[Freeipa-users] ssh login from windows AD trust host not working
Natxo Asenjo
natxo.asenjo at gmail.com
Fri Apr 19 14:35:06 UTC 2013
hi,
after successfully configuring the trust between 2 different domains
(IPA.ASENJO.NX and AD.ASENJO.NX) I would like to login from the windows
host to the linux host using the trusted kerberos tickets.
This is my krb.conf in the linux host:
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = IPA.ASENJO.NX
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
IPA.ASENJO.NX = {
kdc = kdc.ipa.asenjo.nx:88
admin_server = kdc.ipa.asenjo.nx:749
default_domain = ipa.asenjo.nx
pkinit_anchors = FILE:/etc/ipa/ca.crt
auth_to_local = RULE:[1:$1@$0](^.*@AD.ASENJO.NX$)s/@AD.ASENJO.NX/@ad.asenjo.nx/
auth_to_local = DEFAULT
}
[domain_realm]
.ipa.asenjo.nx = IPA.ASENJO.NX
ipa.asenjo.nx = IPA.ASENJO.NX
[dbmodules]
# IPA.ASENJO.NX = {
# db_library = kldap
# ldap_servers = ldapi://%2fvar%2frun%2fslapd-IPA-ASENJO-NX.socket
# ldap_kerberos_container_dn = cn=kerberos,dc=ipa,dc=asenjo,dc=nx
# ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=ipa,dc=asenjo,dc=nx
# ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=ipa,dc=asenjo,dc=nx
# ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
# }
IPA.ASENJO.NX = {
db_library = ipadb.so
}
and in /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, ssh, pac
domains = ipa.asenjo.nx
[nss]
[pam]
[domain/ipa.asenjo.nx]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.asenjo.nx
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = kdc.ipa.asenjo.nx
chpass_provider = ipa
ipa_server = kdc.ipa.asenjo.nx
ldap_tls_cacert = /etc/ipa/ca.crt
subdomains_provider = ipa
I restarted the server after this change.
Then I created an external group as explained here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-groups.html
And tried logging in using ssh with putty from the windows hosts (using the
login Administrator@ad.asenjo.nx, with gss-api credentials delegation).
Unfortunately it keeps asking me for a password for the user
Administrator@ad.asenjo.nx@kdc.ipa.asenjo.nx, so it is adding the name
of the linux host to the login name.
Any help greatly appreciated.
--
groet,
natxo
--
Groeten,
natxo
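
The auth_to_local lines from the krb5.conf above, evaluated step by step against a few principals. This is an added example, not part of the original post and not FreeIPA or MIT Kerberos code: the helper names are hypothetical, Python's regex engine stands in for the POSIX one libkrb5 uses, and every test principal other than Administrator@AD.ASENJO.NX is constructed.

```python
import re

# Rule and realm copied from the post; everything else is illustrative.
RULE = "RULE:[1:$1@$0](^.*@AD.ASENJO.NX$)s/@AD.ASENJO.NX/@ad.asenjo.nx/"
DEFAULT_REALM = "IPA.ASENJO.NX"

# RULE:[n:format](regexp)s/pattern/replacement/g  (regexp and s/// are optional)
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")

def apply_rule(rule, principal):
    """Return the local name the rule yields, or None if it does not apply."""
    m = RULE_RE.match(rule)
    if m is None:
        # e.g. a rule split across two lines, as the mail wrapping shows it
        raise ValueError("malformed auth_to_local rule: %r" % rule)
    ncomp, fmt, regexp, pat, repl, gflag = m.groups()
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    if len(comps) != int(ncomp):
        return None                      # wrong number of name components
    # $0 is the realm, $1..$n are the name components
    selection = re.sub(r"\$(\d)",
                       lambda d: ([realm] + comps)[int(d.group(1))], fmt)
    if regexp and not re.fullmatch(regexp, selection):
        return None                      # selection string must match entirely
    if pat is not None:
        selection = re.sub(pat, repl, selection, count=0 if gflag else 1)
    return selection

def default_rule(principal):
    """DEFAULT: single-component principal in the default realm -> bare name."""
    name, _, realm = principal.rpartition("@")
    if realm == DEFAULT_REALM and "/" not in name:
        return name
    return None

def auth_to_local(principal, rules=(RULE, "DEFAULT")):
    """Try the rules in order, as listed in the [realms] section."""
    for rule in rules:
        local = (default_rule(principal) if rule == "DEFAULT"
                 else apply_rule(rule, principal))
        if local is not None:
            return local
    return None                          # no mapping to a local account
```

With the rule on a single line, the AD administrator maps to the local name Administrator@ad.asenjo.nx, which is the account name sshd would have to resolve through SSSD.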