
I'm interested in setting up Tectia with GSSAPI. I found this answer, but I think this allows for automatic logins, assuming you're already authenticated.

I want users to be prompted to enter their domain credentials regardless.

edit: Here is the client command and the log file

asked Mar 13 '14 at 06:54


Matt

edited Mar 15 '14 at 05:07


Hi Matt,

GSSAPI allows users who have obtained a valid Kerberos ticket to log in. You can obtain a Kerberos ticket by either:

  • Having already authenticated to an Active Directory using domain credentials

    For example, when your SSH client is running on Windows and you logged on using domain credentials.

  • Running kinit to obtain one

    This will prompt users for their domain credentials. It requires that the SSH client host (where you run kinit) is also configured with Kerberos.


answered Mar 13 '14 at 11:17


Roman ♦♦

I have joined the server (SUSE) to the domain. I have run kinit and successfully obtained a ticket, but when I try to log in I get Permission denied (gssapi-with-mic).

(Mar 13 '14 at 17:10) Matt

Any suggestions?

(Mar 14 '14 at 02:10) Matt

Hi Matt,

In order to troubleshoot this I would need to see an example of the exact commands you are typing on the client side (you can change IP addresses and hostnames) and logs on the server side (syslog) when getting the error. Could you edit your answer to include this?

(Mar 14 '14 at 11:28) Roman ♦♦

One important thing when using GSSAPI is that you have to use the fully qualified domain name of the server when logging in. In addition the server must be able to resolve the client's address correctly.

(Mar 14 '14 at 11:29) Roman ♦♦

Hello, I edited the post. On the SUSE system I can log on using my domain account. I can successfully run kinit and my credentials work. I can run klist and see my ticket. Trying to ssh using my domain account, however, instantly fails.

(Mar 15 '14 at 05:14) Matt

The logs don't provide much new information. Is the Kerberos configuration correct on the server side? Can you verify that you are able to get a ticket granting ticket from the KDC by running the kinit commands referenced in here?

Also, verify that the keytab file is correctly installed on the server as well by running ktutil list.

(Mar 17 '14 at 08:29) Roman ♦♦

Hi Roman, I ended up using pam_krb5. Thank you for the help!

(Apr 14 '14 at 23:44) Matt
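
Two of the checks raised in the comments above (log in with the server's fully qualified domain name, and confirm the keytab on the server holds the right entry) can be scripted. This is an added example, not part of the original thread or Tectia's own tooling; the function names, the sample listing and the conventional `host/<fqdn>@REALM` principal naming are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for a GSSAPI login target.
# All function names here are hypothetical helpers.

# True when the name has at least two non-empty dot-separated labels.
# A trailing root dot is rejected to keep principal derivation simple.
is_fqdn() {
    case "$1" in
        ""|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the host service principal expected in the server keytab.
# Assumption: host/<lowercase fqdn>@<UPPERCASE REALM> naming.
expected_principal() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf 'host/%s@%s\n' "$host" "$realm"
}

# Read a keytab listing on stdin; succeed only if some
# whitespace-separated field equals the principal exactly.
keytab_has_principal() {
    awk -v want="$1" '{ for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
                      END { exit found ? 0 : 1 }'
}

# Args: server-name realm keytab-listing. Returns 1 for a short
# hostname, 2 for a missing keytab entry, 0 when both checks pass.
check_gssapi_target() {
    if ! is_fqdn "$1"; then
        echo "FAIL: '$1' is not a fully qualified domain name"; return 1
    fi
    princ=$(expected_principal "$1" "$2")
    if ! printf '%s\n' "$3" | keytab_has_principal "$princ"; then
        echo "FAIL: keytab has no entry for $princ"; return 2
    fi
    echo "OK: $princ present in keytab"
}

# Constructed sample keytab listing (not taken from the thread).
SAMPLE_KEYTAB='KVNO Principal
---- ------------------------------------
   3 host/suse01.example.com@EXAMPLE.COM
   3 host/suse01@EXAMPLE.COM'
```

On a real server, pass the output of the keytab listing command (the `ktutil list` mentioned above) as the third argument in place of `SAMPLE_KEYTAB`.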
All user contributed content licensed under the cc-by-sa license.