Re: [Freeipa-users] AD users not getting single sign on (Solaris)
> nat...@nathanpeters.com wrote:
>> I have finally gotten all of my Solaris servers to accept AD users but the behavior is inconsistent.
>> In my FreeIPA domain, I can log in to a Linux server and then ssh to the Solaris server and I am automatically logged in because of my Kerberos ticket (I assume).
>> But when I ssh from the first Solaris machine to the 2nd I am prompted for a password instead of being automatically signed in.
>> The strange thing is that it doesn't matter which machine I log in to first, it's only the 2nd hop that asks for a password.
>> Below are my console recordings. ipaclient1 is Linux, ipaclient5 and ipaclient6 are Solaris.
>>
>> Login from Linux - Solaris 1 works without password
>> Login from Linux - Solaris 2 works without password
>> Login from Solaris 1 - Solaris 2 prompts
>> Login from Solaris 2 - Solaris 1 prompts.
>>
>> Any ideas?
>
> You log into Linux and get a TGT. Using that TGT you can log into any other box (Solaris or otherwise).
> Unless you are delegating that TGT with each ssh login you won't have one after the first login to another system, it will be used for authentication only.
> See the -K option of ssh, or GSSAPIDelegateCredentials yes in sshd.
>
> rob

Oh I see. Thank you, adding the Delegation line in my /etc/ssh/ssh_config fixed that.

Two more questions:

I seem to have to add the Delegation line in my Linux clients too. Dimitri's earlier answer seemed to indicate that the feature was automatic with the sssd but I still have to do -K or add the line to the config for it to work. Was he mistaken or was I interpreting his answer wrong?

Second question if you know... Does Solaris support host key identification the same way Linux does? I noticed that my Solaris hosts do not get SSHFP entries so I assume I could possibly manually add the host keys and SSHFP entries for it, but there is no ssh_knownwhosts proxy on Solaris, is there?
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] AD users not getting single sign on (Solaris)
On 03/20/2015 05:23 PM, nat...@nathanpeters.com wrote:
>> nat...@nathanpeters.com wrote:
>>> I have finally gotten all of my Solaris servers to accept AD users but the behavior is inconsistent.
>>> In my FreeIPA domain, I can log in to a Linux server and then ssh to the Solaris server and I am automatically logged in because of my Kerberos ticket (I assume).
>>> But when I ssh from the first Solaris machine to the 2nd I am prompted for a password instead of being automatically signed in.
>>> The strange thing is that it doesn't matter which machine I log in to first, it's only the 2nd hop that asks for a password.
>>> Below are my console recordings. ipaclient1 is Linux, ipaclient5 and ipaclient6 are Solaris.
>>>
>>> Login from Linux - Solaris 1 works without password
>>> Login from Linux - Solaris 2 works without password
>>> Login from Solaris 1 - Solaris 2 prompts
>>> Login from Solaris 2 - Solaris 1 prompts.
>>>
>>> Any ideas?
>>
>> You log into Linux and get a TGT. Using that TGT you can log into any other box (Solaris or otherwise).
>> Unless you are delegating that TGT with each ssh login you won't have one after the first login to another system, it will be used for authentication only.
>> See the -K option of ssh, or GSSAPIDelegateCredentials yes in sshd.
>>
>> rob
>
> Oh I see. Thank you, adding the Delegation line in my /etc/ssh/ssh_config fixed that.
>
> Two more questions:
>
> I seem to have to add the Delegation line in my Linux clients too. Dimitri's earlier answer seemed to indicate that the feature was automatic with the sssd but I still have to do -K or add the line to the config for it to work. Was he mistaken or was I interpreting his answer wrong?

What I meant to say is that SSSD does Kerberos by default. It does not delegate by default. So you can hop once.
On Solaris you can't hop at all because there is no Kerberos, the auth is done using LDAP.

> Second question if you know... Does Solaris support host key identification the same way Linux does?
> I noticed that my Solaris hosts do not get SSHFP entries so I assume I could possibly manually add the host keys and SSHFP entries for it, but there is no ssh_knownwhosts proxy on Solaris, is there?

I do not know.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] AD users not getting single sign on (Solaris)
On 03/19/2015 07:55 PM, nat...@nathanpeters.com wrote:
> I have finally gotten all of my Solaris servers to accept AD users but the behavior is inconsistent.
> In my FreeIPA domain, I can log in to a Linux server and then ssh to the Solaris server and I am automatically logged in because of my Kerberos ticket (I assume).
> But when I ssh from the first Solaris machine to the 2nd I am prompted for a password instead of being automatically signed in.
> The strange thing is that it doesn't matter which machine I log in to first, it's only the 2nd hop that asks for a password.
> Below are my console recordings. ipaclient1 is Linux, ipaclient5 and ipaclient6 are Solaris.
>
> Login from Linux - Solaris 1 works without password
> Login from Linux - Solaris 2 works without password
> Login from Solaris 1 - Solaris 2 prompts
> Login from Solaris 2 - Solaris 1 prompts.

Assuming that you have: IPA and AD in trust and Solaris boxes are configured against the IPA compat tree, then it would be the expected behavior.

SSO is possible only with Kerberos. Your authentication on Linux is against AD (through trust) so you get a Kerberos ticket. If you issued keytabs for your Solaris systems and configured SSH to use GSSAPI then SSH would provide SSO as you describe from Linux to Solaris. But once you log into a Solaris box you do not have a Kerberos ticket because it is an LDAP authentication.

You would ask what can be done about it? Not much. To have SSO you would need to have one of the latest Kerberos versions and something like SSSD on Solaris. It does not exist and Oracle is not eager to create one.

Bottom line... move to Linux :-)

> Any ideas?
>
> snip
> login as: nathan.peters
> nathan.peters@10.21.19.12's password:
> Last login: Thu Mar 19 16:42:27 2015 from 10.5.5.57
> [nathan.pet...@datacenter.mydomain.net@ipaclient1-sandbox-atdev-van ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_1539201103_L8tfu1
> Default principal: nathan.pet...@datacenter.mydomain.net
> Valid starting     Expires            Service principal
> 03/19/15 16:44:27  03/20/15 02:44:16  krbtgt/datacenter.mydomain@datacenter.mydomain.net
>         renew until 03/20/15 16:44:27
> [nathan.pet...@datacenter.mydomain.net@ipaclient1-sandbox-atdev-van ~]$ ssh ipaclient5-sandbox-atdev-van
> Last login: Thu Mar 19 23:43:24 2015 from 10.21.19.12
> Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
> [11:45 PM] ipaclient5-sandbox-atdev-van:~$ klist
> Ticket cache: FILE:/tmp/krb5cc_1539201103
> Default principal: nathan.pet...@datacenter.mydomain.net
> Valid starting     Expires            Service principal
> 03/19/15 23:40:06  03/20/15 09:39:23  krbtgt/datacenter.mydomain@datacenter.mydomain.net
>         renew until 03/26/15 23:40:06
> [11:45 PM] ipaclient5-sandbox-atdev-van:~$ ssh ipaclient6-sandbox-atdev-van
> Password:
> Last login: Thu Mar 19 16:40:49 2015 from ipaclient5-sand
> Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
> -bash-3.00$ klist
> klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_1539201103)
> -bash-3.00$ exit
> logout
> Connection to ipaclient6-sandbox-atdev-van closed.
> [11:48 PM] ipaclient5-sandbox-atdev-van:~$ exit
> logout
> Connection to ipaclient5-sandbox-atdev-van closed.
> [nathan.pet...@datacenter.mydomain.net@ipaclient1-sandbox-atdev-van ~]$ ssh ipaclient6-sandbox-atdev-van
> Last login: Thu Mar 19 16:45:50 2015 from ipaclient5-sand
> Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
> -bash-3.00$ klist
> klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_1539201103)
> -bash-3.00$ ssh ipaclient5-sandbox-atdev-van
> The authenticity of host 'ipaclient5-sandbox-atdev-van (10.21.19.16)' can't be established.
> RSA key fingerprint is b0:65:8d:c6:82:78:c2:7f:60:16:d0:6a:30:c0:09:a1.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added 'ipaclient5-sandbox-atdev-van,10.21.19.16' (RSA) to the list of known hosts.
> Password:
> Last login: Thu Mar 19 23:45:19 2015 from 10.21.19.12
> Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
> [11:49 PM] ipaclient5-sandbox-atdev-van:~$

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] AD users not getting single sign on (Solaris)
nat...@nathanpeters.com wrote:
> I have finally gotten all of my Solaris servers to accept AD users but the behavior is inconsistent.
> In my FreeIPA domain, I can log in to a Linux server and then ssh to the Solaris server and I am automatically logged in because of my Kerberos ticket (I assume).
> But when I ssh from the first Solaris machine to the 2nd I am prompted for a password instead of being automatically signed in.
> The strange thing is that it doesn't matter which machine I log in to first, it's only the 2nd hop that asks for a password.
> Below are my console recordings. ipaclient1 is Linux, ipaclient5 and ipaclient6 are Solaris.
>
> Login from Linux - Solaris 1 works without password
> Login from Linux - Solaris 2 works without password
> Login from Solaris 1 - Solaris 2 prompts
> Login from Solaris 2 - Solaris 1 prompts.
>
> Any ideas?

You log into Linux and get a TGT. Using that TGT you can log into any other box (Solaris or otherwise). Unless you are delegating that TGT with each ssh login you won't have one after the first login to another system, it will be used for authentication only. See the -K option of ssh, or GSSAPIDelegateCredentials yes in sshd.

rob
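The thread's diagnosis (Rob's point that the TGT is used for authentication only unless delegated, and Dmitri's that SSSD does Kerberos but not delegation) can be checked on each hop from `klist -f` output. The Python below is an added example, not code from the thread or from FreeIPA; its sample outputs are constructed to mirror the transcript's, with a placeholder realm EXAMPLE.TEST and principal alice, and it classifies why the next hop would prompt for a password.

```python
import re

# Constructed sample 'klist -f' outputs modelled on the thread's transcript.
# EXAMPLE.TEST and alice are placeholders, not values from the thread.
KLIST_FORWARDABLE = """\
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: alice@EXAMPLE.TEST

Valid starting     Expires            Service principal
03/19/15 16:44:27  03/20/15 02:44:16  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
\trenew until 03/20/15 16:44:27, Flags: FRIA
"""
KLIST_NOT_FORWARDABLE = KLIST_FORWARDABLE.replace("Flags: FRIA", "Flags: RIA")
KLIST_SERVICE_ONLY = """\
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: alice@EXAMPLE.TEST

Valid starting     Expires            Service principal
03/19/15 16:44:27  03/20/15 02:44:16  host/box.example.test@EXAMPLE.TEST
\tFlags: RIA
"""
KLIST_NO_CACHE = "klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_1001)\n"


def diagnose(klist_output: str) -> str:
    """Classify 'klist -f' output captured on an ssh target host.

    'no-cache'        - no ccache at all: the client did not delegate (no -K /
                        GSSAPIDelegateCredentials) or the login was not Kerberos
                        (the LDAP-password case on Solaris in the thread)
    'no-tgt'          - a ccache exists but holds no krbtgt for the realm, so a
                        further hop cannot authenticate with it
    'not-forwardable' - the TGT lacks the F flag; ssh cannot delegate it even
                        with -K (needs forwardable tickets from kinit/krb5.conf)
    'delegatable'     - a forwardable TGT; the next hop can receive it
    """
    lines = klist_output.splitlines()
    if any(line.startswith("klist: No credentials cache") for line in lines):
        return "no-cache"
    match = re.search(r"^Default principal: [^@\s]+@(\S+)$", klist_output, re.M)
    if match is None:
        return "no-cache"
    realm = match.group(1)
    tgt = f"krbtgt/{realm}@{realm}"
    for i, line in enumerate(lines):
        if line.rstrip().endswith(tgt):
            # MIT klist prints the flags on the continuation line after the ticket.
            window = " ".join(lines[i:i + 2])
            flags = re.search(r"Flags: (\w+)", window)
            return "delegatable" if flags and "F" in flags.group(1) else "not-forwardable"
    return "no-tgt"
```

Run it on the hop that is about to ssh onward: 'delegatable' there but a password prompt on the next hop points at the client side (no -K / GSSAPIDelegateCredentials) or at the target not accepting GSSAPI, which is the no-keytab Solaris case Dmitri describes. Because a delegated TGT hands the target host your full credentials, scope GSSAPIDelegateCredentials to specific Host stanzas rather than enabling it globally.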