose

On Tue, May 02, 2017 at 05:46:34PM +0200, Tiemen Ruiten wrote:
> I think I just realised that my expectation may be wrong: GSSAPI login with
> a FreeIPA user logged in on an AD host to a FreeIPA host works. So is it
> correct to also expect passwordless login with an AD user to a FreeIPA host?

The AD user case should work as well. 

First please send the SSSD version you use on the IPA client,
alternatively you can check if
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin exists or not. This
would tell if SSSD can map the user name to the Kerberos principal of if
additional configuration is needed.

On the AD host please check after trying to connect with ssh if there is
a proper service ticket for the IPA client by calling 'klist' in cmd.exe
or PowerShell.

bye,
Sumit

> 
> On 2 May 2017 at 17:40, Jason B. Nance  wrote:
> 
> > Hi Tiemen,
> >
> > To be clear, what I'm trying to do: log in from an AD account
> > (adm.tiemen), from an AD host (leon.clients.rdmedia.com) to a FreeIPA
> > host (neodymium.test.ams.i.rdmedia.com) with the same AD account. I
> > expect to be logged in through GSSAPI, instead I get a password prompt.
> >
> > I'm assuming that you are coming from a Windows client that is domain
> > joined and logged into that Windows client with the same domain credentials
> > that you are using to connect to the IPA-joined host.  Do you also have
> > your SSH client configured to attempt GSSAPI?  It appears that you do from
> > the logs you provided but I'm just double-checking.
> >
> > In my setup I've found that this feature does not work all of the time.
> > I've not yet been able to track it down and I'm assuming it has something
> > to do with connections to domain controllers timing out, but at this point
> > that is speculation.
> >
> > So to answer your question, yes, that should work.  Sorry I don't have
> > more information for you, I guess I'm basically "me too"ing your post.
> >
> > Regards,
> >
> > j
> >
> > Is this supposed to work? Did I miss something?
> >
> > Below the SSH log from the FreeIPA host with LogLevel DEBUG3:
> >
> > May  2 17:10:32 neodymium sshd[572]: debug3: fd 5 is not O_NONBLOCK
> > May  2 17:10:32 neodymium sshd[572]: debug1: Forked child 752.
> > May  2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: entering fd
> > = 8 config len 922
> > May  2 17:10:32 neodymium sshd[572]: debug3: ssh_msg_send: type 0
> > May  2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: done
> > May  2 17:10:32 neodymium sshd[752]: debug3: oom_adjust_restore
> > May  2 17:10:32 neodymium sshd[752]: Set /proc/self/oom_score_adj to 0
> > May  2 17:10:32 neodymium sshd[752]: debug1: rexec start in 5 out 5
> > newsock 5 pipe 7 sock 8
> > May  2 17:10:32 neodymium sshd[752]: debug1: inetd sockets after dupping:
> > 3, 3
> > May  2 17:10:32 neodymium sshd[752]: Connection from 192.168.10.155 port
> > 53106 on 192.168.50.63 port 22
> > May  2 17:10:32 neodymium sshd[752]: debug1: Client protocol version 2.0;
> > client software version PuTTY_KiTTY
> > May  2 17:10:32 neodymium sshd[752]: debug1: no match: PuTTY_KiTTY
> > May  2 17:10:32 neodymium sshd[752]: debug1: Enabling compatibility mode
> > for protocol 2.0
> > May  2 17:10:32 neodymium sshd[752]: debug1: Local version string
> > SSH-2.0-OpenSSH_6.6.1
> > May  2 17:10:32 neodymium sshd[752]: debug2: fd 3 setting O_NONBLOCK
> > May  2 17:10:32 neodymium sshd[752]: debug3: ssh_sandbox_init: preparing
> > rlimit sandbox
> > May  2 17:10:32 neodymium sshd[752]: debug2: Network child is on pid 753
> > May  2 17:10:32 neodymium sshd[752]: debug3: preauth child monitor started
> > May  2 17:10:32 neodymium sshd[752]: debug1: SELinux support disabled
> > [preauth]
> > May  2 17:10:32 neodymium sshd[752]: debug3: privsep user:group 74:74
> > [preauth]
> > May  2 17:10:32 neodymium sshd[752]: debug1: permanently_set_uid: 74/74
> > [preauth]
> > May  2 17:10:32 neodymium sshd[752]: debug1: list_hostkey_types:
> > ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> > type 42 [preauth]
> > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
> > entering: type 43 [preauth]
> > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
> > [preauth]
> > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
> > May  2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking
> > request 42
> > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> > type 43
> > May  2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT sent
> > [preauth]
> > May  2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT received
> > [preauth]
> > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> > gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+
> > al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve
> > 25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-
> > n

