[Freeipa-users] authentication with latest putty fails

Rob Crittenden rcritten at redhat.com
Fri Jan 4 14:58:29 UTC 2013


Han Boetes wrote:
> I've set up Windows with the instructions given over here:
>
> http://freeipa.com/page/Windows_authentication_against_FreeIPA
>
> And all seems to be working fine. After I run klist I see valid tickets:
>
> Microsoft Windows [Version 6.1.7601]
> Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
>
> C:\Users\fh>klist
>
> Aktuelle Anmelde-ID ist 0:0x153b25
>
> Zwischengespeicherte Tickets: (1)
>
> #0>     Client: fh @ REALM
>          Server: krbtgt/REALM @ REALM
>          KerbTicket (Verschlüsselungstyp): AES-256-CTS-HMAC-SHA1-96
>          Ticketkennzeichen 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
>          Startzeit: 1/4/2013 14:03:11 (lokal)
>          Endzeit:   1/5/2013 14:03:11 (lokal)
>          Erneuerungszeit: 1/11/2013 14:03:11 (lokal)
>          Sitzungsschlüsseltyp: AES-256-CTS-HMAC-SHA1-96
>
>
> I can do a passwordless login with the latest PuTTY with Kerberos
> authentication; I disabled password and key logins. And then on the
> host I checked klist and got this:
>
> [fh@test-server-ipa ~]$ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1554800011)
>
> sudo also doesn't work. To test the setup I did the same from a Linux host,
> and logging in, sudo, klist etc. all work fine. So I checked the sshd
> -d output difference and the only difference I see is:
>
> -Postponed gssapi-with-mic for fh from 192.168.2.73 port 50334 ssh2
> -debug1: Received some client credentials
> +Postponed gssapi-with-mic for fh from 192.168.2.56 port 49168 ssh2
> +debug1: Got no client credentials
>
> Where .73 is the Linux host and .56 is the Windows host.
>
> What am I missing here?

The problem isn't that authentication fails, it is that the credentials 
aren't forwarded, right?

Does putty support this?

rob
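
Added example, not part of the original thread: a Python triage of the two pieces of evidence quoted above. It decodes the ticket flags word from the Windows klist output and reads the sshd -d lines per client. Flag bit positions are taken from RFC 4120 section 5.3; the function names are hypothetical.

```python
import re

# Ticket-flag bit numbers follow RFC 4120 sec. 5.3 (bit 0 = most significant).
# Bit 15 is labelled name_canonicalize, as Windows klist prints it in the post.
FLAG_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may_postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre_authent", 11: "hw_authent",
    12: "transited_policy_checked", 13: "ok_as_delegate",
    15: "name_canonicalize",
}

# Inputs copied from the post (not new captures).
WINDOWS_FLAGS = 0x40E10000
SSHD_DIFF = """\
-Postponed gssapi-with-mic for fh from 192.168.2.73 port 50334 ssh2
-debug1: Received some client credentials
+Postponed gssapi-with-mic for fh from 192.168.2.56 port 49168 ssh2
+debug1: Got no client credentials
"""

def decode_ticket_flags(word):
    """Return the names of the flags set in a 32-bit ticket-flags word."""
    return [name for bit, name in sorted(FLAG_BITS.items())
            if word & (1 << (31 - bit))]

def delegation_by_client(sshd_lines):
    """Map each client IP to True/False: did sshd receive delegated credentials?"""
    result, ip = {}, None
    for raw in sshd_lines.splitlines():
        line = raw.lstrip("+-> ").strip()   # drop diff and quote markers
        m = re.match(r"Postponed gssapi-with-mic for \S+ from (\S+) port \d+", line)
        if m:
            ip = m.group(1)
        elif ip and line == "debug1: Received some client credentials":
            result[ip] = True
        elif ip and line == "debug1: Got no client credentials":
            result[ip] = False
    return result

def triage(flags_word, delegated):
    """Separate 'authentication failed' from 'credentials were not forwarded'."""
    if delegated:
        return "delegated: a ticket cache should exist on the server"
    if "forwardable" not in decode_ticket_flags(flags_word):
        return "not delegated: the client TGT is not forwardable"
    return "not delegated: TGT is forwardable, the SSH client sent no credentials"

if __name__ == "__main__":
    print(decode_ticket_flags(WINDOWS_FLAGS))
    print(triage(WINDOWS_FLAGS, delegation_by_client(SSHD_DIFF)["192.168.2.56"]))
```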



