Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust
On Wed, 07 Sep 2016, Troels Hansen wrote:
> ----- On Sep 7, 2016, at 10:36 AM, Alexander Bokovoy aboko...@redhat.com wrote:
>
>> How exactly did you establish the trust? I see you have one-way trust
>> but did you establish it with AD admin credentials or using a shared
>> secret? If the latter, it is a known issue that AD does not activate the
>> trust for the shared secret one-way case and the aforementioned bug prevents us
>> from validating the trust afterwards.
>
> Not quite sure actually. I can remember we tried using shared secret but
> not sure if we got it to work or if we fell back to user and password
> (bash history on IPA server expired).
There are two solutions here: use admin credentials to establish one-way
trust or use two-way trust (whether with shared secret or admin
credentials).

You can re-establish trust. It will drop the trusted domain objects on
both sides and re-create them, but the rest will be kept intact on IPA
side, so it could be used to repair such cases.
-- 
/ Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust
----- On Sep 7, 2016, at 10:31 AM, Sumit Bose sb...@redhat.com wrote:

> So I guess there is no cross-realm ticket either, i.e.
> krbtgt/IPA.DOMAIN@AD.DOMAIN. Can you check on AD if the IPA DNS domain
> is listed in the 'Name Suffix Routing' tab in the trust properties of
> the IPA domain? Additionally please check if the DNS SRV records like
> e.g. _kerberos._udp.ipa.domain can be resolved on the AD side.

No, no cross-realm tickets on the Windows client. It's a one-way trust, if
that makes a difference?

DNS is working. DNS config is only done on the AD side, so IPA DNS config
is done there and Linux clients are configured to use AD as DNS.

Alexander just wrote that if we had used a shared secret to create the
trust the routing is missing and can't be fetched afterwards.
Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust
----- On Sep 7, 2016, at 10:36 AM, Alexander Bokovoy aboko...@redhat.com wrote:

> How exactly did you establish the trust? I see you have one-way trust
> but did you establish it with AD admin credentials or using a shared
> secret? If the latter, it is a known issue that AD does not activate the
> trust for the shared secret one-way case and the aforementioned bug prevents us
> from validating the trust afterwards.

Not quite sure actually. I can remember we tried using shared secret but
not sure if we got it to work or if we fell back to user and password
(bash history on IPA server expired).
Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust
On Wed, 07 Sep 2016, Troels Hansen wrote:
> ----- On Sep 7, 2016, at 9:55 AM, Alexander Bokovoy aboko...@redhat.com wrote:
>
>> "Target was not recognized" means AD DC doesn't know that
>> rhel02edv.linux.dr.dk belongs to LINUX.DR.DK realm and thus has to
>> forward the authentication requests there.
>>
>> What do you have in the trust properties on AD side? Specifically, what
>> does name routing suffixes show there?
>
> Yes, it's correct, there is no routing configured.
> I can't seem to be able to add it manually, and auto refresh doesn't work:
> https://fedorahosted.org/freeipa/ticket/5683
How exactly did you establish the trust? I see you have one-way trust
but did you establish it with AD admin credentials or using a shared
secret? If the latter, it is a known issue that AD does not activate the
trust for the shared secret one-way case and the aforementioned bug prevents us
from validating the trust afterwards.
-- 
/ Alexander Bokovoy
Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust
On Wed, Sep 07, 2016 at 09:55:45AM +0200, Troels Hansen wrote:
> 
> ----- On Sep 7, 2016, at 9:43 AM, Sumit Bose sb...@redhat.com wrote:
> 
> > Additionally please check the klist output on the Windows client. It
> > should show the host principal of the Linux client
> > (host/client.ipa.domain@IPA.DOMAIN). If the principal is there the sshd
> > logs on the Linux client with a high debug level might also have some
> > hints why GSSAPI authentication failed.
> 
> Hmm, no host tickets. Only krbtgt for the domain and LDAP and CIFS principal
> for the DCs

So I guess there is no cross-realm ticket either, i.e.
krbtgt/IPA.DOMAIN@AD.DOMAIN. Can you check on AD if the IPA DNS domain
is listed in the 'Name Suffix Routing' tab in the trust properties of
the IPA domain? Additionally please check if the DNS SRV records like
e.g. _kerberos._udp.ipa.domain can be resolved on the AD side.

HTH

bye,
Sumit
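As an added diagnostic, not from the thread or from FreeIPA itself: a small Python parser over Windows `klist` output that checks for the two tickets Sumit asks about, the cross-realm TGT (krbtgt/IPA.REALM@AD.REALM) and the host ticket for the Linux client, and maps their absence to the checks named in this thread (Name Suffix Routing, IPA SRV records in AD DNS, sshd logs). The `klist` line layout is assumed, the two ticket caches are constructed samples, and dc01.net.dr.dk is a placeholder DC name.

```python
import re

# "Server:" line of Windows klist output (layout assumed, not taken from the thread).
SERVER_RE = re.compile(r"Server:\s*(?P<service>\S+?)\s*@\s*(?P<realm>\S+)")

# Constructed sample matching what the poster saw: only the AD TGT plus LDAP
# and CIFS tickets for the DC, no cross-realm TGT and no host ticket.
KLIST_NO_REFERRAL = """\
#0>     Client: drextrha @ NET.DR.DK
        Server: krbtgt/NET.DR.DK @ NET.DR.DK
#1>     Client: drextrha @ NET.DR.DK
        Server: ldap/dc01.net.dr.dk @ NET.DR.DK
#2>     Client: drextrha @ NET.DR.DK
        Server: cifs/dc01.net.dr.dk @ NET.DR.DK
"""

# Constructed sample of a working trust: AD issued a cross-realm TGT for the
# IPA realm and the IPA KDC then issued the host ticket for the Linux client.
KLIST_OK = KLIST_NO_REFERRAL + """\
#3>     Client: drextrha @ NET.DR.DK
        Server: krbtgt/LINUX.DR.DK @ NET.DR.DK
#4>     Client: drextrha @ NET.DR.DK
        Server: host/rhel02udv.linux.dr.dk @ LINUX.DR.DK
"""


def parse_servers(klist_text):
    """Return the set of service principals ('svc/name@REALM') in the cache."""
    return {f"{m['service']}@{m['realm'].upper()}" for m in SERVER_RE.finditer(klist_text)}


def diagnose(klist_text, ad_realm, ipa_realm, linux_host):
    """Check for the two tickets a Windows user needs to GSSAPI-SSH into an IPA
    client across the trust and report which stage of the referral chain failed."""
    have = parse_servers(klist_text)
    cross_realm = f"krbtgt/{ipa_realm.upper()}@{ad_realm.upper()}" in have
    host_ticket = f"host/{linux_host.lower()}@{ipa_realm.upper()}" in have
    if not cross_realm:
        verdict = ("AD KDC never referred the client to the IPA realm: check Name "
                   "Suffix Routing on the trust and the IPA SRV records in AD DNS")
    elif not host_ticket:
        verdict = "cross-realm TGT present but no host ticket: check the IPA KDC and sshd logs"
    else:
        verdict = "both tickets present: check the sshd GSSAPI configuration on the Linux client"
    return {"cross_realm_tgt": cross_realm, "host_ticket": host_ticket, "verdict": verdict}
```

Paste the real `klist` output into `diagnose` with your own AD realm, IPA realm and client host name; the host name and realm comparison is case-insensitive.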
Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust
----- On Sep 7, 2016, at 10:17 AM, Troels Hansen t...@casalogic.dk wrote:

> Yes, it's correct, there is no routing configured.
> I can't seem to be able to add it manually, and auto refresh doesn't work:
> https://fedorahosted.org/freeipa/ticket/5683

According to the docs it should work?
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/creating-trusts.html#pic.trust-refresh-routing
Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust
----- On Sep 7, 2016, at 9:55 AM, Alexander Bokovoy aboko...@redhat.com wrote:

> "Target was not recognized" means AD DC doesn't know that
> rhel02edv.linux.dr.dk belongs to LINUX.DR.DK realm and thus has to
> forward the authentication requests there.
>
> What do you have in the trust properties on AD side? Specifically, what
> does name routing suffixes show there?

Yes, it's correct, there is no routing configured.
I can't seem to be able to add it manually, and auto refresh doesn't work:
https://fedorahosted.org/freeipa/ticket/5683

??
Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust
On Wed, 07 Sep 2016, Troels Hansen wrote:
> When logging in, putty only shows:
>
> Using username "drext...@net.dr.dk".
> drext...@net.dr.dk@rhel02udv.linux.dr.dk's password:
>
> Putty log shows it's only using SSPI, secur32.dll for GSSAPI, but fails:
>
> Event Log: Using SSPI from SECUR32.DLL
> Event Log: Attempting GSSAPI authentication
> Outgoing packet #0x6, type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST)
>   0000  00 00 00 12 64 72 65 78 74 72 68 61 40 6e 65 74  drextrha@net
>   0010  2e 64 72 2e 64 6b 00 00 00 0e 73 73 68 2d 63 6f  .dr.dkssh-co
>   0020  6e 6e 65 63 74 69 6f 6e 00 00 00 0f 67 73 73 61  nnectiongssa
>   0030  70 69 2d 77 69 74 68 2d 6d 69 63 00 00 00 01 00  pi-with-mic.
>   0040  00 00 0b 06 09 2a 86 48 86 f7 12 01 02 02        .*.H..
> Incoming packet #0x6, type 60 / 0x3c (SSH2_MSG_USERAUTH_GSSAPI_RESPONSE)
>   0000  00 00 00 0b 06 09 2a 86 48 86 f7 12 01 02 02     ..*.H..
> Event Log: GSSAPI authentication initialisation failed
> Event Log: The target was not recognized.
"Target was not recognized" means AD DC doesn't know that
rhel02edv.linux.dr.dk belongs to LINUX.DR.DK realm and thus has to
forward the authentication requests there.

What do you have in the trust properties on AD side? Specifically, what
does name routing suffixes show there?

> ----- On Sep 7, 2016, at 9:27 AM, Alexander Bokovoy wrote:
>> On Wed, 07 Sep 2016, Troels Hansen wrote:
>>> Running RHEL 7.2, IPA 4.2 and SSSD 1.13, we have set up an IPA-AD trust
>>> and are trying to get PuTTY GSSAPI login to work. In PuTTY GSSAPI has
>>> been enabled, and GSSAPI is enabled in sshd.
>>>
>>> Logging in using password from Windows to Linux works, and logging in
>>> from Linux to Linux using Kerberos works.
>>>
>>> AD trust is as follows:
>>>
>>> # ipa trust-find
>>>
>>> 2 trusts matched
>>>
>>>   Realm name: net.dr.dk
>>>   Domain NetBIOS name: NET
>>>   Domain Security Identifier: S-1-5-21-x--
>>>
>>>   Realm name: place.dr.dk
>>>   Domain NetBIOS name: PLACE
>>>   Domain Security Identifier: S-1-5-21-xx-xx-xxx
>>>   Trust type: Active Directory domain
>>>
>>> Number of entries returned 2
>>>
>>> # ipa trust-show place.dr.dk
>>>   Realm name: place.dr.dk
>>>   Domain NetBIOS name: PLACE
>>>   Domain Security Identifier: S-1-5-21---x
>>>   Trust direction: Trusting forest
>>>   Trust type: Active Directory domain
>>>
>>> # ipa trust-show net.dr.dk
>>>   Realm name: net.dr.dk
>>>   Domain NetBIOS name: NET
>>>   Domain Security Identifier: S-1-5-21-x--xx
>>>
>>> users are located in net.dr.dk.
>>>
>>> From looking at the docs this should just work... However, can't get
>>> it to work. Am I missing something?
>> Make screenshots of PuTTY screens showing what you configured and what
>> does not work. You can also ask PuTTY to generate logs.
>> -- 
>> / Alexander Bokovoy
-- 
/ Alexander Bokovoy
Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust
----- On Sep 7, 2016, at 9:43 AM, Sumit Bose sb...@redhat.com wrote:

> Additionally please check the klist output on the Windows client. It
> should show the host principal of the Linux client
> (host/client.ipa.domain@IPA.DOMAIN). If the principal is there the sshd
> logs on the Linux client with a high debug level might also have some
> hints why GSSAPI authentication failed.

Hmm, no host tickets. Only krbtgt for the domain and LDAP and CIFS principal
for the DCs
Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust
When logging in, putty only shows:

Using username "drext...@net.dr.dk".
drext...@net.dr.dk@rhel02udv.linux.dr.dk's password:

Putty log shows it's only using SSPI, secur32.dll for GSSAPI, but fails:

Event Log: Using SSPI from SECUR32.DLL
Event Log: Attempting GSSAPI authentication
Outgoing packet #0x6, type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST)
  0000  00 00 00 12 64 72 65 78 74 72 68 61 40 6e 65 74  drextrha@net
  0010  2e 64 72 2e 64 6b 00 00 00 0e 73 73 68 2d 63 6f  .dr.dkssh-co
  0020  6e 6e 65 63 74 69 6f 6e 00 00 00 0f 67 73 73 61  nnectiongssa
  0030  70 69 2d 77 69 74 68 2d 6d 69 63 00 00 00 01 00  pi-with-mic.
  0040  00 00 0b 06 09 2a 86 48 86 f7 12 01 02 02        .*.H..
Incoming packet #0x6, type 60 / 0x3c (SSH2_MSG_USERAUTH_GSSAPI_RESPONSE)
  0000  00 00 00 0b 06 09 2a 86 48 86 f7 12 01 02 02     ..*.H..
Event Log: GSSAPI authentication initialisation failed
Event Log: The target was not recognized.

----- On Sep 7, 2016, at 9:27 AM, Alexander Bokovoy wrote:

> On Wed, 07 Sep 2016, Troels Hansen wrote:
>> Running RHEL 7.2, IPA 4.2 and SSSD 1.13, we have set up an IPA-AD trust
>> and are trying to get PuTTY GSSAPI login to work. In PuTTY GSSAPI has
>> been enabled, and GSSAPI is enabled in sshd.
>>
>> Logging in using password from Windows to Linux works, and logging in
>> from Linux to Linux using Kerberos works.
>>
>> AD trust is as follows:
>>
>> # ipa trust-find
>>
>> 2 trusts matched
>>
>>   Realm name: net.dr.dk
>>   Domain NetBIOS name: NET
>>   Domain Security Identifier: S-1-5-21-x--
>>
>>   Realm name: place.dr.dk
>>   Domain NetBIOS name: PLACE
>>   Domain Security Identifier: S-1-5-21-xx-xx-xxx
>>   Trust type: Active Directory domain
>>
>> Number of entries returned 2
>>
>> # ipa trust-show place.dr.dk
>>   Realm name: place.dr.dk
>>   Domain NetBIOS name: PLACE
>>   Domain Security Identifier: S-1-5-21---x
>>   Trust direction: Trusting forest
>>   Trust type: Active Directory domain
>>
>> # ipa trust-show net.dr.dk
>>   Realm name: net.dr.dk
>>   Domain NetBIOS name: NET
>>   Domain Security Identifier: S-1-5-21-x--xx
>>
>> users are located in net.dr.dk.
>>
>>> From looking at the docs this should just work... However, can't get
>>> it to work. Am I missing something?
> Make screenshots of PuTTY screens showing what you configured and what
> does not work. You can also ask PuTTY to generate logs.
> -- 
> / Alexander Bokovoy

-- 
Best regards

Troels Hansen
Systems Consultant
Casalogic A/S
T (+45) 70 20 10 63
M (+45) 22 43 71 57
Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust
On Wed, Sep 07, 2016 at 10:27:17AM +0300, Alexander Bokovoy wrote:
> On Wed, 07 Sep 2016, Troels Hansen wrote:
> > Running RHEL 7.2, IPA 4.2 and SSSD 1.13, we have set up an IPA-AD trust
> > and are trying to get PuTTY GSSAPI login to work. In PuTTY GSSAPI has
> > been enabled, and GSSAPI is enabled in sshd.
> > 
> > Logging in using password from Windows to Linux works, and logging in
> > from Linux to Linux using Kerberos works.
> > 
> > AD trust is as follows:
> > 
> > # ipa trust-find
> > 
> > 2 trusts matched
> > 
> >   Realm name: net.dr.dk
> >   Domain NetBIOS name: NET
> >   Domain Security Identifier: S-1-5-21-x--
> > 
> >   Realm name: place.dr.dk
> >   Domain NetBIOS name: PLACE
> >   Domain Security Identifier: S-1-5-21-xx-xx-xxx
> >   Trust type: Active Directory domain
> > 
> > Number of entries returned 2
> > 
> > # ipa trust-show place.dr.dk
> >   Realm name: place.dr.dk
> >   Domain NetBIOS name: PLACE
> >   Domain Security Identifier: S-1-5-21---x
> >   Trust direction: Trusting forest
> >   Trust type: Active Directory domain
> > 
> > # ipa trust-show net.dr.dk
> >   Realm name: net.dr.dk
> >   Domain NetBIOS name: NET
> >   Domain Security Identifier: S-1-5-21-x--xx
> > 
> > users are located in net.dr.dk.
> > 
> > > From looking at the docs this should just work... However, can't get
> > > it to work. Am I missing something?
> Make screenshots of PuTTY screens showing what you configured and what
> does not work. You can also ask PuTTY to generate logs.

Additionally please check the klist output on the Windows client. It
should show the host principal of the Linux client
(host/client.ipa.domain@IPA.DOMAIN). If the principal is there the sshd
logs on the Linux client with a high debug level might also have some
hints why GSSAPI authentication failed.

HTH

bye,
Sumit

> 
> -- 
> / Alexander Bokovoy
Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust
On Wed, 07 Sep 2016, Troels Hansen wrote:
> Running RHEL 7.2, IPA 4.2 and SSSD 1.13, we have set up an IPA-AD trust
> and are trying to get PuTTY GSSAPI login to work. In PuTTY GSSAPI has
> been enabled, and GSSAPI is enabled in sshd.
>
> Logging in using password from Windows to Linux works, and logging in
> from Linux to Linux using Kerberos works.
>
> AD trust is as follows:
>
> # ipa trust-find
>
> 2 trusts matched
>
>   Realm name: net.dr.dk
>   Domain NetBIOS name: NET
>   Domain Security Identifier: S-1-5-21-x--
>
>   Realm name: place.dr.dk
>   Domain NetBIOS name: PLACE
>   Domain Security Identifier: S-1-5-21-xx-xx-xxx
>   Trust type: Active Directory domain
>
> Number of entries returned 2
>
> # ipa trust-show place.dr.dk
>   Realm name: place.dr.dk
>   Domain NetBIOS name: PLACE
>   Domain Security Identifier: S-1-5-21---x
>   Trust direction: Trusting forest
>   Trust type: Active Directory domain
>
> # ipa trust-show net.dr.dk
>   Realm name: net.dr.dk
>   Domain NetBIOS name: NET
>   Domain Security Identifier: S-1-5-21-x--xx
>
> users are located in net.dr.dk.
>
> From looking at the docs this should just work... However, can't get
> it to work. Am I missing something?
Make screenshots of PuTTY screens showing what you configured and what
does not work. You can also ask PuTTY to generate logs.
-- 
/ Alexander Bokovoy