Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-14 Thread Morgan Marodin
Now it is working, with the same configuration ...
Could it be possible that there is some delay on the trust if the AD group was a new one?

Thanks, Morgan

2015-09-14 11:35 GMT+02:00 Sumit Bose :

> On Mon, Sep 14, 2015 at 11:16:57AM +0200, Morgan Marodin wrote:
> > Ok, but now I've another problem :)
> >
> > If I disable the default allow_all HBAC rule, creating one custom HBAC rule
> > that enables ad_admins to access any host and any service, Kerberos ticket via
> > ssh does not work.
> > Username/password authentication with the same custom HBAC rules works.
> >
> > SSH logs with kerberos authentication:
> > Sep 14 11:04:43 ipa-client01 sshd[1728]: Authorized to
> > administra...@mydomain.com, krb5 principal administra...@mydomain.com
> > (krb5_kuserok)
> > Sep 14 11:04:43 ipa-client01 sshd[1728]: pam_sss(sshd:account): Access
> > denied for user administra...@mydomain.com: 6 (Permission denied)
> > Sep 14 11:04:43 ipa-client01 sshd[1729]: fatal: Access denied for user
> > administra...@mydomain.com by PAM account configuration
> >
> > SSH logs with username/password authentication:
> > Sep 14 11:10:30 ipa-client01 sshd[1766]: pam_unix(sshd:auth):
> > authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> > rhost=192.168.0.252  user=administra...@mydomain.com
> > Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_sss(sshd:auth): authentication
> > success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=
> > administra...@mydomain.com
> > Sep 14 11:10:31 ipa-client01 sshd[1766]: Accepted password for
> > administra...@mydomain.com from 192.168.0.252 port 49590 ssh2
> > Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_unix(sshd:session): session
> > opened for user administra...@mydomain.com by (uid=0)
> >
> > If I enable the allow_all HBAC rule, Kerberos authentication works.
> > Maybe there is something else to configure?
>
> No, the HBAC result should not change depending on the authentication
> method. Can you send me the SSSD logs with a high debug level (10) for
> both cases? If you prefer, you can send them to me directly.
>
> bye,
> Sumit


-- 
Morgan Marodin
email: mor...@marodin.it
mobile: +39.3477829069
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-14 Thread Sumit Bose
On Mon, Sep 14, 2015 at 11:16:57AM +0200, Morgan Marodin wrote:
> Ok, but now I've another problem :)
> 
> If I disable the default allow_all HBAC rule, creating one custom HBAC rule
> that enables ad_admins to access any host and any service, Kerberos ticket via
> ssh does not work.
> Username/password authentication with the same custom HBAC rules works.
> 
> SSH logs with kerberos authentication:
> Sep 14 11:04:43 ipa-client01 sshd[1728]: Authorized to
> administra...@mydomain.com, krb5 principal administra...@mydomain.com
> (krb5_kuserok)
> Sep 14 11:04:43 ipa-client01 sshd[1728]: pam_sss(sshd:account): Access
> denied for user administra...@mydomain.com: 6 (Permission denied)
> Sep 14 11:04:43 ipa-client01 sshd[1729]: fatal: Access denied for user
> administra...@mydomain.com by PAM account configuration
> 
> SSH logs with username/password authentication:
> Sep 14 11:10:30 ipa-client01 sshd[1766]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=192.168.0.252  user=administra...@mydomain.com
> Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_sss(sshd:auth): authentication
> success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=
> administra...@mydomain.com
> Sep 14 11:10:31 ipa-client01 sshd[1766]: Accepted password for
> administra...@mydomain.com from 192.168.0.252 port 49590 ssh2
> Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_unix(sshd:session): session
> opened for user administra...@mydomain.com by (uid=0)
> 
> If I enable the allow_all HBAC rule, Kerberos authentication works.
> Maybe there is something else to configure?

No, the HBAC result should not change depending on the authentication
method. Can you send me the SSSD logs with a high debug level (10) for
both cases? If you prefer, you can send them to me directly.

bye,
Sumit

> 
> Thanks, Morgan


Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-14 Thread Morgan Marodin
Ok, but now I've another problem :)

If I disable the default allow_all HBAC rule, creating one custom HBAC rule
that enables ad_admins to access any host and any service, Kerberos ticket via
ssh does not work.
Username/password authentication with the same custom HBAC rules works.

SSH logs with kerberos authentication:
Sep 14 11:04:43 ipa-client01 sshd[1728]: Authorized to
administra...@mydomain.com, krb5 principal administra...@mydomain.com
(krb5_kuserok)
Sep 14 11:04:43 ipa-client01 sshd[1728]: pam_sss(sshd:account): Access
denied for user administra...@mydomain.com: 6 (Permission denied)
Sep 14 11:04:43 ipa-client01 sshd[1729]: fatal: Access denied for user
administra...@mydomain.com by PAM account configuration

SSH logs with username/password authentication:
Sep 14 11:10:30 ipa-client01 sshd[1766]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=192.168.0.252  user=administra...@mydomain.com
Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_sss(sshd:auth): authentication
success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=
administra...@mydomain.com
Sep 14 11:10:31 ipa-client01 sshd[1766]: Accepted password for
administra...@mydomain.com from 192.168.0.252 port 49590 ssh2
Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_unix(sshd:session): session
opened for user administra...@mydomain.com by (uid=0)

If I enable the allow_all HBAC rule, Kerberos authentication works.
Maybe there is something else to configure?

Thanks, Morgan

2015-09-14 9:48 GMT+02:00 Alexander Bokovoy :

> On Mon, 14 Sep 2015, Morgan Marodin wrote:
>
>> The Pro edition.
>>
>> I've solved my connection problem, I have to specify manually the
>> username (
>> name.surname@ad_domain.com) with Microsoft SSPI.
>> In this mode it is ok, but using PuTTY "Use system username" does not work for
>> me.
>>
>>
>> I don't know why :)
>>
> A problem is in the fact that when you use PuTTY's 'use system
> username', it only provides an unqualified name there, e.g.
> Administrator, not AD\Administrator or administra...@ad.test. On the IPA
> client side AD users are fully qualified and thus the user you are trying
> to log in as (Administrator) is not the same as the user you are
> (adminsitra...@ad.test).
> --
> / Alexander Bokovoy
>




Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-14 Thread Alexander Bokovoy

On Mon, 14 Sep 2015, Morgan Marodin wrote:

> The Pro edition.
>
> I've solved my connection problem, I have to specify the username manually
> (name.surname@ad_domain.com) with Microsoft SSPI.
> In this mode it is ok, but using PuTTY "Use system username" does not work for
> me.
>
> I don't know why :)

A problem is in the fact that when you use PuTTY's 'use system
username', it only provides an unqualified name there, e.g.
Administrator, not AD\Administrator or administra...@ad.test. On the IPA
client side AD users are fully qualified and thus the user you are trying
to log in as (Administrator) is not the same as the user you are
(adminsitra...@ad.test).
--
/ Alexander Bokovoy



Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-14 Thread Sumit Bose
On Mon, Sep 14, 2015 at 09:24:15AM +0200, Morgan Marodin wrote:
> The Pro edition.
> 
> I've solved my connection problem, I have to specify the username manually
> (name.surname@ad_domain.com) with Microsoft SSPI.
> In this mode it is ok, but using PuTTY "Use system username" does not work for
> me.

IIRC PuTTY strips the domain part '@ad_domain.com' here and only uses
'name.surname' to log into a client. Since by default we require a
fully-qualified name, which includes the domain part, to avoid ambiguity,
the login fails.

HTH

bye,
Sumit

> 
> 
> I don't know why :)
> Bye, Morgan
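Both failure modes discussed in this thread leave distinct traces in sshd's log: a Kerberos login that passes krb5_kuserok and is then refused by pam_sss in the account phase failed HBAC, not authentication, while PuTTY's unqualified "Use system username" sends a name that never resolves on the IPA client. The Python triage helper below is an added example, not code from the thread or from FreeIPA/SSSD; its log lines, host, user names and address are constructed to mirror the ones quoted above, and the "Invalid user" line (not in the thread) is assumed to be the message sshd logs when the requested account does not exist on the host.

```python
import re

# Constructed sample of the sshd/PAM messages quoted in the thread; the host,
# user names and address are placeholders, not the poster's real values.
SAMPLE_LOG = """\
Sep 14 11:04:43 ipa-client01 sshd[1728]: Authorized to administrator@ad.example.com, krb5 principal administrator@ad.example.com (krb5_kuserok)
Sep 14 11:04:43 ipa-client01 sshd[1728]: pam_sss(sshd:account): Access denied for user administrator@ad.example.com: 6 (Permission denied)
Sep 14 11:08:02 ipa-client01 sshd[1750]: Invalid user Administrator from 192.0.2.52
Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.52 user=jane.doe@ad.example.com
Sep 14 11:10:31 ipa-client01 sshd[1766]: Accepted password for jane.doe@ad.example.com from 192.0.2.52 port 49590 ssh2
Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_unix(sshd:session): session opened for user jane.doe@ad.example.com by (uid=0)
""".splitlines()

# One pattern per message that matters for the diagnosis; the literal after
# each (\S+) keeps the trailing ',' or ':' out of the captured user name.
AUTHZ_KRB = re.compile(r"Authorized to (\S+), krb5 principal (\S+) \(krb5_kuserok\)")
ACCT_DENY = re.compile(r"pam_sss\(sshd:account\): Access denied for user (\S+):")
PW_OK = re.compile(r"Accepted password for (\S+) from (\S+)")
SESSION = re.compile(r"pam_unix\(sshd:session\): session opened for user (\S+)")
INVALID = re.compile(r"Invalid user (\S+) from (\S+)")


def classify_attempts(lines):
    """Correlate sshd lines per requested user and return {user: verdict}.
    Authorised by krb5_kuserok but denied in the PAM account phase means HBAC
    (pam_sss) refused the login, not the credentials; a bare name without
    '@realm' never resolved, which is what PuTTY's 'system username' sends."""
    state = {}
    for line in lines:
        if m := AUTHZ_KRB.search(line):
            state.setdefault(m.group(1), {})["method"] = "gssapi/krb5 " + m.group(2)
        elif m := ACCT_DENY.search(line):
            state.setdefault(m.group(1), {})["account_denied"] = True
        elif m := PW_OK.search(line):
            state.setdefault(m.group(1), {})["method"] = "password from " + m.group(2)
        elif m := SESSION.search(line):
            state.setdefault(m.group(1), {})["session"] = True
        elif m := INVALID.search(line):
            state.setdefault(m.group(1), {})["invalid"] = True
    verdicts = {}
    for user, s in state.items():
        if s.get("invalid") and "@" not in user:
            verdicts[user] = "UNKNOWN USER: unqualified name, trusted AD users are user@REALM"
        elif s.get("account_denied"):
            verdicts[user] = "AUTH OK, ACCOUNT DENIED (%s): check HBAC rules, not credentials" % s.get("method")
        elif s.get("session"):
            verdicts[user] = "LOGIN OK (%s)" % s.get("method")
        else:
            verdicts[user] = "INCOMPLETE"
    return verdicts
```

Running it over a real /var/log/secure is the same call with the file's lines; an "AUTH OK, ACCOUNT DENIED" verdict is the cue to inspect HBAC rules rather than credentials or the trust.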


Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-14 Thread Morgan Marodin
The Pro edition.

I've solved my connection problem, I have to specify the username manually
(name.surname@ad_domain.com) with Microsoft SSPI.
In this mode it is ok, but using PuTTY "Use system username" does not work for
me.


I don't know why :)
Bye, Morgan

2015-09-11 22:24 GMT+02:00 Alexander Bokovoy :

> On Fri, 11 Sep 2015, Morgan Marodin wrote:
>
>> Hi everyone.
>>
>> I've seen these guides:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ssh.html
>>
>> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-ssh.html
>>
>> https://www.dalemacartney.com/2013/08/30/single-sign-on-sso-with-secure-shell-ssh/
>>
>> But I've not been able to access a FreeIPA client via ssh with Kerberos
>> tickets.
>> I've also tried to install MIT Kerberos on my Windows 8.1, but that doesn't
>> work either.
>>
> This is not required.
>
> Which Windows 8.1 version do you have? Is it a Pro edition (the other
> editions don't join AD)?
>
>> The target FreeIPA client is a RHEL 6.7-like distribution.
>>
>> Naturally trying with AD username (name.surn...@mydomain.com) and
>> password
>> is ok.
>>
>> Do you have any suggestions for this problem?
>>
> Enable DEBUG3 level logging in sshd_config for SSH server, attempt to
> login from Windows client and show the logs around 'userok' in the
> resulting debug output.
>
> --
> / Alexander Bokovoy
>




Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-11 Thread Alexander Bokovoy

On Fri, 11 Sep 2015, Morgan Marodin wrote:

> Hi everyone.
>
> I've seen these guides:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ssh.html
> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-ssh.html
> https://www.dalemacartney.com/2013/08/30/single-sign-on-sso-with-secure-shell-ssh/
>
> But I've not been able to access a FreeIPA client via ssh with Kerberos
> tickets.
> I've also tried to install MIT Kerberos on my Windows 8.1, but that doesn't
> work either.

This is not required.

Which Windows 8.1 version do you have? Is it a Pro edition (the other
editions don't join AD)?

> The target FreeIPA client is a RHEL 6.7-like distribution.
>
> Naturally trying with AD username (name.surn...@mydomain.com) and password
> is ok.
>
> Do you have any suggestions for this problem?

Enable DEBUG3 level logging in sshd_config for the SSH server, attempt to
log in from the Windows client and show the logs around 'userok' in the
resulting debug output.

--
/ Alexander Bokovoy



[Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-11 Thread Morgan Marodin
Hi everyone.

I've seen these guides:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ssh.html
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-ssh.html
https://www.dalemacartney.com/2013/08/30/single-sign-on-sso-with-secure-shell-ssh/

But I've not been able to access a FreeIPA client via ssh with Kerberos
tickets.
I've also tried to install MIT Kerberos on my Windows 8.1, but that doesn't
work either.

The target FreeIPA client is a RHEL 6.7-like distribution.

Naturally trying with AD username (name.surn...@mydomain.com) and password
is ok.

Do you have any suggestions for this problem?

Thanks, bye.
Morgan