Pieter, I was playing around with this also. I was setting TRUSTED_FOR_DELEGATION on the machine account as well, and it was accomplishing nothing.

I'm guessing it's the user's account that needs to have TRUSTED_FOR_DELEGATION, not the machine account. So when you start putty, you start it under a particular account. (I have to do a 'RunAs' to start putty under the desired account.) I think putty is looking at the userAccountControl attribute of this user account to decide whether to delegate credentials. (Also, the putty config setting "allow delegate credentials" has to be set.) My user account has userAccountControl == NORMAL_ACCOUNT.

Spike

On Tue, Mar 28, 2023 at 6:34 AM Pieter Voet <[email protected]> wrote:
> Hi James, thanks a lot for your interesting reply.
>
> In order to investigate this issue, I've set up a Windows Server 2012 evaluation copy on my Linux laptop as a VM using QEMU.
> With that, I also added two more VMs: a Windows 10 client and a Linux Fedora 37 server with sssd configured, and both VMs joined to the Active Directory domain.
>
> I now can log in to the Windows 10 VM using my AD account and password.
> Next I use Putty (with 'Allow GSSAPI Credential Delegation' enabled) to get to the Linux server, and I get logged in without specifying a password, because sshd is configured to allow GSSAPIAuthentication and detected a valid Kerberos ticket.
> And then: yesss! 'klist' showed that I have a valid Kerberos ticket!
>
> While reading your post, I looked at the Linux machine object using Adsiedit.msc...
>
> This is the userAccountControl for that server: 0x11000 = (WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWORD)
>
> Umm.. the TRUSTED_FOR_DELEGATION flag is not set, but still, Putty login gives me a TGT.
> This does not match your explanation.. Am I doing something not right?
>
> Thanks!
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
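As an added example (not from this thread, and not sssd or PuTTY code): a small Python decoder for the AD userAccountControl bitmask, so the two values being compared above (0x11000 on the Linux host's computer object, NORMAL_ACCOUNT on the user) can be read the same way for any account pulled from ADSI Edit or an LDAP search. The flag constants are Microsoft's documented values; the sample inputs and the `delegation_report` summary are the example's own. The summary only states what the bits themselves mean: NOT_DELEGATED ("account is sensitive and cannot be delegated") on the user stops the KDC from issuing forwardable tickets for that user, and TRUSTED_FOR_DELEGATION on a computer or service account is unconstrained delegation, which an auditor normally wants to flag.

```python
"""Decode userAccountControl and summarise the delegation-relevant bits.

Added example; the flag table is Microsoft's documented constant list,
the sample values at the bottom are constructed from the mailing-list thread.
"""

UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}
NAME_TO_BIT = {name: bit for bit, name in UAC_FLAGS.items()}


def decode_uac(value: int) -> list:
    """Return the flag names set in `value`, lowest bit first.
    Bits without a documented name are reported as UNKNOWN_0x... so an
    odd value is never silently dropped."""
    names = []
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            names.append(UAC_FLAGS.get(mask, "UNKNOWN_0x%08X" % mask))
    return names


def parse_uac(text: str) -> int:
    """Accept the forms seen in tools and in this thread: a hex literal
    ("0x11000"), a decimal attribute value ("69632"), or a pipe-separated
    list of flag names ("WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWORD")."""
    text = text.strip()
    if text.lower().startswith("0x"):
        return int(text, 16)
    if text.isdigit():
        return int(text, 10)
    value = 0
    for token in text.split("|"):
        name = token.strip()
        if name not in NAME_TO_BIT:
            raise ValueError("unknown userAccountControl flag: %r" % name)
        value |= NAME_TO_BIT[name]
    return value


def delegation_report(user_uac: int, service_uac: int) -> dict:
    """Summarise what the two account objects say about credential delegation.
    user_uac is the account PuTTY runs as; service_uac is the computer or
    service account that the SSH host key/SPN belongs to."""
    user_flags = set(decode_uac(user_uac))
    service_flags = set(decode_uac(service_uac))
    findings = []
    if "NOT_DELEGATED" in user_flags:
        findings.append("user is marked sensitive (NOT_DELEGATED); KDC will not issue forwardable tickets")
    if "TRUSTED_FOR_DELEGATION" in service_flags:
        findings.append("service account has unconstrained delegation (TRUSTED_FOR_DELEGATION); review whether constrained delegation would do")
    if "TRUSTED_TO_AUTH_FOR_DELEGATION" in service_flags:
        findings.append("service account allows protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION)")
    return {
        "user_flags": sorted(user_flags),
        "service_flags": sorted(service_flags),
        "user_forwardable": "NOT_DELEGATED" not in user_flags,
        "service_unconstrained": "TRUSTED_FOR_DELEGATION" in service_flags,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed from the thread: Linux host object 0x11000, user NORMAL_ACCOUNT.
    host = parse_uac("0x11000")
    user = parse_uac("NORMAL_ACCOUNT")
    print("host  :", decode_uac(host))
    print("user  :", decode_uac(user))
    for key, val in delegation_report(user, host).items():
        print("%-22s %s" % (key, val))
```

Run it as-is to see the thread's two values decoded; feed `parse_uac` the raw decimal from an `ldapsearch` or `Get-ADComputer -Properties userAccountControl` result to audit other objects. Note that the report is deliberately limited to what the flags state; whether a given SSH client actually forwards a TGT also depends on its own configuration (the PuTTY "Allow GSSAPI credential delegation" checkbox mentioned above), which no AD attribute can tell you.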
