| manyrootsofallevil |
02-26-2012 10:00 AM |
SSH SSO in Windows 2008 not working
I have followed my own tutorial to join a CentOS 6.2 box to a Windows 2008 AD domain.
In addition, I have used ktpass to generate a keytab file and have copied it to the Linux boxes that have joined the domain.
Code:
ktpass -princ HOST/adtest.my.org@MY.ORG -mapuser MY\adtest$ -pass Passw0rd123 -ptype KRB5_NT_PRINCIPAL -crypto All -out adtest.keytab
I can log on to the Linux boxes without any problems using domain accounts (as long as they have unix settings set up) but what I cannot do is single sign on using SSH to another Linux box in this domain.
klist output after I've logged on to adtest
Code:
Ticket cache: FILE:/tmp/krb5cc_10000_NrPg3K
Default principal: testuser@MY.ORG
Valid starting Expires Service principal
02/26/12 15:25:09 02/27/12 01:23:33 krbtgt/MY.ORG@MY.ORG
renew until 02/27/12 01:25:09, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
If I log in to the other linux box in the domain:
Code:
Ticket cache: FILE:/tmp/krb5cc_10000_NrPg3K
Default principal: testuser@MY.ORG
Valid starting Expires Service principal
02/26/12 15:25:09 02/27/12 01:23:33 krbtgt/MY.ORG@MY.ORG
renew until 02/27/12 01:25:09, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
02/26/12 15:26:23 02/27/12 01:23:33 host/adtest2@MY.ORG
renew until 02/27/12 01:25:09, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
and if I log on again to adtest from adtest:
Code:
Ticket cache: FILE:/tmp/krb5cc_10000_NrPg3K
Default principal: testuser@MY.ORG
Valid starting Expires Service principal
02/26/12 15:25:09 02/27/12 01:23:33 krbtgt/MY.ORG@MY.ORG
renew until 02/27/12 01:25:09, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
02/26/12 15:26:23 02/27/12 01:23:33 host/adtest2@MY.ORG
renew until 02/27/12 01:25:09, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
02/26/12 15:28:24 02/27/12 01:23:33 host/adtest.my.org@MY.ORG
renew until 02/27/12 01:25:09, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
I don't understand why the tickets are issued with arcfour encryption and I also don't understand why there is a difference between the ticket for adtest and adtest2.
Same test from adtest2
Code:
Ticket cache: FILE:/tmp/krb5cc_10000_UJ2BQP
Default principal: testuser@MY.ORG
Valid starting Expires Service principal
02/26/12 15:33:11 02/27/12 01:32:24 krbtgt/MY.ORG@MY.ORG
renew until 02/27/12 01:33:11, Etype (skey, tkt): ArcFour with HMAC/md5, AES-256 CTS mode with 96-bit SHA-1 HMAC
02/26/12 15:37:29 02/27/12 01:32:24 host/adtest2@
renew until 02/27/12 01:33:11, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
02/26/12 15:37:29 02/27/12 01:32:24 host/adtest2@MY.ORG
renew until 02/27/12 01:33:11, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
02/26/12 15:37:41 02/27/12 01:32:24 host/adtest.my.org@MY.ORG
renew until 02/27/12 01:33:11, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
I have added this line to ssh_config on both servers
Code:
Host *.domain.com
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
SELinux is set to permissive on both servers
Any ideas?
TIA
edit:
I just realized that adtest is Centos6.2 and adtest2 is RHEL6.0, which means that the kerberos libraries are slightly different 1.9-22 vs 1.8.2-3, respectively, don't think it should make much of a difference, but may it does
edit2:
I just cloned the Centos 6.2 VM called adtest3 and tried again, same result. :( |
