putty/winscp with gssapi/krb5 ticket forwarding

Lars Schimmer l.schimmer at cgv.tugraz.at
Fri Jan 26 04:55:14 EST 2007


Edward Irvine at home wrote:
> Hi Lars,
> 
> Lars Schimmer wrote:
> Hi!
> 
> After some testing I got a few test PCs with Debian's "etch" system to do
> ticket forwarding and obtain afs tokens.
> Now I want to use putty and winscp from windows to log in without a
> password on those machines.
> 
>> See this link:
> 
>> http://220-245-28-18.static.tpgi.com.au/~irvinee/gssapi-sol10/gssapi-howto.html

Thanks for the link.
Maybe I don't get it right in my thoughts.
Setup here:
AD with 1 server and x clients
krb5 server on debian on extra machine
on each client MIT krb5 and OpenAFS 1.4.x on debian, 1.5.12 on windows
on windows clients: krb5 config with the krb5 server entry and "obtain
tokens for OpenAFS while login enabled"
Until now, no special entries for krb5 in AD.
I assume the user on windows obtains a token and a valid ticket from the
linux krb5 server while logging in (else the token wouldn't be valid).
So a valid ticket for the user is available in the cache.
In https://www-s.acm.uiuc.edu/wiki/space/Setting+up+SSH+on+Debian I've
read to create a host/...@CGV... entry in my database for every PC and
extract that to a krb5.keytab (ank host/..@CGV.. - ktadd -k krb5.keytab
host/....@CGV... for every PC). That keytab I copied to /etc/krb5.keytab
on every PC and it works on debian.
Now I thought that was the way it should work on windows. But it seems,
I was wrong.

So I need to create special user entries in the AD database. One entry
for all machines or one entry per linux pc?
Do I really have to create them in the AD as my krb5 doesn't interact
with the AD?

MfG,
Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: l.schimmer at cgv.tugraz.at
Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723
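Added illustration, not part of the original message: a small Python reader for the MIT keytab file format (version 0x0502) that lists the principals in a keytab and reports host/ keys that belong to other machines, a check to run on each /etc/krb5.keytab after the ank/ktadd-and-copy procedure described above. The host names, realm and all-zero keys in the sample are constructed, and the function names are chosen for this example.

```python
import struct

def counted(buf, off):
    """Read a 16-bit length-prefixed string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("truncated keytab entry")
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, enctype) for each entry of a format 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                       # a negative size marks a deleted slot
            pos -= size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        parts, off = [], 2
        for _ in range(ncomp + 1):          # realm first, then the name components
            part, off = counted(rec, off)
            parts.append(part.decode())
        kvno, enctype, keylen = struct.unpack_from(">BHH", rec, off + 8)  # +8: name type, timestamp
        off += 13 + keylen
        if len(rec) - off >= 4:             # optional 32-bit kvno replaces the 8-bit one
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
    return entries

def foreign_host_keys(entries, fqdn):
    """host/<name> principals in the keytab whose <name> is not this machine."""
    names = [(p, p.rsplit("@", 1)[0].split("/")) for p, _, _ in entries]
    return [p for p, n in names if len(n) == 2 and n[0] == "host" and n[1].lower() != fqdn.lower()]

# Constructed sample (made-up names, all-zero keys): two machines' host keys in one keytab.
def make_entry(princ, kvno, enctype, key):
    name, realm = princ.rsplit("@", 1)
    parts = [realm] + name.split("/")
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + b"".join(
    make_entry(f"host/{h}.example.org@EXAMPLE.ORG", 3, 18, bytes(32)) for h in ("pc1", "pc2"))
```

On a real machine, pass the bytes of /etc/krb5.keytab and that machine's fully qualified host name; an empty result from `foreign_host_keys` means the file holds no other machine's host key.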