Pieter,

Never mind. I am wrong. I restarted sssd and waited for AD replication. Setting TRUSTED_FOR_DELEGATION on the machine account is sufficient.

I now get a Kerberos cred when I SSH SSO (via Putty) onto the Linux server.

Spike

On Tue, Mar 28, 2023 at 3:06 PM Spike White <[email protected]> wrote:
> Pieter,
>
> I was playing around with this also. I was setting TRUSTED_FOR_DELEGATION
> on the machine account as well. And it was accomplishing nothing.
>
> I'm guessing it's the user's account that needs to have
> TRUSTED_FOR_DELEGATION. Not the machine account.
>
> So when you start putty, you start it under a particular account. (I have
> to do a 'RunAs' to start putty under the desired account.) I think putty
> is looking at the userAccountControl attribute of this user account to
> decide whether to delegate credentials. (Also, the putty config setting
> "allow delegate credentials" has to be set.)
>
> My user account has userAccountControl == NORMAL_ACCOUNT.
>
> Spike
>
> On Tue, Mar 28, 2023 at 6:34 AM Pieter Voet <[email protected]> wrote:
>
>> Hi James, thanks a lot for your interesting reply.
>>
>> In order to investigate this issue, I've set up a Windows Server 2012
>> evaluation copy on my Linux laptop as a VM using QEMU.
>> With that, I also added two more VMs: a Windows 10 client and a Linux
>> Fedora 37 server with sssd configured, and both VMs joined to the Active
>> Directory domain.
>>
>> I now can log in to the Windows 10 VM using my AD account and password.
>> Next I use Putty (with 'Allow GSSAPI Credential Delegation' enabled)
>> to get to the Linux server, and I get logged in without specifying a
>> password, because sshd is configured to allow GSSAPIAuthentication and
>> detected a valid Kerberos ticket.
>> And then: yesss! 'klist' showed that I have a valid Kerberos ticket!
>>
>> While reading your post, I looked at the Linux machine object using
>> Adsiedit.msc...
>>
>> This is the userAccountControl for that server: 0x11000 =
>> (WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWORD)
>>
>> Umm.. the TRUSTED_FOR_DELEGATION flag is not set, but still, Putty
>> login gives me a TGT.
>> This does not match your explanation.. Am I doing something not right?
>>
>> Thanks!
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
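As an added example (not code from the thread, from PuTTY or from the sssd project): a small POSIX shell script that decodes a userAccountControl value the way Pieter read 0x11000 off ADSI Edit, and tests the TRUSTED_FOR_DELEGATION bit (0x80000) that Spike ended up setting on the machine account. The flag values are the documented ADS_USER_FLAG bits; the ldapsearch invocation in the comment uses placeholder host, base DN and account names.

```shell
#!/bin/sh
# Decode an Active Directory userAccountControl value into flag names and
# test the one bit the thread is about (TRUSTED_FOR_DELEGATION, 0x80000).
# The value may be decimal (what ldapsearch prints) or 0x-prefixed hex
# (what ADSI Edit shows), e.g. 0x11000 for the Linux server object above.

decode_uac() {
    # $1: userAccountControl value; prints "FLAG | FLAG | ..." on one line.
    uac=$(( $1 ))
    out=""
    # Ordered by bit value so the output reads from low bit to high bit.
    for entry in \
        0x0001:SCRIPT \
        0x0002:ACCOUNTDISABLE \
        0x0008:HOMEDIR_REQUIRED \
        0x0010:LOCKOUT \
        0x0020:PASSWD_NOTREQD \
        0x0040:PASSWD_CANT_CHANGE \
        0x0080:ENCRYPTED_TEXT_PWD_ALLOWED \
        0x0100:TEMP_DUPLICATE_ACCOUNT \
        0x0200:NORMAL_ACCOUNT \
        0x0800:INTERDOMAIN_TRUST_ACCOUNT \
        0x1000:WORKSTATION_TRUST_ACCOUNT \
        0x2000:SERVER_TRUST_ACCOUNT \
        0x10000:DONT_EXPIRE_PASSWORD \
        0x20000:MNS_LOGON_ACCOUNT \
        0x40000:SMARTCARD_REQUIRED \
        0x80000:TRUSTED_FOR_DELEGATION \
        0x100000:NOT_DELEGATED \
        0x200000:USE_DES_KEY_ONLY \
        0x400000:DONT_REQ_PREAUTH \
        0x800000:PASSWORD_EXPIRED \
        0x1000000:TRUSTED_TO_AUTH_FOR_DELEGATION \
        0x4000000:PARTIAL_SECRETS_ACCOUNT
    do
        bit=${entry%%:*}
        name=${entry#*:}
        if [ $(( uac & $bit )) -ne 0 ]; then
            out="${out}${out:+ | }${name}"
        fi
    done
    printf '%s\n' "$out"
}

# Exit status 0 when the account is marked for unconstrained Kerberos
# delegation, i.e. TRUSTED_FOR_DELEGATION (0x80000) is set; 1 otherwise.
allows_unconstrained_delegation() {
    [ $(( $1 & 0x80000 )) -ne 0 ]
}

# Fetching the attribute from the domain with a Kerberos-authenticated
# ldapsearch (host, base DN and account name are placeholders, not from
# the thread):
#   ldapsearch -LLL -Y GSSAPI -H ldap://dc.example.com \
#       -b "DC=example,DC=com" '(sAMAccountName=LINUXSRV$)' userAccountControl
# then feed the printed decimal value to decode_uac.

if [ "$#" -gt 0 ]; then
    decode_uac "$1"
    if allows_unconstrained_delegation "$1"; then
        echo "TRUSTED_FOR_DELEGATION is set (unconstrained delegation allowed)"
    else
        echo "TRUSTED_FOR_DELEGATION is not set"
    fi
fi
```

Run as `sh uac.sh 0x11000` to reproduce the reading in the thread, or with the decimal value ldapsearch returns. One caveat for anyone copying the fix: TRUSTED_FOR_DELEGATION is unconstrained delegation, so every user who authenticates to that host with a forwardable ticket leaves a TGT in that host's hands that it can use as the user against any service. For a production server, keep the flag off and use constrained delegation (msDS-AllowedToDelegateTo) or resource-based constrained delegation where delegation is genuinely needed.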