Re: [Freeipa-users] GSSAPI authentication from trusted AD domain

2017-05-02 Thread Jason B. Nance

Hi Tiemen, 

> To be clear, what I'm trying to do: log in from an AD account (adm.tiemen), 
> from
> an AD host ( [ http://leon.clients.rdmedia.com/ | leon.clients.rdmedia.com ] )
> to a FreeIPA host ( [ http://neodymium.test.ams.i.rdmedia.com/ |
> neodymium.test.ams.i.rdmedia.com ] ) with the same AD account. I expect to be
> logged in through GSSAPI, instead I get a password prompt.

I'm assuming that you are coming from a Windows client that is domain joined 
and logged into that Windows client with the same domain credentials that you 
are using to connect to the IPA-joined host. Do you also have your SSH client 
configured to attempt GSSAPI? It appears that you do from the logs you provided 
but I'm just double-checking. 

In my setup I've found that this feature does not work all of the time. I've 
not yet been able to track it down and I'm assuming it has something to do with 
connections to domain controllers timing out, but at this point that is 
speculation. 

So to answer your question, yes, that should work. Sorry I don't have more 
information for you, I guess I'm basically "me too"ing your post. 

Regards, 

j 

> Is this supposed to work? Did I miss something?

> Below the SSH log from the FreeIPA host with LogLevel DEBUG3:

> May 2 17:10:32 neodymium sshd[572]: debug3: fd 5 is not O_NONBLOCK
> May 2 17:10:32 neodymium sshd[572]: debug1: Forked child 752.
> May 2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: entering fd = 8
> config len 922
> May 2 17:10:32 neodymium sshd[572]: debug3: ssh_msg_send: type 0
> May 2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: done
> May 2 17:10:32 neodymium sshd[752]: debug3: oom_adjust_restore
> May 2 17:10:32 neodymium sshd[752]: Set /proc/self/oom_score_adj to 0
> May 2 17:10:32 neodymium sshd[752]: debug1: rexec start in 5 out 5 newsock 5
> pipe 7 sock 8
> May 2 17:10:32 neodymium sshd[752]: debug1: inetd sockets after dupping: 3, 3
> May 2 17:10:32 neodymium sshd[752]: Connection from 192.168.10.155 port 53106 
> on
> 192.168.50.63 port 22
> May 2 17:10:32 neodymium sshd[752]: debug1: Client protocol version 2.0; 
> client
> software version PuTTY_KiTTY
> May 2 17:10:32 neodymium sshd[752]: debug1: no match: PuTTY_KiTTY
> May 2 17:10:32 neodymium sshd[752]: debug1: Enabling compatibility mode for
> protocol 2.0
> May 2 17:10:32 neodymium sshd[752]: debug1: Local version string
> SSH-2.0-OpenSSH_6.6.1
> May 2 17:10:32 neodymium sshd[752]: debug2: fd 3 setting O_NONBLOCK
> May 2 17:10:32 neodymium sshd[752]: debug3: ssh_sandbox_init: preparing rlimit
> sandbox
> May 2 17:10:32 neodymium sshd[752]: debug2: Network child is on pid 753
> May 2 17:10:32 neodymium sshd[752]: debug3: preauth child monitor started
> May 2 17:10:32 neodymium sshd[752]: debug1: SELinux support disabled [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: privsep user:group 74:74 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug1: permanently_set_uid: 74/74 
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug1: list_hostkey_types:
> ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type 42
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect 
> entering:
> type 43 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
> May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking request 42
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type 43
> May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT sent [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT received 
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,
> [ mailto:curve25519-sha...@libssh.org | curve25519-sha...@libssh.org ]
> ,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, [
> mailto:aes128-...@openssh.com | aes128-...@openssh.com ] , [
> mailto:aes256-...@openssh.com | aes256-...@openssh.com ] , [
> mailto:chacha20-poly1...@openssh.com | chacha20-poly1...@openssh.com ]
> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour, [
> mailto:rijndael-...@lysator.liu.se | rijndael-...@lysator.liu.se ] [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, [
> mailto:aes128-...@openssh.com | aes12

Re: [Freeipa-users] GSSAPI authentication from trusted AD domain

2017-05-02 Thread Jason B. Nance

> I think I just realised that my expectation may be wrong: GSSAPI login with a
> FreeIPA user logged in on an AD host to a FreeIPA host works. So is it correct
> to also expect passwordless login with an AD user to a FreeIPA host?

