Active Directory LDAP SSH
Christopher D. Clausen
cclausen at acm.org
Tue Sep 4 14:26:25 EDT 2007
Michael B Allen <ioplex at gmail.com> wrote:
> On 9/4/07, Roman S <kleinerroemer at hotmail.com> wrote:
>> I've configured a Microsoft Active Directory with LDAP and Kerberos,
>> and some Linux (Redhat) clients who authenticate to it.
>> I'm able to get some tickets for the users who are in the Active
>> Directory, but SSH behaves a bit strange.
>>
>> I can always ssh to the same machine again.
>> Like
>> #foo: ssh foo
>>
>> but I can't ssh to any other computers. I always get a Permission
>> denied.
>> I've only enabled gssapi authentication, all others are disabled.
>> Debug output of ssh didn't get me any further.
>
> Hi Roman,
>
> Did you create the host principal and keytab for the target server?
I suspect yes, or the initial credential forwarding would not work either.
> Also, you'll need a .k5login file in the home directory of the target:
>
> $ cat ~/.k5login
> alice at EXAMPLE.COM
You do not NEED a .k5login file. It may be useful in certain
environments, but it is not required.
> Google for info about the above and you should find a tutorial I
> would think.
You probably need to:
1) ensure that forwardable tickets are being obtained (I suspect this is
already the case)
2) set GSSAPIDelegateCredentials yes for ssh and/or sshd
<<CDC
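As an added example, not from the thread, here is a small POSIX shell check for the two points above: whether the TGT in the credential cache is forwardable (the F flag in MIT krb5 `klist -f` output) and whether an uncommented `GSSAPIDelegateCredentials yes` is present in the OpenSSH config. The klist samples are constructed, and the /etc/ssh/ssh_config path is an assumption.

```shell
#!/bin/sh
# Diagnostic for the two points above: forwardable TGT and GSSAPI delegation.
# Assumes MIT krb5 "klist -f" output layout and an OpenSSH ssh_config file.

# Constructed sample of "klist -f" output for a forwardable TGT (F flag present).
SAMPLE_KLIST_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
09/04/2007 14:00:00  09/05/2007 00:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 09/11/2007 14:00:00, Flags: FRIA'

# Constructed sample where the TGT was obtained without the forwardable flag.
SAMPLE_KLIST_PLAIN='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
09/04/2007 14:00:00  09/05/2007 00:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: IA'

# Read "klist -f" output on stdin; succeed only if the krbtgt entry carries F.
tgt_is_forwardable() {
  awk '
    /krbtgt\// { in_tgt = 1; next }
    in_tgt && /Flags:/ {
      sub(/.*Flags:[ \t]*/, "")      # keep only the flag letters
      if ($0 ~ /F/) found = 1
      in_tgt = 0
    }
    END { exit found ? 0 : 1 }
  '
}

# Succeed if the given ssh_config/sshd_config has an uncommented
# "GSSAPIDelegateCredentials yes" directive.
delegation_enabled() {
  grep -Eiq '^[[:space:]]*GSSAPIDelegateCredentials[[:space:]]+yes' "$1"
}

# Live check; only meaningful on a host with klist and an OpenSSH client.
check_live() {
  klist -f 2>/dev/null | tgt_is_forwardable \
    || { echo "TGT is not forwardable: obtain one with kinit -f"; return 1; }
  delegation_enabled /etc/ssh/ssh_config \
    || { echo "GSSAPIDelegateCredentials is not yes in ssh_config"; return 1; }
  echo "forwardable TGT present and delegation enabled"
}
```

Run `check_live` on the client before the failing ssh; if either check fails, the second hop has no delegated credentials to present, which matches the "Permission denied" above.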