Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust

2016-09-07 Thread Alexander Bokovoy

On Wed, 07 Sep 2016, Troels Hansen wrote:

> - On Sep 7, 2016, at 10:36 AM, Alexander Bokovoy aboko...@redhat.com wrote:
>
>> How exactly did you establish the trust? I see you have one-way trust
>> but did you establish it with AD admin credentials or using a shared
>> secret? If the latter, it is a known issue that AD does not activate the
>> trust for shared secret one-way case and aforementioned bug prevents us
>> from validating the trust afterwards.
>
> Not quite sure actually.
> I can remember we tried using shared secret but not sure if we got it
> to work or if we fell back to user and password (bash history on IPA
> server expired).

There are two solutions here: use admin credentials to establish one-way
trust or use two-way trust (whether with shared secret or admin
credentials).

You can re-establish trust. It will drop the trusted domain objects on
both sides and re-create them, but the rest will be kept intact on IPA
side, so it could be used to repair such cases.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust

2016-09-07 Thread Troels Hansen


- On Sep 7, 2016, at 10:31 AM, Sumit Bose sb...@redhat.com wrote:

> 
> So I guess there is no cross-realm ticket either, i.e.
> krbtgt/IPA.DOMAIN@AD.DOMAIN. Can you check on AD if the IPA DNS domain
> is listed in the 'Name Suffix Routing' tab in the trust properties of
> the IPA domain? Additionally please check if the DNS SRV records like
> e.g. _kerberos._udp.ipa.domain can be resolved on the AD side.
> 


No, no cross-realm tickets on the Windows client. It's a one-way trust, if that makes
a difference?
DNS is working. DNS config is only done on the AD side, so IPA DNS config is done
there and Linux clients are configured to use AD as DNS.

Alexander just wrote that if we had used shared secret to create the trust the 
routing is missing and can't be fetched afterwards.



Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust

2016-09-07 Thread Troels Hansen
- On Sep 7, 2016, at 10:36 AM, Alexander Bokovoy aboko...@redhat.com wrote:

> How exactly did you establish the trust? I see you have one-way trust
> but did you establish it with AD admin credentials or using a shared
> secret? If the latter, it is a known issue that AD does not activate the
> trust for shared secret one-way case and aforementioned bug prevents us
> from validating the trust afterwards.


Not quite sure actually.
I can remember we tried using shared secret but not sure if we got it to work
or if we fell back to user and password (bash history on IPA server expired).



Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust

2016-09-07 Thread Alexander Bokovoy

On Wed, 07 Sep 2016, Troels Hansen wrote:


> - On Sep 7, 2016, at 9:55 AM, Alexander Bokovoy aboko...@redhat.com wrote:
>
>> "Target was not recognized" means AD DC doesn't know that
>> rhel02edv.linux.dr.dk belongs to LINUX.DR.DK realm and thus has to
>> forward the authentication requests there.
>>
>> What do you have in the trust properties on AD side? Specifically, what
>> does name routing suffixes show there?
>
> Yes, it's correct, there is no routing configured.
> I don't seem to be able to add it manually, and auto refresh doesn't work:
> https://fedorahosted.org/freeipa/ticket/5683

How exactly did you establish the trust? I see you have one-way trust
but did you establish it with AD admin credentials or using a shared
secret? If the latter, it is a known issue that AD does not activate the
trust for shared secret one-way case and aforementioned bug prevents us
from validating the trust afterwards.
--
/ Alexander Bokovoy



Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust

2016-09-07 Thread Sumit Bose
On Wed, Sep 07, 2016 at 09:55:45AM +0200, Troels Hansen wrote:
> 
> 
> - On Sep 7, 2016, at 9:43 AM, Sumit Bose sb...@redhat.com wrote:
> 
> > Additionally please check the klist output on the Windows client. It
> > should show the host principal of the Linux client
> > (host/client.ipa.domain@IPA.DOMAIN). If the principal is there the sshd
> > logs on the Linux client with a high debug level might also have some
> > hints why GSSAPI authentication failed.
> > 
> 
> 
> Hmm, no host tickets. Only krbtgt for the domain and LDAP and CIFS principals
> for the DCs.

So I guess there is no cross-realm ticket either, i.e.
krbtgt/IPA.DOMAIN@AD.DOMAIN. Can you check on AD if the IPA DNS domain
is listed in the 'Name Suffix Routing' tab in the trust properties of
the IPA domain? Additionally please check if the DNS SRV records like
e.g. _kerberos._udp.ipa.domain can be resolved on the AD side.

HTH

bye,
Sumit



Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust

2016-09-07 Thread Troels Hansen

- On Sep 7, 2016, at 10:17 AM, Troels Hansen t...@casalogic.dk wrote:

> 
> Yes, its correct, there is no routing configured.
> I can't see to be able to add it manually, and auto refresh doesn't work:
> https://fedorahosted.org/freeipa/ticket/5683
> 

According to the docs it should work?

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/creating-trusts.html#pic.trust-refresh-routing



Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust

2016-09-07 Thread Troels Hansen

- On Sep 7, 2016, at 9:55 AM, Alexander Bokovoy aboko...@redhat.com wrote:

> "Target was not recognized" means AD DC doesn't know that
> rhel02edv.linux.dr.dk belongs to LINUX.DR.DK realm and thus has to
> forward the authentication requests there.
> 
> What do you have in the trust properties on AD side? Specifically, what
> does name routing suffixes show there?

Yes, it's correct, there is no routing configured.
I don't seem to be able to add it manually, and auto refresh doesn't work:
https://fedorahosted.org/freeipa/ticket/5683

??



Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust

2016-09-07 Thread Alexander Bokovoy

On Wed, 07 Sep 2016, Troels Hansen wrote:

> When logging in, putty only shows:
> Using username "drext...@net.dr.dk".
> drext...@net.dr.dk@rhel02udv.linux.dr.dk's password:
>
> Putty log shows it's only using SSPI, secur32.dll for GSSAPI, but fails:
>
> Event Log: Using SSPI from SECUR32.DLL
> Event Log: Attempting GSSAPI authentication
> Outgoing packet #0x6, type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST)
>  00 00 00 12 64 72 65 78 74 72 68 61 40 6e 65 74 drextrha@net
> 0010 2e 64 72 2e 64 6b 00 00 00 0e 73 73 68 2d 63 6f .dr.dkssh-co
> 0020 6e 6e 65 63 74 69 6f 6e 00 00 00 0f 67 73 73 61 nnectiongssa
> 0030 70 69 2d 77 69 74 68 2d 6d 69 63 00 00 00 01 00 pi-with-mic.
> 0040 00 00 0b 06 09 2a 86 48 86 f7 12 01 02 02 .*.H..
> Incoming packet #0x6, type 60 / 0x3c (SSH2_MSG_USERAUTH_GSSAPI_RESPONSE)
>  00 00 00 0b 06 09 2a 86 48 86 f7 12 01 02 02 ..*.H..
> Event Log: GSSAPI authentication initialisation failed
> Event Log: The target was not recognized.

"Target was not recognized" means AD DC doesn't know that
rhel02edv.linux.dr.dk belongs to LINUX.DR.DK realm and thus has to
forward the authentication requests there.

What do you have in the trust properties on AD side? Specifically, what
does name routing suffixes show there?



> - On Sep 7, 2016, at 9:27 AM, Alexander Bokovoy  wrote:
>
>> On Wed, 07 Sep 2016, Troels Hansen wrote:
>>
>>> Running RHEL 7.2, IPA 4.2 and SSSD 1.13, we have set up an IPA-AD trust
>>> and trying to get Putty GSSAPI login to work. In Putty GSSAPI has
>>> been enabled, and GSSAPI is enabled in sshd.
>>>
>>> Logging in using password from Windows to Linux works, and logging in
>>> from Linux to Linux using kerberos works.
>>>
>>> AD trust is as follows:
>>>
>>> # ipa trust-find
>>>
>>> 2 trusts matched
>>>
>>> Realm name: net.dr.dk
>>> Domain NetBIOS name: NET
>>> Domain Security Identifier: S-1-5-21-x--
>>>
>>> Realm name: place.dr.dk
>>> Domain NetBIOS name: PLACE
>>> Domain Security Identifier: S-1-5-21-xx-xx-xxx
>>> Trust type: Active Directory domain
>>>
>>> Number of entries returned 2
>>>
>>> # ipa trust-show place.dr.dk
>>> Realm name: place.dr.dk
>>> Domain NetBIOS name: PLACE
>>> Domain Security Identifier: S-1-5-21---x
>>> Trust direction: Trusting forest
>>> Trust type: Active Directory domain
>>>
>>> # ipa trust-show net.dr.dk
>>> Realm name: net.dr.dk
>>> Domain NetBIOS name: NET
>>> Domain Security Identifier: S-1-5-21-x--xx
>>>
>>> users are located in net.dr.dk.
>>>
>>> From looking at the docs this should just work... However, can't get
>>> it to work. Am I missing something?
>>
>> Make screenshots of PuTTY screens showing what you configured and what
>> does not work. You can also ask PuTTY to generate logs.
>>
>> --
>> / Alexander Bokovoy
>
> --
>
> Kind regards
>
> Troels Hansen
>
> System Consultant
>
> Casalogic A/S
>
> T (+45) 70 20 10 63
>
> M (+45) 22 43 71 57
> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and
> much more.






--
/ Alexander Bokovoy



Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust

2016-09-07 Thread Troels Hansen


- On Sep 7, 2016, at 9:43 AM, Sumit Bose sb...@redhat.com wrote:

> Additionally please check the klist output on the Windows client. It
> should show the host principal of the Linux client
> (host/client.ipa.domain@IPA.DOMAIN). If the principal is there the sshd
> logs on the Linux client with a high debug level might also have some
> hints why GSSAPI authentication failed.
> 


Hmm, no host tickets. Only krbtgt for the domain and LDAP and CIFS principals
for the DCs.



Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust

2016-09-07 Thread Troels Hansen
When logging in, putty only shows:
Using username "drext...@net.dr.dk".
drext...@net.dr.dk@rhel02udv.linux.dr.dk's password:

Putty log shows it's only using SSPI, secur32.dll for GSSAPI, but fails:

Event Log: Using SSPI from SECUR32.DLL
Event Log: Attempting GSSAPI authentication
Outgoing packet #0x6, type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST)
 00 00 00 12 64 72 65 78 74 72 68 61 40 6e 65 74 drextrha@net
0010 2e 64 72 2e 64 6b 00 00 00 0e 73 73 68 2d 63 6f .dr.dkssh-co
0020 6e 6e 65 63 74 69 6f 6e 00 00 00 0f 67 73 73 61 nnectiongssa
0030 70 69 2d 77 69 74 68 2d 6d 69 63 00 00 00 01 00 pi-with-mic.
0040 00 00 0b 06 09 2a 86 48 86 f7 12 01 02 02 .*.H..
Incoming packet #0x6, type 60 / 0x3c (SSH2_MSG_USERAUTH_GSSAPI_RESPONSE)
 00 00 00 0b 06 09 2a 86 48 86 f7 12 01 02 02 ..*.H..
Event Log: GSSAPI authentication initialisation failed
Event Log: The target was not recognized.

- On Sep 7, 2016, at 9:27 AM, Alexander Bokovoy  wrote:

> On Wed, 07 Sep 2016, Troels Hansen wrote:

>> Running RHEL 7.2, IPA 4.2 and SSSD 1.13, we have set up an IPA-AD trust
>> and trying to get Putty GSSAPI login to work. In Putty GSSAPI has
>> been enabled, and GSSAPI is enabled in sshd.

>> Logging in using password from Windows to Linux works, and logging in
>> from Linux to Linux using kerberos works.

>> AD trust is as follows:

>> # ipa trust-find
>> 
>> 2 trusts matched
>> 
>> Realm name: net.dr.dk
>> Domain NetBIOS name: NET
>> Domain Security Identifier: S-1-5-21-x--

>> Realm name: place.dr.dk
>> Domain NetBIOS name: PLACE
>> Domain Security Identifier: S-1-5-21-xx-xx-xxx
>> Trust type: Active Directory domain
>> 
>> Number of entries returned 2
>> 

>> # ipa trust-show place.dr.dk
>> Realm name: place.dr.dk
>> Domain NetBIOS name: PLACE
>> Domain Security Identifier: S-1-5-21---x
>> Trust direction: Trusting forest
>> Trust type: Active Directory domain

>> # ipa trust-show net.dr.dk
>> Realm name: net.dr.dk
>> Domain NetBIOS name: NET
>> Domain Security Identifier: S-1-5-21-x--xx

>> users are located in net.dr.dk.

>> From looking at the docs this should just work... However, can't get
>> it to work. Am I missing something?
> Make screenshots of PuTTY screens showing what you configured and what
> does not work. You can also ask PuTTY to generate logs.

> --
> / Alexander Bokovoy

--

Kind regards

Troels Hansen

System Consultant

Casalogic A/S

T (+45) 70 20 10 63

M (+45) 22 43 71 57
Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and
much more.

Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust

2016-09-07 Thread Sumit Bose
On Wed, Sep 07, 2016 at 10:27:17AM +0300, Alexander Bokovoy wrote:
> On Wed, 07 Sep 2016, Troels Hansen wrote:
> > Running RHEL 7.2, IPA 4.2 and SSSD 1.13, we have set up an IPA-AD trust
> > and trying to get Putty GSSAPI login to work.  In Putty GSSAPI has
> > been enabled, and GSSAPI is enabled in sshd.
> > 
> > Logging in using password from Windows to Linux works, and logging in
> > from Linux to Linux using kerberos works.
> > 
> > AD trust is as follows:
> > 
> > # ipa trust-find
> > 
> > 2 trusts matched
> > 
> > Realm name: net.dr.dk
> > Domain NetBIOS name: NET
> > Domain Security Identifier: S-1-5-21-x--
> > 
> > Realm name: place.dr.dk
> > Domain NetBIOS name: PLACE
> > Domain Security Identifier: S-1-5-21-xx-xx-xxx
> > Trust type: Active Directory domain
> > 
> > Number of entries returned 2
> > 
> > 
> > # ipa trust-show place.dr.dk
> > Realm name: place.dr.dk
> > Domain NetBIOS name: PLACE
> > Domain Security Identifier: S-1-5-21---x
> > Trust direction: Trusting forest
> > Trust type: Active Directory domain
> > 
> > # ipa trust-show net.dr.dk
> > Realm name: net.dr.dk
> > Domain NetBIOS name: NET
> > Domain Security Identifier: S-1-5-21-x--xx
> > 
> > users are located in net.dr.dk.
> > 
> > From looking at the docs this should just work... However, can't get
> > it to work. Am I missing something?
> Make screenshots of PuTTY screens showing what you configured and what
> does not work. You can also ask PuTTY to generate logs.

Additionally please check the klist output on the Windows client. It
should show the host principal of the Linux client
(host/client.ipa.domain@IPA.DOMAIN). If the principal is there the sshd
logs on the Linux client with a high debug level might also have some
hints why GSSAPI authentication failed.

HTH

bye,
Sumit

> 
> -- 
> / Alexander Bokovoy
> 

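The ticket checks Sumit asks for in this message, together with the cross-realm ticket and Name Suffix Routing check from his other reply in this thread and Alexander's reading of "The target was not recognized", can be turned into a small triage script. This is an added example, not code from the list thread; the two `klist` dumps, the `dc01` DC name and the `rhel02udv.linux.dr.dk` host ticket are constructed sample values, and the `klist` line layout is simplified from the real Windows output.

```python
import re

# Constructed sample of Windows `klist` output for the failing case from the
# thread: only the AD TGT plus LDAP/CIFS tickets for the DCs, nothing else.
KLIST_FAILING = """\
Cached Tickets: (3)

#0>     Client: drextrha @ NET.DR.DK
        Server: krbtgt/NET.DR.DK @ NET.DR.DK
#1>     Client: drextrha @ NET.DR.DK
        Server: ldap/dc01.net.dr.dk @ NET.DR.DK
#2>     Client: drextrha @ NET.DR.DK
        Server: cifs/dc01.net.dr.dk @ NET.DR.DK
"""

# Constructed sample for a working trust: the cross-realm TGT from AD for the
# IPA realm and the host ticket from IPA are present as well.
KLIST_WORKING = KLIST_FAILING + """\
#3>     Client: drextrha @ NET.DR.DK
        Server: krbtgt/LINUX.DR.DK @ NET.DR.DK
#4>     Client: drextrha @ NET.DR.DK
        Server: host/rhel02udv.linux.dr.dk @ LINUX.DR.DK
"""

SERVER_RE = re.compile(r"^\s*Server:\s*(\S+)\s*@\s*(\S+)", re.MULTILINE)

def parse_servers(klist_text):
    """Set of (service principal, issuing realm) pairs from klist output,
    normalised so 'krbtgt/NET.DR.DK' and 'krbtgt/net.dr.dk' compare equal."""
    return {(p.lower(), r.upper()) for p, r in SERVER_RE.findall(klist_text)}

def diagnose(klist_text, host_fqdn, ipa_realm, ad_realm):
    """Walk the ticket chain a PuTTY GSSAPI login needs and return the first
    missing link as a short code, or None when the chain is complete."""
    servers = parse_servers(klist_text)
    ad_tgt = ("krbtgt/" + ad_realm.lower(), ad_realm.upper())
    cross_realm = ("krbtgt/" + ipa_realm.lower(), ad_realm.upper())
    host_ticket = ("host/" + host_fqdn.lower(), ipa_realm.upper())
    if ad_tgt not in servers:
        return "missing-ad-tgt"          # Windows logon has no Kerberos creds at all
    if cross_realm not in servers:
        # The state behind PuTTY's "The target was not recognized": the AD KDC
        # has no name suffix routing entry for the IPA domain, so it never
        # issues krbtgt/IPA.REALM@AD.REALM and cannot refer the client to IPA.
        return "missing-cross-realm-tgt"
    if host_ticket not in servers:
        # AD referred the client to IPA but IPA issued no host ticket: check
        # sshd GSSAPI debug logs and the host keytab on the Linux client.
        return "missing-host-ticket"
    return None

if __name__ == "__main__":
    for name, dump in (("failing", KLIST_FAILING), ("working", KLIST_WORKING)):
        print(name, diagnose(dump, "rhel02udv.linux.dr.dk", "LINUX.DR.DK", "NET.DR.DK"))
```

On a real client, paste the output of `klist` from the Windows command prompt into `diagnose()` after the PuTTY attempt, since the cross-realm and host tickets are only requested when the GSSAPI exchange gets that far.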


Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust

2016-09-07 Thread Alexander Bokovoy

On Wed, 07 Sep 2016, Troels Hansen wrote:

> Running RHEL 7.2, IPA 4.2 and SSSD 1.13, we have set up an IPA-AD trust
> and trying to get Putty GSSAPI login to work.  In Putty GSSAPI has
> been enabled, and GSSAPI is enabled in sshd.
>
> Logging in using password from Windows to Linux works, and logging in
> from Linux to Linux using kerberos works.
>
> AD trust is as follows:
>
> # ipa trust-find
>
> 2 trusts matched
>
> Realm name: net.dr.dk
> Domain NetBIOS name: NET
> Domain Security Identifier: S-1-5-21-x--
>
> Realm name: place.dr.dk
> Domain NetBIOS name: PLACE
> Domain Security Identifier: S-1-5-21-xx-xx-xxx
> Trust type: Active Directory domain
>
> Number of entries returned 2
>
>
> # ipa trust-show place.dr.dk
> Realm name: place.dr.dk
> Domain NetBIOS name: PLACE
> Domain Security Identifier: S-1-5-21---x
> Trust direction: Trusting forest
> Trust type: Active Directory domain
>
> # ipa trust-show net.dr.dk
> Realm name: net.dr.dk
> Domain NetBIOS name: NET
> Domain Security Identifier: S-1-5-21-x--xx
>
> users are located in net.dr.dk.
>
> From looking at the docs this should just work... However, can't get
> it to work. Am I missing something?

Make screenshots of PuTTY screens showing what you configured and what
does not work. You can also ask PuTTY to generate logs.

--
/ Alexander Bokovoy