If your FreeIPA domain trusts the AD domain, then yes, you can use an AD user 
to login to a FreeIPA-joined Linux host from a domain-joined Windows client 
where you are logged into the Windows client as the AD user (assuming you have 
your HBACs setup to allow - if you didn't password auth wouldn't work either). 
Unless you've configured "default_domain_suffix" in sssd.conf the user name is 
"adu...@addomain.tld". If you have configured "default_domain_suffix" make sure 
that your user names in AD don't conflict with the user names in IPA. 

Regards, 

j 

> On 2 May 2017 at 17:40, Jason B. Nance < [ mailto:ja...@tresgeek.net |
> ja...@tresgeek.net ] > wrote:

>> Hi Tiemen,

>>> To be clear, what I'm trying to do: log in from an AD account (adm.tiemen), 
>>> from
>>> an AD host ( [ http://leon.clients.rdmedia.com/ | leon.clients.rdmedia.com 
>>> ] )
>>> to a FreeIPA host ( [ http://neodymium.test.ams.i.rdmedia.com/ |
>>> neodymium.test.ams.i.rdmedia.com ] ) with the same AD account. I expect to 
>>> be
>>> logged in through GSSAPI, instead I get a password prompt.

>> I'm assuming that you are coming from a Windows client that is domain joined 
>> and
>> logged into that Windows client with the same domain credentials that you are
>> using to connect to the IPA-joined host. Do you also have your SSH client
>> configured to attempt GSSAPI? It appears that you do from the logs you 
>> provided
>> but I'm just double-checking.

>> In my setup I've found that this feature does not work all of the time. I've 
>> not
>> yet been able to track it down and I'm assuming it has something to do with
>> connections to domain controllers timing out, but at this point that is
>> speculation.

>> So to answer your question, yes, that should work. Sorry I don't have more
>> information for you, I guess I'm basically "me too"ing your post.

>> Regards,

>> j

>>> Is this supposed to work? Did I miss something?

>>> Below the SSH log from the FreeIPA host with LogLevel DEBUG3:

>>> May 2 17:10:32 neodymium sshd[572]: debug3: fd 5 is not O_NONBLOCK
>>> May 2 17:10:32 neodymium sshd[572]: debug1: Forked child 752.
>>> May 2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: entering fd = 
>>> 8
>>> config len 922
>>> May 2 17:10:32 neodymium sshd[572]: debug3: ssh_msg_send: type 0
>>> May 2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: done
>>> May 2 17:10:32 neodymium sshd[752]: debug3: oom_adjust_restore
>>> May 2 17:10:32 neodymium sshd[752]: Set /proc/self/oom_score_adj to 0
>>> May 2 17:10:32 neodymium sshd[752]: debug1: rexec start in 5 out 5 newsock 5
>>> pipe 7 sock 8
>>> May 2 17:10:32 neodymium sshd[752]: debug1: inetd sockets after dupping: 3, 
>>> 3
>>> May 2 17:10:32 neodymium sshd[752]: Connection from 192.168.10.155 port 
>>> 53106 on
>>> 192.168.50.63 port 22
>>> May 2 17:10:32 neodymium sshd[752]: debug1: Client protocol version 2.0; 
>>> client
>>> software version PuTTY_KiTTY
>>> May 2 17:10:32 neodymium sshd[752]: debug1: no match: PuTTY_KiTTY
>>> May 2 17:10:32 neodymium sshd[752]: debug1: Enabling compatibility mode for
>>> protocol 2.0
>>> May 2 17:10:32 neodymium sshd[752]: debug1: Local version string
>>> SSH-2.0-OpenSSH_6.6.1
>>> May 2 17:10:32 neodymium sshd[752]: debug2: fd 3 setting O_NONBLOCK
>>> May 2 17:10:32 neodymium sshd[752]: debug3: ssh_sandbox_init: preparing 
>>> rlimit
>>> sandbox
>>> May 2 17:10:32 neodymium sshd[752]: debug2: Network child is on pid 753
>>> May 2 17:10:32 neodymium sshd[752]: debug3: preauth child monitor started
>>> May 2 17:10:32 neodymium sshd[752]: debug1: SELinux support disabled 
>>> [preauth]
>>> May 2 17:10:32 neodymium sshd[752]: debug3: privsep user:group 74:74 
>>> [preauth]
>>> May 2 17:10:32 neodymium sshd[752]: debug1: permanently_set_uid: 74/74 
>>> [preauth]
>>> May 2 17:10:32 neodymium sshd[752]: debug1: list_hostkey_types:
>>> ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
>>> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type 
>>> 42
>>> [preauth]
>>> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect 
>>> entering:
>>> type 43 [preauth]
>>> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
>>> [preauth]
>>> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
>>> May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking request 
>>> 42
>>> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type 
>>> 43
>>> May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT sent [preauth]
>>> May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT received 
>>> [preauth]
>>> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
>>> gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-

