[Freeipa-users] authentication with latest putty fails

Han Boetes hboetes at gmail.com
Mon Jan 7 08:56:42 UTC 2013


There was something going on with a firewall blocking something and that
Windows host didn't have a cert yet. But still:

Using Kerberos authentication
Using principal fh at REALM
Got host ticket host/test-server-ipa.domain at REALM
Using username "fh".
Successful Kerberos connection
Last login: Mon Jan  7 07:38:19 2013 from ipa-w7.domain
[fh at test-server-ipa ~]$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1554800011)

klist on the host shows all tickets are forwardable and the forwarding
option in both PuTTY versions is on.

> Which version of FreeIPA are you using? There are issues in older
> version which prevents kadmin.local from working.
>

The default stable:

[root at auth-ipa ssl_for_ipa-w7]# rpm -qa |grep ipa-
ipa-client-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64


On Mon, Jan 7, 2013 at 9:38 AM, Sumit Bose <sbose at redhat.com> wrote:

> On Mon, Jan 07, 2013 at 09:15:41AM +0100, Han Boetes wrote:
> > On Fri, Jan 4, 2013 at 6:52 PM, Sumit Bose <sbose at redhat.com> wrote:
> >
> > > About delegating credentials, you might need to set the ok_as_delegate
> > > flag on the host/* service ticket. To do this you can call kadmin.local
> > > on the IPA server and then use
> > >
> > > modprinc +ok_as_delegate host/test-server-ipa.realm at REALM
> > >
> > > to set the flag.
> > >
> >
> > I don't know why this host would have this flag set differently from other
>
> Does it mean there are other windows hosts where delegation already
> works as expected? AFAIK the Linux OpenSSH client does not check
> this flag and forwards the credentials depending on the command line
> options, but it looks like putty on Windows checks this flag.
>
> > hosts. And I get this error while trying to set or unset this flag.
> >
> > kadmin.local:  modprinc +ok_as_delegate host/ipa-w7.domain at REALM
> > modify_principal: Kerberos database internal error while modifying
> > "host/ipa-w7.domain at REALM
> >
> > For any other host as well BTW. I can't find anything relevant in the log
> > files.
>
> Which version of FreeIPA are you using? There are issues in older
> version which prevents kadmin.local from working.
>
> bye,
> Sumit
>
> >
> > --
> >
> >
> >
> > # Han
>



-- 



# Han
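
The two conditions discussed in this thread (a forwardable TGT, and the ok_as_delegate flag on the host/ service ticket) can be checked from the client's ticket cache. This is an added example, not part of the original messages; it assumes MIT Kerberos `klist -f` output, where `F` means forwardable and `O` means okay-as-delegate, and the sample output, realm and function names are constructed for illustration.

```python
import re

# Constructed sample of MIT `klist -f` output (not taken from the thread).
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: fh@EXAMPLE.COM

Valid starting     Expires            Service principal
01/07/13 08:00:00  01/08/13 08:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 01/14/13 08:00:00, Flags: FRIA
01/07/13 08:01:10  01/08/13 08:00:00  host/server.example.com@EXAMPLE.COM
\tFlags: FAT
"""

# A ticket line is: start date, start time, end date, end time, principal.
TICKET = re.compile(r"^\d\S*\s+\S+\s+\d\S*\s+\S+\s+(\S+@\S+)\s*$")
FLAGS = re.compile(r"Flags:\s*(\S+)")


def parse_klist(text):
    """Return {service principal: flag letters} from `klist -f` output."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = TICKET.match(line)
        if m:
            current = m.group(1)
            tickets[current] = ""
            continue
        m = FLAGS.search(line)
        if m and current:
            tickets[current] = m.group(1)
    return tickets


def delegation_problems(text, service):
    """List reasons a client that honours ok-as-delegate would not forward."""
    tickets = parse_klist(text)
    tgt = next((f for p, f in tickets.items() if p.startswith("krbtgt/")), None)
    svc = tickets.get(service)
    problems = []
    if tgt is None:
        problems.append("no TGT in cache")
    elif "F" not in tgt:  # lowercase 'f' means forwarded, not forwardable
        problems.append("TGT is not forwardable")
    if svc is None:
        problems.append("no ticket for " + service)
    elif "O" not in svc:
        problems.append("service ticket lacks ok-as-delegate (O)")
    return problems
```

An empty list means both conditions hold for the named service principal, so a remaining failure to forward lies elsewhere.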