Do you have something like this in ~/.ssh/config?

    Host *.example.com
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes

> On 26.06.2017 at 07:58, Tony Brian Albers via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
> Hi Rob,
>
> Not sure what the redhat docs describe, we're not using AD with this system.
>
> It seems somehow that GSSAPI does not forward the kerberos ticket obtained on
> the client machine correctly, when I connect to the machine I want to work
> on, it just says that the ticket has expired.
>
> I'm still trying a few things, I'll post to the list when I've got something
> new.
>
> /tony
>
>
> On 2017-06-22 15:13, Rob Verduijn via FreeIPA-users wrote:
>> If you are using gss-api and using putty to log in.
>> Did you do the thing mentioned in 5.3.4.5
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-managing.html#kerberos-flags-services-hosts
>> also see
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/kerberos-for-entries.html#kerberos-flags-services-hosts
>>
>> Rob
>>
>> 2017-06-22 13:50 GMT+02:00 Tony Brian Albers via FreeIPA-users
>> <freeipa-users@lists.fedorahosted.org>:
>>
>> Hi guys,
>>
>> We have a setup where the FreeIPA server also hosts the user's homedirs.
>> These are shared via NFSv4 and are automounted when a user logs in.
>>
>> [root@adm-001 ~]# cat /etc/exports
>> /data/home 172.16.216.0/24(rw,no_root_squash,sec=sys:krb5:krb5i:krb5p,fsid=1338)
>>
>> [root@adm-001 ~]# ipa automountkey-show
>> Location: default
>> Map: auto.home
>> Key: *
>> Key: *
>> Mount information: -fstype=nfs4,rw,sec=krb5,intr,hard adm-001.domain:/data/home/&
>>
>>
>> While normal ssh logins work (you ssh to the client and put in your
>> password), passwordless ssh does not work. It's obvious that passwordless
>> logins do not activate the kerberos ticket function, but that results in the
>> users being unable to read their own files in their homedirs.
>>
>> For now we ask users to not do passwordless login, but could we make the
>> latter work?
>>
>> TIA,
>>
>> /tony
>>
>>
>> --
>> Tony Albers
>> Systems administrator, IT-development
>> Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
>> Tel: +45 2566 2383 / +45 8946 2316
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-le...@lists.fedorahosted.org
>>
>
>
> --
> Tony Albers
> Systems administrator, IT-development
> Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 2566 2383 / +45 8946 2316
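An added example, not part of the thread and not FreeIPA or OpenSSH code: one way to check the two client-side preconditions behind the ssh_config suggestion above, namely that the effective ssh configuration enables GSSAPI delegation and that the TGT is forwardable. It assumes OpenSSH's `ssh -G` output and MIT Kerberos `klist -f` output; the function names are hypothetical and the sample values are constructed.

```bash
#!/usr/bin/env bash
# Added example: verify the client-side preconditions for forwarding a
# Kerberos ticket over ssh. Function names are hypothetical.

# Constructed sample of `ssh -G host` output (effective client config).
SAMPLE_SSH_G='user alice
hostname client01.example.com
gssapiauthentication yes
gssapidelegatecredentials yes'

# Constructed sample of MIT `klist -f` output; the F flag means forwardable.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:1000:1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
06/26/2017 08:00:00  06/27/2017 08:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 07/03/2017 08:00:00, Flags: FRIA'

# stdin: `ssh -G` output. Succeeds only if both GSSAPI options are "yes".
gssapi_delegation_enabled() {
    awk '$1 == "gssapiauthentication"      { auth = $2 }
         $1 == "gssapidelegatecredentials" { deleg = $2 }
         END { exit !(auth == "yes" && deleg == "yes") }'
}

# stdin: `klist -f` output. Succeeds only if the TGT carries the F flag.
tgt_forwardable() {
    awk '/krbtgt\//         { in_tgt = 1; next }
         in_tgt && /Flags:/ { sub(/.*Flags:[ \t]*/, ""); flags = $1; exit }
         in_tgt && /^[0-9]/ { exit }   # next ticket started, no flags seen
         END { exit !(flags ~ /F/) }'
}

# Run both checks against the live config and ticket cache for one host.
# Usage: check_host client01.example.com
check_host() {
    ssh -G "$1" | gssapi_delegation_enabled ||
        { echo "$1: GSSAPI delegation not enabled in ssh config"; return 1; }
    klist -f | tgt_forwardable ||
        { echo "TGT is not forwardable, so ssh cannot delegate it"; return 1; }
    echo "$1: client side is ready to delegate the ticket"
}
```

Delegation hands a copy of the TGT to the remote host, so the Host pattern that enables GSSAPIDelegateCredentials is best kept limited to machines you trust with it.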