On Tue, May 16, 2017 at 11:30:25AM +0200, Ronald Wimmer wrote:
On 2017-05-15 21:27, Jakub Hrozek wrote:
[...]
On Mon, May 15, 2017 at 03:54:22PM +0200, Ronald Wimmer wrote:
Hi,
I am confronted with a behaviour for which I do not have an explanation.
I am using NFS4 Kerberos automounted home shares and recently I got a permission denied (reproducible when I restart autofs on the server I want to connect to) from the Windows domain. So here's what I tried:
- Connected via PuTTY from a Windows machine in the Windows domain. Kerberos-based login works but I get a "Permission Denied" on my home directory; klist shows no tickets
No tickets at all? Not even an expired ticket?
Unfortunately no tickets.
Did you ‘Allow GSSAPI credential delegation’ in the PuTTY configuration? Additionally, the internal Windows Kerberos handling only allows delegation to hosts which have the ok-to-delegate flag set in the Kerberos service ticket.
Please check with 'ipa host-show hostname' if 'Trusted for delegation: True', if not please try 'ipa host-mod hostname --ok-as-delegate=True'.
HTH
bye, Sumit
Does running klist in cmd.exe show anything?
Yes, it does:
-bash-4.2$ klist
klist: Credentials cache keyring 'persistent:1073895519:1073895519' not found
And again... If I connect from my linux machine (within the ipa domain), tickets are there:
-bash-4.2$ klist
Ticket cache: KEYRING:persistent:1073895519:1073895519
Default principal: myuser@MYWINDOWDOMAIN.AT

Valid starting       Expires              Service principal
2017-05-16 11:29:04  2017-05-16 15:43:45  nfs/ipanfs.myipadomain.at@MYIPADOMAIN.AT
2017-05-16 11:25:09  2017-05-16 15:43:45  krbtgt/MYWINDOWDOMAIN.AT@MYWINDOWDOMAIN.AT
        renew until 2017-05-16 15:43:45
From this point on login from windows (AD domain) does - of course - work.
Any ideas how to bring some light into this?
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
On 2017-05-26 18:51, Sumit Bose via FreeIPA-users wrote:
[...] Did you ‘Allow GSSAPI credential delegation’ in the PuTTY configuration? Additionally, the internal Windows Kerberos handling only allows delegation to hosts which have the ok-to-delegate flag set in the Kerberos service ticket.
Please check with 'ipa host-show hostname' if 'Trusted for delegation: True', if not please try 'ipa host-mod hostname --ok-as-delegate=True'.
Setting the flag solved the problem. Thanks a lot.
Can this flag be set by default for new hosts?
On Sat, May 27, 2017 at 05:46:57PM +0200, Ronald Wimmer via FreeIPA-users wrote:
On 2017-05-26 18:51, Sumit Bose via FreeIPA-users wrote:
[...] Did you ‘Allow GSSAPI credential delegation’ in the PuTTY configuration? Additionally, the internal Windows Kerberos handling only allows delegation to hosts which have the ok-to-delegate flag set in the Kerberos service ticket.
Please check with 'ipa host-show hostname' if 'Trusted for delegation: True', if not please try 'ipa host-mod hostname --ok-as-delegate=True'.
Setting the flag solved the problem. Thanks a lot.
Can this flag be set by default for new hosts?
As far as I know IPA does not offer such an option. Imo it would not be a good idea to enable it by default. Since delegation means that your full TGT is forwarded, the target host should really be trusted, because otherwise someone with e.g. physical access to the host might be able to steal the TGT and use it as long as the ticket is valid.
bye, Sumit
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
On 2017-05-29 09:45, Sumit Bose via FreeIPA-users wrote:
On Sat, May 27, 2017 at 05:46:57PM +0200, Ronald Wimmer via FreeIPA-users wrote:
On 2017-05-26 18:51, Sumit Bose via FreeIPA-users wrote:
[...] Did you ‘Allow GSSAPI credential delegation’ in the PuTTY configuration? Additionally, the internal Windows Kerberos handling only allows delegation to hosts which have the ok-to-delegate flag set in the Kerberos service ticket.
Please check with 'ipa host-show hostname' if 'Trusted for delegation: True', if not please try 'ipa host-mod hostname --ok-as-delegate=True'.
Setting the flag solved the problem. Thanks a lot.
Can this flag be set by default for new hosts?
As far as I know IPA does not offer such an option. Imo it would not be a good idea to enable it by default. Since delegation means that your full TGT is forwarded, the target host should really be trusted, because otherwise someone with e.g. physical access to the host might be able to steal the TGT and use it as long as the ticket is valid.
What other options do I have if I want users connecting from Windows to be able to use automounted home directories?
On Tue, May 30, 2017 at 11:15:02PM +0200, Ronald Wimmer via FreeIPA-users wrote:
On 2017-05-29 09:45, Sumit Bose via FreeIPA-users wrote:
On Sat, May 27, 2017 at 05:46:57PM +0200, Ronald Wimmer via FreeIPA-users wrote:
On 2017-05-26 18:51, Sumit Bose via FreeIPA-users wrote:
[...] Did you ‘Allow GSSAPI credential delegation’ in the PuTTY configuration? Additionally, the internal Windows Kerberos handling only allows delegation to hosts which have the ok-to-delegate flag set in the Kerberos service ticket.
Please check with 'ipa host-show hostname' if 'Trusted for delegation: True', if not please try 'ipa host-mod hostname --ok-as-delegate=True'.
Setting the flag solved the problem. Thanks a lot.
Can this flag be set by default for new hosts?
As far as I know IPA does not offer such an option. Imo it would not be a good idea to enable it by default. Since delegation means that your full TGT is forwarded, the target host should really be trusted, because otherwise someone with e.g. physical access to the host might be able to steal the TGT and use it as long as the ticket is valid.
What other options do I have if I want users connecting from Windows to be able to use automounted home directories?
Why isn't 'ipa host-mod' sufficient? You can e.g. call it directly after ipa-client-install to set the flag where it is needed.
bye, Sumit
On 2017-05-31 10:54, Sumit Bose via FreeIPA-users wrote:
[...] Why isn't 'ipa host-mod' sufficient? You can e.g. call it directly after ipa-client-install to set the flag where it is needed.
You got me wrong. It is sufficient. My answer was referring to "Imo it would not be a good idea to enable it by default. Since delegation means that your full TGT is forwarded the target host should really be trusted because otherwise someone with e.g. physical access to the host might be able to steal the TGT and use it as long as the ticket is valid."
On Wed, May 31, 2017 at 11:07:44AM +0200, Ronald Wimmer via FreeIPA-users wrote:
On 2017-05-31 10:54, Sumit Bose via FreeIPA-users wrote:
[...] Why isn't 'ipa host-mod' sufficient? You can e.g. call it directly after ipa-client-install to set the flag where it is needed.
You got me wrong. It is sufficient. My answer was referring to "Imo it would not be a good idea to enable it by default. Since delegation means that your full TGT is forwarded the target host should really be trusted because otherwise someone with e.g. physical access to the host might be able to steal the TGT and use it as long as the ticket is valid."
Of course, if you need the ticket on the target host, e.g. to automount the home directory, you should enable delegation. But it should only be enabled where needed and not by default. (There might be environments where there are only Linux servers in the IPA domain which all need this, but I still think adding the delegation flag should be a step on its own, because over time all kinds of systems might be added to the domain.)
bye, Sumit
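Sumit's advice above amounts to a per-host post-enrollment step: check 'Trusted for delegation' with ipa host-show and set --ok-as-delegate=True only on hosts that genuinely need the forwarded TGT. The following script is an added example (not from the thread or the FreeIPA project) that does exactly that against an explicit allow-list, so the flag is never enabled by default; the host names in the allow-list are constructed placeholders and the script assumes an admin ticket is already obtained with kinit.

```shell
#!/bin/sh
# Added example, not part of the thread: enable ok-as-delegate only for
# hosts on an explicit allow-list, after ipa-client-install.
# Assumes 'ipa' is on PATH and a valid admin ticket exists (kinit admin).

# Hosts that really need a forwarded TGT (e.g. NFS4 Kerberos home automount).
# Constructed placeholder names; replace with your own FQDNs.
DELEGATION_ALLOWLIST="ipanfs.myipadomain.at login1.myipadomain.at"

# Return 0 if the given 'ipa host-show' output reports the flag as set.
# Looks for the same "Trusted for delegation: True" line the thread mentions.
is_trusted_for_delegation() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*Trusted for delegation: True$'
}

# Return 0 if the host is on the allow-list (exact FQDN match).
in_allowlist() {
    for h in $DELEGATION_ALLOWLIST; do
        [ "$h" = "$1" ] && return 0
    done
    return 1
}

# Decide what to do for a host given its host-show output:
# prints "skip" (not allow-listed), "already" (flag set) or "set" (needs the flag).
decide_action() {
    host="$1"; show_output="$2"
    if ! in_allowlist "$host"; then echo skip; return 0; fi
    if is_trusted_for_delegation "$show_output"; then echo already; return 0; fi
    echo set
}

# Live wrapper: query IPA for the host and apply the decision.
ensure_delegation_flag() {
    host="$1"
    out="$(ipa host-show "$host")" || return 1
    case "$(decide_action "$host" "$out")" in
        set)     ipa host-mod "$host" --ok-as-delegate=True ;;
        already) echo "$host: already trusted for delegation" ;;
        skip)    echo "$host: not on allow-list, leaving flag unset" ;;
    esac
}

# Usage on an enrolled client, right after ipa-client-install:
# ensure_delegation_flag "$(hostname -f)"
```

Hosts not on the allow-list are left alone, so a freshly enrolled machine cannot receive forwarded TGTs until someone consciously adds it.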