vincent at cojot.name
2021-Jun-05 20:20 UTC
[Samba] Logging into Linux from Domain-joined Win10 desktop works for hostnames, not VIPs
Hi Rowland,

You are 100% right and perhaps what I am seeing is only sssd stuff. I've been able to locate a BZ (#1) talking about something similar so perhaps I only need to 'net ads keytab add' on the Linux hosts.

Sorry for the noise,

#1: https://bugzilla.redhat.com/show_bug.cgi?id=1529301

Vincent

On Sat, 5 Jun 2021, Rowland penny via samba wrote:

> On 05/06/2021 20:56, Vincent S. Cojot via samba wrote:
>>
>> Hi All,
>>
>> I've observed some strange thing and I know too little about Windows to
>> figure out what's going on so I would love it if someone could shed some
>> light..
>>
>> Here's the thing:
>>
>> From a win10 desktop, I PuTTY ssh to a server if I use PuTTY with the
>> remote server's hostname but if I use a VIP hosted on the same server, my
>> user gets prompted for a UNIX password (I'm not using SSH keys in this
>> environment, only plain AD with bind).
>>
>> In more detail:
>> my RHEL servers are joined to the domain using this:
>>
>> # realm list
>> ad.lasthome.solace.krynn
>>   type: kerberos
>>   realm-name: AD.LASTHOME.SOLACE.KRYNN
>>   domain-name: ad.lasthome.solace.krynn
>>   configured: kerberos-member
>>   server-software: active-directory
>>   client-software: sssd
>>   required-package: oddjob
>>   required-package: oddjob-mkhomedir
>>   required-package: sssd
>>   required-package: adcli
>>   required-package: samba-common-tools
>>   login-formats: %U
>>   login-policy: allow-realm-logins
>>
>> From any Windows10 desktop in the home, I can PuTTY without a password
>> prompt to <hostname1.lasthome.solace.krynn>.
>>
>> If I try to PuTTY to <floating1.lasthome.solace.krynn>, my user gets
>> prompted for its password.
>>
>> Any ideas? I'm just stumped.. (I don't use Win10 but some of my children
>> do and one has a need to ssh from it to a Linux box).
>>
>> Thank you,
>>
>> Vincent
>>
>
> you appear to be trying to connect to 'floating1.lasthome.solace.krynn' but
> your AD dns domain appears to be 'ad.lasthome.solace.krynn', so of course you
> are going to get asked for a password.
>
> Can I ask where Samba comes into this ? If there are shares involved and the
> Samba version is >= 4.8.0, then you shouldn't be using sssd etc, but if you
> just want authentication, then you don't need Samba, you can just use sssd.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
vincent at cojot.name
2021-Jun-05 20:30 UTC
[Samba] Logging into Linux from Domain-joined Win10 desktop works for hostnames, not VIPs
Also, I just tested this and it's entirely similar:

I can PuTTY without a password prompt to <hostname1.lasthome.solace.krynn> or <hostname1.ad.lasthome.solace.krynn>.

If I try to PuTTY to <floating1.lasthome.solace.krynn>, or <floating1.ad.lasthome.solace.krynn> it prompts for a password.

The servers are running RHEL8.4.

I probably need to run 'net ads keytab <something>' so I'll be trying to figure out the 'something' part.. :)

Sorry again for the noise,

Vincent

On Sat, 5 Jun 2021, Vincent S. Cojot via samba wrote:

> Hi Rowland,
>
> You are 100% right and perhaps what I am seeing is only sssd stuff. I've been
> able to locate a BZ (#1) talking about something similar so perhaps I
> only need to 'net ads keytab add' on the Linux hosts.
>
> Sorry for the noise,
>
> #1: https://bugzilla.redhat.com/show_bug.cgi?id=1529301
>
> Vincent
>
> On Sat, 5 Jun 2021, Rowland penny via samba wrote:
>
>> On 05/06/2021 20:56, Vincent S. Cojot via samba wrote:
>>>
>>> Hi All,
>>>
>>> I've observed some strange thing and I know too little about Windows to
>>> figure out what's going on so I would love it if someone could shed some
>>> light..
>>>
>>> Here's the thing:
>>>
>>> From a win10 desktop, I PuTTY ssh to a server if I use PuTTY with the
>>> remote server's hostname but if I use a VIP hosted on the same server, my
>>> user gets prompted for a UNIX password (I'm not using SSH keys in this
>>> environment, only plain AD with bind).
>>>
>>> In more detail:
>>> my RHEL servers are joined to the domain using this:
>>>
>>> # realm list
>>> ad.lasthome.solace.krynn
>>>   type: kerberos
>>>   realm-name: AD.LASTHOME.SOLACE.KRYNN
>>>   domain-name: ad.lasthome.solace.krynn
>>>   configured: kerberos-member
>>>   server-software: active-directory
>>>   client-software: sssd
>>>   required-package: oddjob
>>>   required-package: oddjob-mkhomedir
>>>   required-package: sssd
>>>   required-package: adcli
>>>   required-package: samba-common-tools
>>>   login-formats: %U
>>>   login-policy: allow-realm-logins
>>>
>>> From any Windows10 desktop in the home, I can PuTTY without a password
>>> prompt to <hostname1.lasthome.solace.krynn>.
>>>
>>> If I try to PuTTY to <floating1.lasthome.solace.krynn>, my user gets
>>> prompted for its password.
>>>
>>> Any ideas? I'm just stumped.. (I don't use Win10 but some of my children
>>> do and one has a need to ssh from it to a Linux box).
>>>
>>> Thank you,
>>>
>>> Vincent
>>>
>>
>> you appear to be trying to connect to 'floating1.lasthome.solace.krynn'
>> but your AD dns domain appears to be 'ad.lasthome.solace.krynn', so of
>> course you are going to get asked for a password.
>>
>> Can I ask where Samba comes into this ? If there are shares involved and
>> the Samba version is >= 4.8.0, then you shouldn't be using sssd etc, but
>> if you just want authentication, then you don't need Samba, you can just
>> use sssd.
>>
>> Rowland
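
One way to test the keytab idea raised in this thread, as an added example that is not part of the original posts: list the `host/` keys in the machine keytab and report which of the names clients connect to have none. It assumes MIT `klist -k` output and that Kerberos SSH login needs a `host/<name>` key for the name the client used; the keytab listing below is constructed, and `missing_host_spns` is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample of `klist -k /etc/krb5.keytab` output (not from the thread).
sample_keytab() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 HOSTNAME1$@AD.LASTHOME.SOLACE.KRYNN
   2 host/HOSTNAME1@AD.LASTHOME.SOLACE.KRYNN
   2 host/hostname1.ad.lasthome.solace.krynn@AD.LASTHOME.SOLACE.KRYNN
   2 host/hostname1.lasthome.solace.krynn@AD.LASTHOME.SOLACE.KRYNN
EOF
}

# Read `klist -k` output on stdin and print every name passed as an argument
# that has no host/<name>@REALM entry. Names are compared case-insensitively.
missing_host_spns() {
    # Keep only data rows (numeric KVNO) whose principal starts with host/,
    # then strip the "host/" prefix and the "@REALM" suffix.
    spns=$(awk '$1 ~ /^[0-9]+$/ && $2 ~ /^host\// {
                    p = tolower($2)
                    sub(/^host\//, "", p)
                    sub(/@.*$/, "", p)
                    print p
                }' | sort -u)
    for name in "$@"; do
        lname=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        # Exact, fixed-string match against the list of keytab host names.
        printf '%s\n' "$spns" | grep -Fxq -- "$lname" || printf '%s\n' "$name"
    done
}

# On a real host: klist -k /etc/krb5.keytab | missing_host_spns <names...>
sample_keytab | missing_host_spns \
    hostname1.lasthome.solace.krynn \
    floating1.lasthome.solace.krynn \
    floating1.ad.lasthome.solace.krynn
```

A name printed by this check has no key in the keytab, which is the condition the 'net ads keytab add' idea in the thread is meant to address.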