[Freeipa-users] AD users not getting single sign on (Solaris)

Rob Crittenden rcritten at redhat.com
Fri Mar 20 02:44:42 UTC 2015


nathan at nathanpeters.com wrote:
> I have finally gotten all of my Solaris servers to accept AD users but the
> behavior is inconsistent.
> 
> In my FreeIPA domain, I can login to a Linux server and then ssh to the
> Solaris server and I am automatically logged in because of my Kerberos
> ticket (I assume).
> 
> But when I ssh from the first Solaris machine to the 2nd I am prompted for
> a password instead of being automatically signed in.  The strange thing is
> that it doesn't matter which machine I login to first, it's only the 2nd
> hop that asks for a password.
> 
> Below is my console recording.  ipaclient1 is Linux, ipaclient5 and
> ipaclient6 are Solaris.
> Login from Linux -> Solaris 1 works without password
> Login from Linux -> Solaris 2 works without password
> Login from Solaris 1 -> Solaris 2 prompts
> Login from Solaris 2 -> Solaris 1 prompts.
> 
> Any ideas?

You log into Linux and get a TGT. Using that TGT you can log into any
other box (Solaris or otherwise). Unless you are delegating that TGT
with each ssh login you won't have one after the first login to another
system, it will be used for authentication only.

See the -K option of ssh, or GSSAPIDelegateCredentials yes in sshd.

rob
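
A delegated TGT can be reused by whoever controls the host that receives it, so it helps to know which destinations a client forwards it to. As an added example (not part of the original thread), this shell function lists the `Host` blocks of an OpenSSH-syntax ssh_config that enable `GSSAPIDelegateCredentials`; the sample config, the `*.lab.example` pattern and the function names are constructed, and `Match` blocks and `Include` files are assumed absent.

```shell
#!/bin/sh
# Added example: list the ssh_config Host blocks that forward the Kerberos TGT.

# Constructed sample; ipaclient5/6 are the hosts from the thread,
# *.lab.example is a made-up pattern.
sample_config() {
cat <<'EOF'
# Delegate the TGT only to the hosts we hop through
Host ipaclient5 ipaclient6
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *.lab.example
    GSSAPIDelegateCredentials=yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
EOF
}

# audit_delegation [FILE...]  (reads stdin when no file is given)
# Prints one line per block that enables delegation:
#   OK   <patterns>  delegation limited to explicitly named hosts
#   WIDE <patterns>  wildcard or global scope: the TGT goes to any match
audit_delegation() {
    awk '
        function report(   tag) {
            if (deleg != "yes") return
            tag = (hosts ~ /[*?]/ || hosts == "(global)") ? "WIDE" : "OK"
            print tag, hosts
        }
        BEGIN { hosts = "(global)" }
        /^[ \t]*#/ || NF == 0 { next }
        { sub(/=/, " "); key = tolower($1) }   # accept "Key=value" too
        key == "host" {
            report(); deleg = ""
            $1 = ""; sub(/^[ \t]+/, ""); hosts = $0
            next
        }
        # within a block the first value obtained wins, as in ssh itself
        key == "gssapidelegatecredentials" && deleg == "" { deleg = tolower($2) }
        END { report() }
    ' "$@"
}

sample_config | audit_delegation
```

After connecting with delegation enabled, `klist` on the destination host shows whether a forwarded TGT arrived.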



