Hide Forgot
Description of problem: On 5.10 client ,kinit as valid ipa user then ssh to 7.0 Server still requires root password Version-Release number of selected component (if applicable): [root@ibm-x3650m4-02-vm-05 ~]# rpm -q ipa-server ipa-server-3.3.3-4.el7.x86_64 [root@client510 ~]# rpm -q ipa-client ipa-client-2.1.3-7.el5 How reproducible: Always Steps to Reproduce: On server : 1. kinit as admin 2. add testuser 3.kinit as testuser [root@ibm-x3650m4-02-vm-05 ~]# kinit admin Password for admin: [root@ibm-x3650m4-02-vm-05 ~]# ipa user-add testusr --first testusr --last testusr --password Password: Enter Password again to verify: -------------------- Added user "testusr" -------------------- User login: testusr First name: testusr Last name: testusr Full name: testusr testusr Display name: testusr testusr Initials: tt Home directory: /home/testusr GECOS: testusr testusr Login shell: /bin/sh Kerberos principal: testusr Email address: testusr UID: 1936000011 GID: 1936000011 Password: True Member of groups: ipausers Kerberos keys available: True [root@ibm-x3650m4-02-vm-05 ~]# kinit testusr Password for testusr: Password expired. You must change it now. Enter new password: Enter it again: [root@ibm-x3650m4-02-vm-05 ~]# klist Ticket cache: KEYRING:persistent:0:krb_ccache_f3Qdb59 Default principal: testusr Valid starting Expires Service principal 11/20/2013 14:07:04 11/21/2013 14:07:04 krbtgt/TESTRELM.COM On client: 1.kinit as testuser 2.ssh $MASTER [root@client510 ~]# kinit testusr Password for testusr: [root@client510 ~]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: testusr Valid starting Expires Service principal 11/20/13 14:07:19 11/21/13 14:07:16 krbtgt/TESTRELM.COM 11/20/13 14:07:33 11/21/13 14:07:16 host/ibm-x3650m4-02-vm-05.testrelm.com Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached [root@client510 ~]# echo $MASTER ibm-x3650m4-02-vm-05.testrelm.com [root@client510 ~]# ssh $MASTER root.com's password: Last login: Wed Nov 20 13:39:50 2013 from client510.testrelm.com Actual results: ssh still requires root password Expected results: ssh without asking password Additional info:
Do I read it right that you are sshing using root rather then testusr?
Given the output, it seems that way. ssh does not magically figure out the user from a Kerberos ticket. Closing the bug. Yi, please try ssh testusr@$MASTER instead and see if that works. If not, please feel free to reopen the bug.
ssh testusr@$MASTER works in this 7.0 server 5.10 client env. In other envs I've tested such as 7.0 server 7.0 client or 6.5 server 5.10 client, ssh with root does not require a password tho. [root@ibm-ls41-02 ~]# echo $MASTER ibm-x3650m4-01-vm-04.testrelm.com [root@ibm-ls41-02 ~]# ssh $MASTER Last login: Wed Nov 20 12:38:09 2013 from ibm-ls41-02.rhts.eng.bos.redhat.com ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** This System is reserved by xdong. To return this system early. You can run the command: return2beaker.sh Ensure you have your logs off the system before returning to Beaker To extend your reservation time. You can run the command: extendtesttime.sh This is an interactive script. You will be prompted for how many hours you would like to extend the reservation. You should verify the watchdog was updated succesfully after you extend your reservation. https://beaker.engineering.redhat.com/recipes/1140280 For ssh, kvm, serial and power control operations please look here: https://beaker.engineering.redhat.com/view/ibm-x3650m4-01-vm-04.testrelm.com Beaker Test information: HOSTNAME=ibm-x3650m4-01-vm-04.testrelm.com JOBID=547950 RECIPEID=1140280 RESULT_SERVER=127.0.0.1:7091 DISTRO=RedHatEnterpriseLinux-6.5 ARCHITECTURE=x86_64 Job Whiteboard: Client certification :: RHEL 5.10 i386 IPA CLient :: RHEL6.5 IPA SERVER Recipe Whiteboard: IPA MASTER ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** [root@ibm-x3650m4-01-vm-04 ~]# logout Connection to ibm-x3650m4-01-vm-04.testrelm.com closed.
Forgot to paste the tkt info : [root@ibm-ls41-02 ~]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: one Valid starting Expires Service principal 11/20/13 12:35:55 11/21/13 12:35:52 krbtgt/TESTRELM.COM 11/20/13 12:36:59 11/21/13 12:35:52 host/ibm-x3650m4-01-vm-04.testrelm.com Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached I do think prompting for root passwd when we kinit as non-root ipa user and ssh to server makes more sense.But somehow it doesn't behave same way in some test envs I mentioned above.
Ahh after checking with Nalin I found that I checked the ticket in a wrong way. I ssh to the client and klist in the shell window ,in which $KRB5CCNAME is not set.I did GDM login and check directly instead, it worked fine. Closing as not a bug.