Pieter,

We use GSSAPI instead of GSS-SPNEGO for ssh SSO, but it should work the
same.  This does not really involve sssd at all (for the authentication).
What happens is that your ssh daemon is Kerberos-aware.  So when it is
presented with a Kerberos ticket, the ssh daemon contacts the Kerberos
server (AD DC in our case) to verify the ticket.  If authenticated, it
allows login.  That is, it bypasses PAM for the 'authentication' phase.  It
still consults the PAM stack for the 'account' and 'session' phases, however.

Because the sshd service in this situation does not call the PAM stack for the
authentication phase, it does not consult pam_sss during the authentication
phase.  For your account phase and session phase, it will consult pam_sss,
but that doesn't involve Kerberos.

I am looking at my (Windows) PuTTY to (Linux) ssh login.  Yes, it SSO's to
Linux just fine.  But once on the Linux server, I see I don't have a
Kerberos ticket.  I've never noticed that before, as we essentially never
ssh SSO Linux to Linux.  We always run 'new session' off the existing PuTTY
session to pop to a new Linux server.

Years ago, I know we used to have a Kerberos ticket when we SSH SSO'd in,
so then we could SSO Linux to Linux.  Don't know when that disappeared.

Spike

On Sun, Mar 26, 2023 at 3:41 PM Pieter Voet <[email protected]> wrote:

> OK.. too stupid!  I forgot to clear the credentials using 'kdestroy -A'
> before retrying with PuTTY..
>
> so, the original problem is still there...  I don't get a Kerberos ticket
> if logging on to Linux from Windows using Putty.
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>