04-14-2011, 06:59 AM
|
#1
|
Member
Registered: Oct 2006
Posts: 302
Rep:
|
windows linux sso ssh
Hello:
I'm trying to do an ssh connection (using Quest PuTTY) from Windows to Linux.
As the Linux hosts are joined to Active Directory, it is possible to do SSO (using Kerberos).
If I connect from Linux to Linux using ssh, it works fine.
If I connect from Windows (Win7) to Linux using Quest PuTTY or Centrify PuTTY, an error is displayed:
Code:
C:\Program Files\Centrify\Centrify PuTTY>Plink.exe -A -K -v serverl001.jed
Looking up host "serverl001.buss.red"
Connecting to 10.16.44.234 port 22
Server version: SSH-2.0-OpenSSH_5.4
We claim version: SSH-2.0-PuTTY_Release_0.60_(Centrify_GSS_1.4)
Using Kerberos authentication
Trying default credentials
Connecting Kerberos service host/serverl001.buss.red
gss_init_sec_context: InitializeSecurityContext returns SEC_I_CONTINUE_NEED
90312
Using principal User1@BUSS.RED
Got host ticket host/serverl001.buss.red@BUSS.RED
Using principal User1@BUSS.RED
Got host ticket host/serverl001.buss.red@BUSS.RED
Using SSH protocol version 2
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
The server's host key is not cached in the registry. You have no guarantee that the server is the computer you think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 1024 73:c5:08:56:45:b5:25:54:d7:9e:3a:41:1b:1c:61:1e
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the connection.
Store key in cache? (y/n) y
Host key fingerprint is:
ssh-rsa 1024 73:c5:08:28:c5:c7:23:54:d7:9e:3a:23:1b:1c:61:1e
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
login as User1@BUSS.RED
Userauth request for gssapi-with-mic
GSSAPI authentication rejected
Kerberos authentication failed. Please check
1) Unix login name is correct
2) Target service principal name is correct
3) Kerberos authentication is enabled in SSH server
4) Clock in the host is syncrhonized with the clock in AD
Using keyboard-interactive authentication.
Password:
Can anyone tell me a program for SSO from Windows to Linux CentOS 5.5?
Thanks
|
|
|
04-14-2011, 06:29 PM
|
#2
|
Senior Member
Registered: Aug 2009
Posts: 3,790
|
Did you check the list of possible causes/fixes?
1) Unix login name is correct
2) Target service principal name is correct
3) Kerberos authentication is enabled in SSH server
4) Clock in the host is syncrhonized with the clock in AD
|
|
|
04-15-2011, 05:46 AM
|
#3
|
Member
Registered: Oct 2006
Posts: 302
Original Poster
Rep:
|
Yes, I've tried that.
As I say, I've added different CentOS 5.5 to Active Directory.
And I can do an SSO from Linux to Linux using that user. The problem is when I try to connect from Windows. Tried with Centrify and Quest PuTTY.
I've tried from Windows2003SR2, Quest PuTTY and AD Win2003SR2 and it works fine.
If I try with Windows7, Quest PuTTY and AD Win2003SR1, a GSSAPI error is received.
Trying the same with Centrify Putty I see:
Code:
C:\Program Files\Centrify\Centrify PuTTY>plink -v -K server1.company.com
Looking up host "server1.company.com"
Connecting to 10.16.137.224 port 22
Server version: SSH-2.0-OpenSSH_4.3
We claim version: SSH-2.0-PuTTY_Release_0.60_(Centrify_GSS_1.4)
Using Kerberos authentication
Trying default credentials
Connecting Kerberos service host/server1.company.com
gss_init_sec_context: InitializeSecurityContext returns SEC_I_CONTINUE_NEEDED:0x90312
Using principal user1@COMPANY.COM
Got host ticket host/server1.company.com@COMPANY.COM
Using principal user1@COMPANY.COM
Got host ticket host/server1.company.com@COMPANY.COM
Using SSH protocol version 2
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-1
Host key fingerprint is:
ssh-rsa 2048 41:a1:72:32:43:55:22:c9:00:33:95:47:02:ea:59:00
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
login as user1@COMPANY.COM
Userauth request for gssapi-with-mic
GSSAPI authentication rejected
Kerberos authentication failed. Please check
1) Unix login name is correct
2) Target service principal name is correct
3) Kerberos authentication is enabled in SSH server
4) Clock in the host is syncrhonized with the clock in AD
user1@COMPANY.COM@server1.company.com's password:
Any other help? Or any chat/forum to ask?
Thanks
Last edited by Felipe; 04-15-2011 at 05:48 AM.
|
|
|
04-16-2011, 07:11 AM
|
#4
|
Senior Member
Registered: Aug 2009
Posts: 3,790
|
Quote:
user1@COMPANY.COM@server1.company.com
|
...is this normal ?
|
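Added example (not part of the thread, and not Centrify or Quest code): a Python triage helper for the four-item checklist plink prints in the logs above. It runs on constructed `plink -v` lines in the format of post #3 and a constructed `sshd_config` fragment; the function names are hypothetical, and the config check ignores `Match` blocks and `keyword=value` syntax.

```python
import re

# Constructed samples (not from the thread), in the format of post #3.
SAMPLE_LOG = """\
Connecting Kerberos service host/server1.company.com
Using principal user1@COMPANY.COM
Got host ticket host/server1.company.com@COMPANY.COM
login as user1@COMPANY.COM
GSSAPI authentication rejected
"""
SAMPLE_SSHD_CONFIG = """\
#GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPIAuthentication no
"""

PATTERNS = {
    "requested_spn": r"^Connecting Kerberos service (\S+)",
    "principal": r"^Using principal (\S+)",
    "ticket": r"^Got host ticket (\S+)",
    "login": r"^login as (\S+)",
}

def parse_plink_log(text):
    """Pull the Kerberos-relevant fields out of plink -v output."""
    found = {k: re.search(p, text, re.MULTILINE) for k, p in PATTERNS.items()}
    fields = {k: (m.group(1) if m else None) for k, m in found.items()}
    fields["rejected"] = "GSSAPI authentication rejected" in text
    return fields

def gssapi_enabled(sshd_config_text):
    """sshd uses the first value it reads for a keyword; the default is 'no'."""
    for line in sshd_config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "gssapiauthentication":
            return parts[1].lower() == "yes"
    return False

def triage(fields):
    """Map the parsed fields onto the client's four-item checklist."""
    notes = []
    ticket_spn = (fields["ticket"] or "").split("@")[0]
    if fields["ticket"] and ticket_spn == fields["requested_spn"]:
        notes.append("SPN: KDC issued a ticket for the requested service")
    if fields["login"] and "@" in fields["login"]:
        notes.append("login: SSH user name carries a realm suffix")
    if fields["rejected"] and fields["ticket"]:
        notes.append("rejection came after ticket issue: check sshd side")
    return notes
```

The client log alone cannot confirm items 3 and 4 of the checklist; those need the server's effective sshd configuration and its clock compared against the domain controller.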
|
|
04-17-2011, 09:35 PM
|
#6
|
Senior Member
Registered: Aug 2009
Posts: 3,790
|
Which version of AD did you want to use ? ... 2003 and 2003R2 have different schemas and you need to install different products (SFU for 2003 and IDMU for 2003R2) to enable *nix logons.
|
|
|
04-18-2011, 04:54 AM
|
#7
|
Member
Registered: Oct 2006
Posts: 302
Original Poster
Rep:
|
Version:
- Domain Controllers: Windows 2003.
- Schemas: Windows 2003 R2 (schemas were updated from Win2003, but not the software/domain controllers).
What do I have to install/configure?
Thanks
|
|
|
04-18-2011, 07:12 AM
|
#8
|
Senior Member
Registered: Aug 2009
Posts: 3,790
|
I'm not sure .. was there a specific reason you didn't update the OS as well ?
|
|
|
04-18-2011, 07:54 AM
|
#9
|
Member
Registered: Oct 2006
Posts: 302
Original Poster
Rep:
|
Active Directory is the work of another department.
I can use it, but not modify/configure it.
Any other suggestion?
Thanks
Last edited by Felipe; 04-18-2011 at 02:43 PM.
|
|
|
04-20-2011, 04:48 AM
|
#10
|
Senior Member
Registered: Aug 2009
Posts: 3,790
|
Ask them to install IDMU and see if it works
|
|
|
04-20-2011, 07:31 AM
|
#11
|
Member
Registered: Oct 2006
Posts: 302
Original Poster
Rep:
|
Not possible to install IDMU in Active Directory (ADS department is not going to do that).
I'll have to wait for a migration of Active Directory to ADS 2008, but it can take months (or years).
Any other suggestion is welcome.
Thanks
|
|
|
04-21-2011, 06:42 AM
|
#12
|
Senior Member
Registered: Aug 2009
Posts: 3,790
|
Sorry, I'm all out, good luck
|
|
|
All times are GMT -5. The time now is 06:01 PM.