[Freeipa-users] Active directory trust and SSH
Jim Richard
2016-09-06 05:02:34 UTC
So I have two-way trust setup and it seems to work.

And as described here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html

SSSD allows user names in the format ***@AD.DOMAIN, ad.domain\user and AD\user

That works just as described.

I have two domains/realms - idm.placeiq.net and idm-ad.placeiq.net, the second being the Active Directory domain.

My desire is to have AD be the source for all user/authentication - the AD users will use their creds to ssh in to all of the CentOS hosts in the idm.placeiq.net domain.

The hosts that live in IDM are a combination of CentOS 6.8 and 7.X hosts.

How can I make it so a user does not have to:

ssh 'IDM-AD\Administrator'@hostname or ssh ***@idm-***@hostname

Instead, when I say ***@hostname it auto-magically knows I mean "ssh ***@idm-***@10.1.41.202"

I’ve tried modifying krb5.conf as such but it seems like I’m missing a step.

[libdefaults]
#default_realm = IDM.PLACEIQ.NET
default_realm = IDM-AD.PLACEIQ.NET


I think my clients use the localauth plugin but I’m not entirely sure. If so, how can I configure its behavior?




Jim Richard
SYSTEM ADMINISTRATOR III
(646) 338-8905
Tomas Krizek
2016-09-06 06:30:31 UTC
Post by Jim Richard
So I have two-way trust setup and it seems to work.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html
SSSD allows user names in the
That works just as described.
I have two domains/realms - idm.placeiq.net and idm-ad.placeiq.net,
the second being the Active Directory domain.
My desire is to have AD be the source for all user/authentication -
the AD users will use their creds to ssh in to all of the CentOS hosts
in the idm.placeiq.net domain.
The hosts that live in IDM are a combination of CentOS 6.8 and 7.X hosts.
I’ve tried modifying krb5.conf as such but it seems like I’m missing
a step.
[libdefaults]
#default_realm = IDM.PLACEIQ.NET
default_realm = IDM-AD.PLACEIQ.NET
I think my clients use the localauth plugin but I’m not entirely sure.
If so, how can I configure its behavior?
I don't think what you're asking for is possible to do as a FreeIPA
configuration. The documentation describes how to log in without
prompting for passwords, but I think it is still necessary to provide
the username with AD realm when logging in.

If you're always logging in as the same user to certain machines, you
could configure a default user in the ssh_config.

Perhaps someone else will have a better answer.
--
Tomas Krizek
Jakub Hrozek
2016-09-06 06:57:06 UTC
Post by Jim Richard
So I have two-way trust setup and it seems to work.
And as described here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html
That works just as described.
I have two domains/realms - idm.placeiq.net and idm-ad.placeiq.net, the second being the Active Directory domain.
My desire is to have AD be the source for all user/authentication - the AD users will use their creds to ssh in to all of the CentOS hosts in the idm.placeiq.net domain.
The hosts that live in IDM are a combination of CentOS 6.8 and 7.X hosts.
I’ve tried modifying krb5.conf as such but it seems like I’m missing a step.
[libdefaults]
#default_realm = IDM.PLACEIQ.NET
default_realm = IDM-AD.PLACEIQ.NET
I think my clients use the localauth plugin but I’m not entirely sure. If so, how can I configure its behavior?
Put:
default_domain_suffix = AD.DOMAIN
into the [sssd] section of your sssd.conf.

This setting auto-qualifies any user or group queries unless you qualify
them yourself (so you need to qualify any IPA user/group lookups).
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
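An added example, not from the thread or from SSSD itself: it reads a constructed sssd.conf modelled on the two realms above, confirms that default_domain_suffix is set in the [sssd] section, and uses a simplified model of SSSD's name qualification to show the consequence Jakub describes (unqualified names go to the AD domain, so IPA users such as admin must be written admin@idm.placeiq.net). The config contents and the qualify() helper are assumptions for illustration.

```python
"""Check sssd.conf for default_domain_suffix and model its effect on lookups."""
import configparser
import io
from typing import Optional

# Constructed sssd.conf fragment (not a real file from the thread). In an
# IPA-AD trust only the IPA domain is listed; the AD domain is a trusted
# subdomain that SSSD discovers through IPA.
SAMPLE_SSSD_CONF = """
[sssd]
domains = idm.placeiq.net
services = nss, pam, ssh
default_domain_suffix = idm-ad.placeiq.net

[domain/idm.placeiq.net]
id_provider = ipa
ipa_domain = idm.placeiq.net
"""


def default_domain_suffix(conf_text: str) -> Optional[str]:
    """Return the [sssd] default_domain_suffix value, or None if it is unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(conf_text))
    if not cp.has_section("sssd"):
        return None
    return cp.get("sssd", "default_domain_suffix", fallback=None)


def qualify(name: str, suffix: Optional[str]) -> str:
    """Simplified model of SSSD's lookup qualification (assumption):
    names already written as user@domain or DOMAIN\\user are left alone;
    a bare name gets the default suffix appended when one is configured."""
    if "@" in name or "\\" in name:
        return name
    if suffix is None:
        return name
    return f"{name}@{suffix}"


if __name__ == "__main__":
    suffix = default_domain_suffix(SAMPLE_SSSD_CONF)
    print("default_domain_suffix:", suffix)
    # The AD Administrator no longer needs a realm on the ssh command line...
    print("administrator ->", qualify("administrator", suffix))
    # ...but the IPA admin would now be looked up in AD unless qualified.
    print("admin         ->", qualify("admin", suffix))
    print("admin@idm.placeiq.net ->", qualify("admin@idm.placeiq.net", suffix))
```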