For this to work, yes, you need to set up an AD trust, and for HBAC to access the Linux systems you need ID View user overrides.
Once you have verified that basic password or ssh key login (set the key in the user override!) works, GSSAPI should be an easy next step.
Keep in mind that if you were to kinit on a Linux node to an AD domain, you need to be able to talk Kerberos to the AD systems; if they are firewalled off, it doesn't work.

John

On 26 May 2019, at 14:42, lejeczek via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

On 23/05/2019 16:43, Sumit Bose via FreeIPA-users wrote:
On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users wrote:
On 23/05/2019 14:56, Rob Crittenden wrote:
lejeczek via FreeIPA-users wrote:
hi guys,

Reading the official guide one may assume - I do - that "Using SSH Without
Passwords" should work out of the box (CentOS 7.6) - is such an assumption valid?

For me this does not work - ssh still asks for passwords.

If this is due to some failure/problem, then where to look and how to
troubleshoot?
It's hard to know what you're doing, ssh from where to where, using what?

rob
I made an assumption - which I see now was invalid - that some experts
may know mentioned guide by heart and if I quoted something then the
rest will be obvious - wrong, sorry.

"Using SSH Without Passwords" is a paragraph of "Using SSH from Active
Directory Machines for IdM Resources" which is about Kerberos I understand.

My hope was to have AD's clients be able to ssh (and maybe get to other
things like Samba) without a password and with Kerberos.

I see IPA's users can do that between IPA's servers

...

debug1: PAM: initializing for "tester1"
debug1: PAM: setting PAM_RHOST to "ceb-ipa2.private"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user tester1 service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 1 failures 0 [preauth]
Postponed gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2 [preauth]
debug1: Got no client credentials
debug1: ssh_gssapi_k5login_exists: Checking existence of file /home/tester1/.k5login
Authorized to tester1, krb5 principal tester1@private (ssh_gssapi_krb5_cmdok)
debug1: do_pam_account: called
Accepted gssapi-with-mic for tester1 from 10.5.5.66 port 43604 ssh2
...

But on a Win10Pro which is an AD member, which I'm trying, when I ssh as an AD
user I do not see the above in the logs and such ssh (Win10's own feature)
is asked for a password.

To sum up: AD's users off/from Win AD win-stations to IPA's
members/clients with Kerberos if possible. (trust is already established
and running)
Hi,

having a trust is the first requirement. Second is an ssh client on the
Windows side which can do GSSAPI authentication (recent versions of PuTTY
can) and has GSSAPI authentication enabled (iirc this is not the default
for PuTTY, so you have to switch it on manually). Next is that you have
to use the fully-qualified DNS name of the IPA client you want to log in
to. If all this is set and authentication still falls back to asking for a
password, please check with the klist command on the Windows client in
command.exe or the PowerShell whether you already got a service ticket for
the IPA client. If this is missing, please check if there is a
cross-realm ticket; it has a principal starting with 'krbtgt/' followed
by the IPA realm, an '@' sign and the AD realm. If this is missing as
well, the issue is on the AD side and the client either does not try
GSSAPI at all or it does not get a cross-realm ticket from the local DC.

HTH

bye,
Sumit

I do not see tickets to IPA's domain - when I'm logged into a Win10Pro
(a member of win2016 AD domain).

klist only shows two tickets krbtgt & LDAP @AD domain, and nowhere
there I see a mention of IPA domain.

That is after a one-way trust was established from IPA's side,
successfully. DNS seems to work, users seem to work.

My setup IPA is subdomain of AD.

Win10Pro is 1903 with openssh-client installed as/from optional feature.
I think it does support gssapi.

After a trust is established - do we need to create groups & mappings
for AD users for ssh/samba to work? From the guide docs I saw, I understand
these are only required when one needs HBAC, correct?

How to start troubleshooting?

many thanks, L.
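The ticket-cache checks Sumit describes above (first a service ticket for the IPA client, then the cross-realm krbtgt), as an added example that is not part of this thread: a small Python script that parses Windows `klist` output and reports which of the three cases applies. The klist text, realm names and host name are constructed placeholders, not values from the thread.

```python
import re

# Constructed placeholders (not from the thread): the IPA realm is a subdomain of the AD realm.
AD_REALM = "AD.EXAMPLE.COM"
IPA_REALM = "IPA.AD.EXAMPLE.COM"
IPA_HOST = "client1.ipa.ad.example.com"   # fully-qualified name of the IPA client

# Constructed sample of Windows `klist` output showing the symptom from the thread:
# only the AD krbtgt and an LDAP ticket, nothing for the IPA realm.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: tester1 @ AD.EXAMPLE.COM
        Server: krbtgt/AD.EXAMPLE.COM @ AD.EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: tester1 @ AD.EXAMPLE.COM
        Server: LDAP/dc1.ad.example.com/ad.example.com @ AD.EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
"""

# Windows klist prints each cached ticket as "Server: <principal> @ <REALM>".
SERVER_RE = re.compile(r"^\s*Server:\s*(?P<princ>\S+)\s*@\s*(?P<realm>\S+)", re.M)


def parse_servers(klist_output):
    """Return (service_principal, realm) pairs for every cached ticket."""
    return [(m.group("princ"), m.group("realm")) for m in SERVER_RE.finditer(klist_output)]


def diagnose(klist_output, ipa_host, ipa_realm, ad_realm):
    """Apply the checks in the order given in the thread and return a result code."""
    servers = [(p.lower(), r.upper()) for p, r in parse_servers(klist_output)]
    # 1. sshd on the IPA client expects a ticket for host/<fqdn>@<IPA realm>.
    if (f"host/{ipa_host.lower()}", ipa_realm.upper()) in servers:
        return "SERVICE_TICKET_OK"
    # 2. Without a service ticket, the cross-realm TGT krbtgt/<IPA realm>@<AD realm> must exist.
    if (f"krbtgt/{ipa_realm.lower()}", ad_realm.upper()) in servers:
        return "NO_SERVICE_TICKET"      # AD issued the referral; the IPA-side request failed (check the FQDN used)
    return "NO_CROSS_REALM_TICKET"      # problem is on the AD side: no GSSAPI attempt, or the DC gave no referral


if __name__ == "__main__":
    for princ, realm in parse_servers(SAMPLE_KLIST):
        print(f"cached ticket: {princ}@{realm}")
    print(diagnose(SAMPLE_KLIST, IPA_HOST, IPA_REALM, AD_REALM))
```

On a real Windows client, pipe the output of `klist` into the script instead of `SAMPLE_KLIST` and substitute your own realms and host name.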



_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org