Re: [Freeipa-users] GSSAPI authentication from trusted AD domain

2017-05-02 Thread Tiemen Ruiten

I think I just realised that my expectation may be wrong: GSSAPI login with
a FreeIPA user logged in on an AD host to a FreeIPA host works. So is it
correct to also expect passwordless login with an AD user to a FreeIPA host?

On 2 May 2017 at 17:40, Jason B. Nance  wrote:

> Hi Tiemen,
>
> To be clear, what I'm trying to do: log in from an AD account
> (adm.tiemen), from an AD host (leon.clients.rdmedia.com) to a FreeIPA
> host (neodymium.test.ams.i.rdmedia.com) with the same AD account. I
> expect to be logged in through GSSAPI, instead I get a password prompt.
>
> I'm assuming that you are coming from a Windows client that is domain
> joined and logged into that Windows client with the same domain credentials
> that you are using to connect to the IPA-joined host.  Do you also have
> your SSH client configured to attempt GSSAPI?  It appears that you do from
> the logs you provided but I'm just double-checking.
>
> In my setup I've found that this feature does not work all of the time.
> I've not yet been able to track it down and I'm assuming it has something
> to do with connections to domain controllers timing out, but at this point
> that is speculation.
>
> So to answer your question, yes, that should work.  Sorry I don't have
> more information for you, I guess I'm basically "me too"ing your post.
>
> Regards,
>
> j
>
> Is this supposed to work? Did I miss something?
>
> Below the SSH log from the FreeIPA host with LogLevel DEBUG3:
>
> May  2 17:10:32 neodymium sshd[572]: debug3: fd 5 is not O_NONBLOCK
> May  2 17:10:32 neodymium sshd[572]: debug1: Forked child 752.
> May  2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: entering fd
> = 8 config len 922
> May  2 17:10:32 neodymium sshd[572]: debug3: ssh_msg_send: type 0
> May  2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: done
> May  2 17:10:32 neodymium sshd[752]: debug3: oom_adjust_restore
> May  2 17:10:32 neodymium sshd[752]: Set /proc/self/oom_score_adj to 0
> May  2 17:10:32 neodymium sshd[752]: debug1: rexec start in 5 out 5
> newsock 5 pipe 7 sock 8
> May  2 17:10:32 neodymium sshd[752]: debug1: inetd sockets after dupping:
> 3, 3
> May  2 17:10:32 neodymium sshd[752]: Connection from 192.168.10.155 port
> 53106 on 192.168.50.63 port 22
> May  2 17:10:32 neodymium sshd[752]: debug1: Client protocol version 2.0;
> client software version PuTTY_KiTTY
> May  2 17:10:32 neodymium sshd[752]: debug1: no match: PuTTY_KiTTY
> May  2 17:10:32 neodymium sshd[752]: debug1: Enabling compatibility mode
> for protocol 2.0
> May  2 17:10:32 neodymium sshd[752]: debug1: Local version string
> SSH-2.0-OpenSSH_6.6.1
> May  2 17:10:32 neodymium sshd[752]: debug2: fd 3 setting O_NONBLOCK
> May  2 17:10:32 neodymium sshd[752]: debug3: ssh_sandbox_init: preparing
> rlimit sandbox
> May  2 17:10:32 neodymium sshd[752]: debug2: Network child is on pid 753
> May  2 17:10:32 neodymium sshd[752]: debug3: preauth child monitor started
> May  2 17:10:32 neodymium sshd[752]: debug1: SELinux support disabled
> [preauth]
> May  2 17:10:32 neodymium sshd[752]: debug3: privsep user:group 74:74
> [preauth]
> May  2 17:10:32 neodymium sshd[752]: debug1: permanently_set_uid: 74/74
> [preauth]
> May  2 17:10:32 neodymium sshd[752]: debug1: list_hostkey_types:
> ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> type 42 [preauth]
> May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
> entering: type 43 [preauth]
> May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
> [preauth]
> May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
> May  2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking
> request 42
> May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> type 43
> May  2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT sent
> [preauth]
> May  2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT received
> [preauth]
> May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+
> al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve
> 25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-
> nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-
> sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-
> group14-sha1,diffie-hellman-group1-sha1 [preauth]
> May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes1
> 28-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com
> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
> aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se [preauth]
> May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,

