On Wed, May 03, 2017 at 11:28:18AM +0200, Tiemen Ruiten wrote:
> Tickets on the FreeIPA host after connecting (with a password):
>
> [adm.tie...@clients.rdmedia.com@neodymium ~]$ klist
> Ticket cache: KEYRING:persistent:998801112:krb_ccache_ZzERoB1
> Default principal: adm.tie...@clients.rdmedia.c
Tickets on the FreeIPA host after connecting (with a password):
[adm.tie...@clients.rdmedia.com@neodymium ~]$ klist
Ticket cache: KEYRING:persistent:998801112:krb_ccache_ZzERoB1
Default principal: adm.tie...@clients.rdmedia.com
Valid starting Expires Service principal
05/03/201
It's a CentOS 7.3 host, the version of sssd is 1.14.0, so there's no need
for mapping. However on the AD host:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
adm.tiemen@VM-WIN-01 C:\Users\adm.tiemen>klist
Current LogonId is 0:0x603b58
Cached Ticket
On Tue, May 02, 2017 at 05:46:34PM +0200, Tiemen Ruiten wrote:
> I think I just realised that my expectation may be wrong: GSSAPI login with
> a FreeIPA user logged in on an AD host to a FreeIPA host works. So is it
> correct to also expect passwordless login with an AD user to a FreeIPA host?
The
Hi Tiemen,
> To be clear, what I'm trying to do: log in from an AD account (adm.tiemen),
> from an AD host (leon.clients.rdmedia.com)
> to a FreeIPA host (neodymium.test.ams.i.rdmedia.com) with the same
> I think I just realised that my expectation may be wrong: GSSAPI login with a
> FreeIPA user logged in on an AD host to a FreeIPA host works. So is it correct
> to also expect passwordless login with an AD user to a FreeIPA host?
If your FreeIPA domain trusts the AD domain, then yes, you can use
I think I just realised that my expectation may be wrong: GSSAPI login with
a FreeIPA user logged in on an AD host to a FreeIPA host works. So is it
correct to also expect passwordless login with an AD user to a FreeIPA host?
On 2 May 2017 at 17:40, Jason B. Nance wrote:
> Hi Tiemen,
>
> To be c
Hello,
I now have a working two-way trust between Active Directory (
clients.rdmedia.com) and FreeIPA (i.rdmedia.com). Users from the AD can
authenticate to FreeIPA hosts and the other way around. Great!
Next, I'm trying to achieve passwordless Single Sign On through GSSAPI for
Windows clients to