[Freeipa-users] authentication with latest putty fails

Han Boetes hboetes at gmail.com
Fri Jan 4 15:14:36 UTC 2013


You are absolutely right; the credentials aren't forwarded.

I have enabled the option "allow gssapi credential delegation". So one
would expect that it should work.

I just installed the MIT Kerberos tools and I can see all the options, and
forwarding tickets is allowed according to the interface. Also PuTTY is now
using the MIT Kerberos DLL, gssapi32.dll, and still I get the same results.

So the proper question is: how do I get PuTTY to really forward the
credentials?


On Fri, Jan 4, 2013 at 3:58 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Han Boetes wrote:
>
>> I've set up Windows with the instructions given over here:
>>
>> http://freeipa.com/page/Windows_authentication_against_FreeIPA
>>
>> And all seems to be working fine. After I run klist I see valid tickets:
>>
>> Microsoft Windows [Version 6.1.7601]
>> Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
>>
>> C:\Users\fh>klist
>>
>> Aktuelle Anmelde-ID ist 0:0x153b25
>>
>> Zwischengespeicherte Tickets: (1)
>>
>> #0>     Client: fh @ REALM
>>          Server: krbtgt/REALM @ REALM
>>          KerbTicket (Verschlüsselungstyp): AES-256-CTS-HMAC-SHA1-96
>>          Ticketkennzeichen 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
>>          Startzeit: 1/4/2013 14:03:11 (lokal)
>>          Endzeit:   1/5/2013 14:03:11 (lokal)
>>          Erneuerungszeit: 1/11/2013 14:03:11 (lokal)
>>          Sitzungsschlüsseltyp: AES-256-CTS-HMAC-SHA1-96
>>
>>
>> I can do a passwordless login with the latest PuTTY with Kerberos
>> authentication; I disabled password and key logins. And then on the
>> host I checked klist and got this:
>>
>> [fh@test-server-ipa ~]$ klist
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1554800011)
>>
>> sudo also doesn't work. To test the setup I did the same from a Linux host,
>> and logging in, sudo, klist etc. all work fine. So I checked the sshd
>> -d output difference and the only difference I see is:
>>
>> -Postponed gssapi-with-mic for fh from 192.168.2.73 port 50334 ssh2
>> -debug1: Received some client credentials
>> +Postponed gssapi-with-mic for fh from 192.168.2.56 port 49168 ssh2
>> +debug1: Got no client credentials
>>
>> Where .73 is the linux host and .56 is the windows host.
>>
>> What am I missing here?
>>
>
> The problem isn't that authentication fails, it is that the credentials
> aren't forwarded, right?
>
> Does putty support this?
>
> rob
>
>


-- 



# Han
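
The sshd -d comparison in the message above can be automated. The following is an added example, not part of the original thread and not FreeIPA or OpenSSH code: it pairs each `Postponed gssapi-with-mic` line with the credential line that follows it and lists clients that authenticated without delegating a ticket. The function names are hypothetical, and the sample input is constructed from the two excerpts quoted in the message.

```python
import re

# Constructed sample: the two sshd -d excerpts quoted in the message.
SAMPLE_LOG = """\
Postponed gssapi-with-mic for fh from 192.168.2.73 port 50334 ssh2
debug1: Received some client credentials
Postponed gssapi-with-mic for fh from 192.168.2.56 port 49168 ssh2
debug1: Got no client credentials
"""

POSTPONED = re.compile(
    r"Postponed gssapi-with-mic for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
DELEGATED = "Received some client credentials"
NOT_DELEGATED = "Got no client credentials"


def delegation_report(log_text):
    """Return one dict per GSSAPI attempt; 'delegated' is True, False or None."""
    attempts, current = [], None
    for line in log_text.splitlines():
        m = POSTPONED.search(line)
        if m:
            # If the "Postponed" line repeats for the same peer, keep one
            # record; open a new one only when (ip, port) changes.
            key = (m["ip"], int(m["port"]))
            if current is None or (current["ip"], current["port"]) != key:
                current = {"user": m["user"], "ip": key[0],
                           "port": key[1], "delegated": None}
                attempts.append(current)
        elif current is not None and DELEGATED in line:
            current["delegated"] = True
        elif current is not None and NOT_DELEGATED in line:
            current["delegated"] = False
    return attempts


def hosts_without_delegation(log_text):
    """Client IPs that authenticated via GSSAPI but forwarded no ticket."""
    report = delegation_report(log_text)
    return sorted({a["ip"] for a in report if a["delegated"] is False})
```

A `delegated` value of `None` means neither credential line followed the attempt in the captured output, which is distinct from sshd reporting that no credentials arrived.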