Ok, but now I have another problem :) If I disable the default allow_all HBAC rule, creating one custom HBAC rule that enables ad_admins to access any host and any service, Kerberos ticket authentication via ssh does not work. Username/password authentication with the same custom HBAC rule works.

SSH logs with Kerberos authentication:

Sep 14 11:04:43 ipa-client01 sshd[1728]: Authorized to [email protected], krb5 principal [email protected] (krb5_kuserok)
Sep 14 11:04:43 ipa-client01 sshd[1728]: pam_sss(sshd:account): Access denied for user [email protected]: 6 (Permission denied)
Sep 14 11:04:43 ipa-client01 sshd[1729]: fatal: Access denied for user [email protected] by PAM account configuration

SSH logs with username/password authentication:

Sep 14 11:10:30 ipa-client01 sshd[1766]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 [email protected]
Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user= [email protected]
Sep 14 11:10:31 ipa-client01 sshd[1766]: Accepted password for [email protected] from 192.168.0.252 port 49590 ssh2
Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_unix(sshd:session): session opened for user [email protected] by (uid=0)

If I enable the allow_all HBAC rule, Kerberos authentication works.
Maybe there is something else to configure?

Thanks,
Morgan

2015-09-14 9:48 GMT+02:00 Alexander Bokovoy <[email protected]>:
> On Mon, 14 Sep 2015, Morgan Marodin wrote:
>
>> The Pro edition.
>>
>> I've solved my connection problem, I have to specify manually the
>> username (name.surname@ad_domain.com) with Microsoft SSPI.
>> In this mode it is ok, but using Putty "Use system username" does not work for
>> me.
>>
>> I don't know why :)
>>
> A problem is in the fact that when you use PuTTY's 'use system
> username', it does only provide unqualified name there, e.g.
> Administrator, not AD\Administrator or [email protected]. On IPA
> client side AD users are fully qualified and thus a user you are trying
> to login to (Administrator) is not the same as the user you are
> ([email protected]).
> --
> / Alexander Bokovoy
>
--
Morgan Marodin
email: [email protected]
mobile: +39.3477829069
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
