Do you have something like this in ~/.ssh/config?

Host *.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes


> On 26.06.2017 at 07:58, Tony Brian Albers via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> Hi Rob,
> 
> Not sure what the redhat docs describe, we're not using AD with this system.
> 
> It seems somehow that GSSAPI does not forward the kerberos ticket obtained on 
> the client machine correctly, when I connect to the machine I want to work 
> on, it just says that the ticket has expired.
> 
> I'm still trying a few things, I'll post to the list when I've got something 
> new.
> 
> /tony
> 
> 
> On 2017-06-22 15:13, Rob Verduijn via FreeIPA-users wrote:
>> If you are using gss-api and using putty to log in.
>> Did you do the thing mentioned in 5.3.4.5
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-managing.html#kerberos-flags-services-hosts
>> also see
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/kerberos-for-entries.html#kerberos-flags-services-hosts
>> 
>> Rob
>> 
>> 2017-06-22 13:50 GMT+02:00 Tony Brian Albers via FreeIPA-users 
>> <freeipa-users@lists.fedorahosted.org>:
>> 
>>    Hi guys,
>> 
>>    We have a setup where the FreeIPA server also hosts the user's homedirs. 
>> These are shared via NFSv4 and are automounted when a user logs in.
>> 
>>    [root@adm-001 ~]# cat /etc/exports
>>    /data/home      172.16.216.0/24(rw,no_root_squash,sec=sys:krb5:krb5i:krb5p,fsid=1338)
>> 
>>    [root@adm-001 ~]# ipa automountkey-show
>>    Location: default
>>    Map: auto.home
>>    Key: *
>>      Key: *
>>      Mount information: -fstype=nfs4,rw,sec=krb5,intr,hard adm-001.domain:/data/home/&
>> 
>> 
>>    While normal ssh logins work (you ssh to the client and put in your 
>> password), passwordless ssh does not work. It's obvious that passwordless 
>> logins do not activate the kerberos ticket function, but that results in the 
>> users being unable to read their own files in their homedirs.
>> 
>>    For now we ask users to not do passwordless login, but could we make the 
>> latter work?
>> 
>>    TIA,
>> 
>>    /tony
>> 
>> 
>>    --
>>    Tony Albers
>>    Systems administrator, IT-development
>>    Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
>>    Tel: +45 2566 2383 / +45 8946 2316
>>    _______________________________________________
>>    FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>    To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>> 
>> 
>> 
>> 
>> 
> 
> 
> --
> Tony Albers
> Systems administrator, IT-development
> Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 2566 2383 / +45 8946 2316
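
Added example, not part of the original thread: two shell checks for the settings discussed above, one over `ssh -G <host>` output for the effective GSSAPIAuthentication and GSSAPIDelegateCredentials values, and one over `klist -f` output for a forwardable TGT, which delegation requires. The realm EXAMPLE.COM, the host name and both sample outputs are constructed.

```shell
#!/bin/sh
# Added example; sample outputs below are constructed, not taken from the thread.

# Reads `ssh -G <host>` output on stdin. Succeeds only if the effective client
# configuration enables both GSSAPI authentication and credential delegation.
check_ssh_delegation() {
    awk '
        $1 == "gssapiauthentication"      { auth  = ($2 == "yes") }
        $1 == "gssapidelegatecredentials" { deleg = ($2 == "yes") }
        END { exit !(auth && deleg) }
    '
}

# Reads `klist -f` output on stdin; $1 is the realm. Succeeds only if the TGT
# carries the F (forwardable) flag, without which ssh cannot delegate it.
check_tgt_forwardable() {
    awk -v realm="$1" '
        index($0, "krbtgt/" realm "@" realm) { in_tgt = 1; next }
        in_tgt && /Flags:/                   { found = ($NF ~ /F/); in_tgt = 0; next }
        /^[^ \t]/                            { in_tgt = 0 }
        END { exit !found }
    '
}

# Constructed sample: delegation enabled for the host (assumed name).
SAMPLE_SSH_G='hostname client.example.com
gssapiauthentication yes
gssapidelegatecredentials yes'

# Constructed sample: a TGT that is renewable but not forwardable.
SAMPLE_KLIST='Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
06/26/2017 07:00:00  06/27/2017 07:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 07/03/2017 07:00:00, Flags: RIA'

printf '%s\n' "$SAMPLE_SSH_G" | check_ssh_delegation \
    && echo "ssh client: GSSAPI delegation enabled"
printf '%s\n' "$SAMPLE_KLIST" | check_tgt_forwardable EXAMPLE.COM \
    || echo "klist: TGT not forwardable, nothing to delegate (try kinit -f)"
```

On a real client the same functions take live input, e.g. `ssh -G client.example.com | check_ssh_delegation` and `klist -f | check_tgt_forwardable EXAMPLE.COM`.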
