On Mon, Mar 27, 2023 at 4:02 PM Spike White <[email protected]> wrote:
> Pieter,
>
> I have Connection -> SSH -> Auth -> GSSAPI -> Allow GSSAPI
> credential delegation turned on in putty.
>
> As well as on the target Linux server, it has [libdefaults]
> forwardable = true. The error I get when I ssh in is:
>
> [admspike_white@austgcore17 ~]$ klist
> klist: Credentials cache 'KCM:2025431' not found
> [admspike_white@austgcore17 ~]$
>
> where 2025431 is my UID.

PuTTY uses the Windows Kerberos libraries, which means it obeys their
restrictions. One of those restrictions is that credentials may only be
delegated to a host whose UserAccountControl attribute (on the host's AD
user account object) has the TRUSTED_FOR_DELEGATION flag set. See:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties

If the target host does not have the TRUSTED_FOR_DELEGATION flag set on
its UserAccountControl attribute, PuTTY silently refuses to delegate
credentials.

In contrast, MIT Kerberos (which OpenSSH typically links against) is not
AD-aware, so neither ssh nor sshd pay any attention to the target host's
UserAccountControl attribute when deciding to forward (or accept
forwarded) credentials.

If you can query your AD domain, you can decipher the UserAccountControl
attribute of the target host user object. E.g.:

Not set (WORKSTATION_TRUST_ACCOUNT only):
    userAccountControl: 4096

Set (WORKSTATION_TRUST_ACCOUNT + TRUSTED_FOR_DELEGATION):
    userAccountControl: 528384

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
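The reply above says to "decipher" the host object's userAccountControl value by hand. The following is an added example for this thread, not code from PuTTY, OpenSSH, SSSD or either poster: it decodes a userAccountControl integer into its documented flag names, pulls the value out of ldapsearch-style output, and reports whether the bit the Windows Kerberos stack cares about (TRUSTED_FOR_DELEGATION, 0x80000) is set. Flag values are taken from the Microsoft page linked in the reply. The LDIF text in the block is constructed sample data; the DN, OU and DC=example,DC=com components are assumptions. A query that would produce such output on the Linux side, assuming a domain-joined host with a valid TGT, is `ldapsearch -LLL -Y GSSAPI -b "DC=example,DC=com" "(sAMAccountName=AUSTGCORE17$)" userAccountControl`.

```python
"""Decode an AD userAccountControl value and check the delegation bit.

Added example for this mailing-list thread; not code from PuTTY, OpenSSH,
SSSD or the posters. Flag values follow Microsoft's UserAccountControl
documentation. SAMPLE_HOST_LDIF below is constructed, not real directory data.
"""
import re

# Bit -> name, per Microsoft's UserAccountControl documentation.
UAC_FLAGS = {
    0x0000001: "SCRIPT",
    0x0000002: "ACCOUNTDISABLE",
    0x0000008: "HOMEDIR_REQUIRED",
    0x0000010: "LOCKOUT",
    0x0000020: "PASSWD_NOTREQD",
    0x0000040: "PASSWD_CANT_CHANGE",
    0x0000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0000100: "TEMP_DUPLICATE_ACCOUNT",
    0x0000200: "NORMAL_ACCOUNT",
    0x0000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x0001000: "WORKSTATION_TRUST_ACCOUNT",
    0x0002000: "SERVER_TRUST_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0020000: "MNS_LOGON_ACCOUNT",
    0x0040000: "SMARTCARD_REQUIRED",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x0100000: "NOT_DELEGATED",
    0x0200000: "USE_DES_KEY_ONLY",
    0x0400000: "DONT_REQ_PREAUTH",
    0x0800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

TRUSTED_FOR_DELEGATION = 0x80000   # host side: may receive forwarded TGTs
NOT_DELEGATED = 0x100000           # user side: "sensitive, cannot be delegated"

# Constructed ldapsearch-style output for the target host's computer object.
# The DN components are assumptions for the example only.
SAMPLE_HOST_LDIF = """\
dn: CN=AUSTGCORE17,OU=Servers,DC=example,DC=com
cn: AUSTGCORE17
sAMAccountName: AUSTGCORE17$
userAccountControl: 528384
"""


def decode_uac(value: int) -> list[str]:
    """Return the names of the flags set in value, lowest bit first.

    Bits without a documented name are reported as UNKNOWN_0x... rather than
    silently dropped, so an unexpected value stays visible.
    """
    names = []
    bit = 1
    while bit <= value:
        if value & bit:
            names.append(UAC_FLAGS.get(bit, f"UNKNOWN_0x{bit:x}"))
        bit <<= 1
    return names


def parse_uac(ldif: str) -> int:
    """Extract the integer userAccountControl attribute from LDIF-style text."""
    m = re.search(r"^userAccountControl:\s*(\d+)\s*$", ldif, re.MULTILINE)
    if not m:
        raise ValueError("no userAccountControl attribute in input")
    return int(m.group(1))


def host_accepts_delegation(host_uac: int) -> bool:
    """True if the host object carries TRUSTED_FOR_DELEGATION (unconstrained)."""
    return bool(host_uac & TRUSTED_FOR_DELEGATION)


def user_may_be_delegated(user_uac: int) -> bool:
    """False if the client's own account is flagged NOT_DELEGATED."""
    return not (user_uac & NOT_DELEGATED)


def verdict(host_uac: int, user_uac: int = 0x200) -> str:
    """One-line explanation of why a Windows Kerberos client would or would
    not forward the user's TGT to this host."""
    if not user_may_be_delegated(user_uac):
        return "no: client account has NOT_DELEGATED set"
    if not host_accepts_delegation(host_uac):
        return "no: host lacks TRUSTED_FOR_DELEGATION (" + ", ".join(decode_uac(host_uac)) + ")"
    return "yes: host has TRUSTED_FOR_DELEGATION (" + ", ".join(decode_uac(host_uac)) + ")"


if __name__ == "__main__":
    uac = parse_uac(SAMPLE_HOST_LDIF)
    print(uac, decode_uac(uac))
    print(verdict(uac))
    print(verdict(4096))
```

Two caveats worth keeping in mind before flipping that bit: TRUSTED_FOR_DELEGATION is unconstrained delegation, so a host that has it receives a copy of every connecting user's TGT and can use it against any service in the forest, which makes that SSH server a high-value target. Also, the check is two-sided: even with the host flagged, the Windows client will not forward the TGT of an account marked NOT_DELEGATED (or a member of Protected Users), which is exactly the control many sites put on admin accounts such as the `admspike_white` one in the thread.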