[Freeipa-users] GSSAPI authentication from trusted AD domain

2017-05-02 Thread Tiemen Ruiten

Hello,

I now have a working two-way trust between Active Directory (
clients.rdmedia.com) and FreeIPA (i.rdmedia.com). Users from the AD can
authenticate to FreeIPA hosts and the other way around. Great!

Next, I'm trying to achieve passwordless Single Sign On through GSSAPI for
Windows clients to FreeIPA hosts. This doesn't seem to be working, despite
setting ipa host-mod --ok-as-delegate=TRUE

To be clear, what I'm trying to do: log in from an AD account (adm.tiemen),
from an AD host (leon.clients.rdmedia.com) to a FreeIPA host (
neodymium.test.ams.i.rdmedia.com) with the same AD account. I expect to be
logged in through GSSAPI, instead I get a password prompt.

Is this supposed to work? Did I miss something?

Below the SSH log from the FreeIPA host with LogLevel DEBUG3:

May  2 17:10:32 neodymium sshd[572]: debug3: fd 5 is not O_NONBLOCK
May  2 17:10:32 neodymium sshd[572]: debug1: Forked child 752.
May  2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: entering fd
= 8 config len 922
May  2 17:10:32 neodymium sshd[572]: debug3: ssh_msg_send: type 0
May  2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: done
May  2 17:10:32 neodymium sshd[752]: debug3: oom_adjust_restore
May  2 17:10:32 neodymium sshd[752]: Set /proc/self/oom_score_adj to 0
May  2 17:10:32 neodymium sshd[752]: debug1: rexec start in 5 out 5 newsock
5 pipe 7 sock 8
May  2 17:10:32 neodymium sshd[752]: debug1: inetd sockets after dupping:
3, 3
May  2 17:10:32 neodymium sshd[752]: Connection from 192.168.10.155 port
53106 on 192.168.50.63 port 22
May  2 17:10:32 neodymium sshd[752]: debug1: Client protocol version 2.0;
client software version PuTTY_KiTTY
May  2 17:10:32 neodymium sshd[752]: debug1: no match: PuTTY_KiTTY
May  2 17:10:32 neodymium sshd[752]: debug1: Enabling compatibility mode
for protocol 2.0
May  2 17:10:32 neodymium sshd[752]: debug1: Local version string
SSH-2.0-OpenSSH_6.6.1
May  2 17:10:32 neodymium sshd[752]: debug2: fd 3 setting O_NONBLOCK
May  2 17:10:32 neodymium sshd[752]: debug3: ssh_sandbox_init: preparing
rlimit sandbox
May  2 17:10:32 neodymium sshd[752]: debug2: Network child is on pid 753
May  2 17:10:32 neodymium sshd[752]: debug3: preauth child monitor started
May  2 17:10:32 neodymium sshd[752]: debug1: SELinux support disabled
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: privsep user:group 74:74
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug1: permanently_set_uid: 74/74
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug1: list_hostkey_types:
ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type
42 [preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
entering: type 43 [preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
May  2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking request
42
May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type
43
May  2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT sent [preauth]
May  2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT received
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,
curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com
,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-...@lysator.liu.se [preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com
,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-...@lysator.liu.se [preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,
umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,
hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,
hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,
umac...@openssh.com,umac-...@openssh.com
,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
[preauth]
May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,

Re: [Freeipa-users] GSSAPI authentication from trusted AD domain

Re: [Freeipa-users] GSSAPI authentication from trusted AD domain

Re: [Freeipa-users] GSSAPI authentication from trusted AD domain

Re: [Freeipa-users] GSSAPI authentication from trusted AD domain

Re: [Freeipa-users] GSSAPI authentication from trusted AD domain

Re: [Freeipa-users] GSSAPI authentication from trusted AD domain

Re: [Freeipa-users] GSSAPI authentication from trusted AD domain

[Freeipa-users] GSSAPI authentication from trusted AD domain

8 matches

Site Navigation

Mail list logo

Footer information