[Freeipa-users] Configuring Client SSH Access Failure

Michael Kang wxiluo at gmail.com
Sat Jan 23 05:12:37 UTC 2010


DNS is OK.

I run kinit on client.example.com.
Access client.example.com from node.example.com:

> ssh -v admin@client.example.com
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password
> debug1: Next authentication method: gssapi-with-mic
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Credentials cache file '/tmp/krb5cc_0' not found
>
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Credentials cache file '/tmp/krb5cc_0' not found
>
> debug1: Unspecified GSS failure.  Minor code may provide more information
>

It seems the ssh-client was trying to load /tmp/krb5cc_0. I don't run kinit
on node.example.com, so there is such file. But I can find it on the
client.example.com.

Can node.example.com access client.example.com without any ipa
configuration?

Do I need to install ipa-client on the node.example.com? The document is
wrong?

On Sat, Jan 23, 2010 at 11:54 AM, Scott <scott.kaminski at gmail.com> wrote:

>
> first I would verify that dns is functional both forward and reverse.
>
> If that is okay try doing a kinit first then try to connect.
>
>
> Sent from my iPhone
>
> On Jan 22, 2010, at 7:34 PM, Michael Kang <wxiluo at gmail.com> wrote:
>
> Hi all,
>
> I'm trying to configure client ssh access on Fedora 12 and I can't access
> ipaclient without password.
>
> I'm following this document:
>
> http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/sect-Client_Configuration_Guide-Configuring_Fedora_as_an_IPA_Client-Configuring_Client_SSH_Access.html
>
> At the end of this document:
>
>> The IPA client should now be fully configured to accept incoming SSH
>> connections and authenticate with the user's
>> Kerberos credentials. Use the following command on another machine to
>> test the configuration. This should succeed without asking for a password.
>>
>  # ssh admin@ipaclient.example.com
>
> As I see it, another machine doesn't need to install any ipa software and it
> can access ipaclient without password.
>
> I have three Fedora machines:
>
>    - ipa.example.com (IPA Server)
>    - client.example.com (IPA Client)
>    - node.example.com (another machine on which neither ipa-client nor
>    ipa-server was installed)
>
> The client.example.com can access ipa.example.com without password. But the
> node.example.com can't access client.example.com.
>
> Do I misunderstand the document, or did I configure it incorrectly?
>
> Thanks,
> Michael
>
> --
> Michael Kang(康上明学)
> There is a giant asleep within every man. When the giant awakens,miracles
> happen.
>
> Personal blog: http://ufusion.org - United Fusion


-- 
Michael Kang(康上明学)
There is a giant asleep within every man. When the giant awakens,miracles
happen.

Personal blog: http://ufusion.org - United Fusion
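
An added example, not part of the original message: a small shell helper that classifies the `ssh -v` debug lines quoted above and reports which credentials cache file the GSS library on the connecting host looked for. The function name `gss_diagnose`, its verdict strings and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample, modelled on the debug output quoted in the message
# (the method list is shown unwrapped, as ssh prints it).
SAMPLE_LOG="debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug1: Next authentication method: password"

# Hypothetical helper: reads ssh -v debug output on stdin, prints one verdict.
gss_diagnose() {
    log=$(cat)
    # 1. Did the server list gssapi-with-mic as an allowed method?
    if ! printf '%s\n' "$log" |
        grep -q 'Authentications that can continue:.*gssapi-with-mic'; then
        echo "server-did-not-offer-gssapi"
        return 0
    fi
    # 2. Did the client attempt it (GSSAPIAuthentication enabled locally)?
    if ! printf '%s\n' "$log" |
        grep -q 'Next authentication method: gssapi-with-mic'; then
        echo "client-did-not-try-gssapi"
        return 0
    fi
    # 3. Which cache file did the local Kerberos library fail to open?
    cc=$(printf '%s\n' "$log" |
        sed -n "s/^Credentials cache file '\([^']*\)' not found.*/\1/p" |
        sort -u | head -n 1)
    if [ -n "$cc" ]; then
        uid=${cc##*krb5cc_}   # default FILE caches are named krb5cc_<uid>
        uid=${uid%%_*}        # drop a random suffix such as krb5cc_1000_AbCd
        echo "ccache-missing cache=$cc uid=$uid"
        return 0
    fi
    echo "gssapi-tried-no-ccache-error"
}

printf '%s\n' "$SAMPLE_LOG" | gss_diagnose
```

To use it on a live attempt, pipe the debug stream in, for example `ssh -v user@host true 2>&1 | gss_diagnose`, on the machine the connection starts from.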