On Mon, Oct 28, 2019 at 8:47 PM James M. Pulver <jmp242@cornell.edu> wrote:
I'm working with trying to use Kerberos with our X2Go server from different OSs. We are running a Server 2016 Active Directory with the UNIX attributes. All computers are joined to this AD.
On Windows 10, I can get GSSAPI to authenticate and let me log in without a password. However, I cannot then ssh to a different Linux computer without doing a kinit.
So klist is not reporting any tickets, right? Please provide the output of klist -f.
If I check "delegation of GSSAPI Credentials to the server", I get various cp errors around files with "odd" characters, or unable to find the keyring.
Please provide more details. Do you see these errors on the Linux server or elsewhere? Please try to post them here.
On other Scientific Linux 7 computers, I can't even get the Kerberos 5 authentication to work, it just gives me an error to log in with my password. This does work with the first remote Linux computer via ssh.
Well, x2go is using libssh. Maybe the libssh of Scientific Linux is too old. Unfortunately I do not know what version is required for this to work. Can you try with a newer version?
I have tried enabling delegation in AD for the computer account of my primary jump host, no change I can see.
So - why is X2Go different on Linux with regard to using Kerberos 5 auth when straight SSH works, and 2 has anyone figured out the Windows equivalent to kinit -F for a user so they can do 2 hops?
As I wrote above X2go is not using openssh but libssh. I would love to have x2go use openssh.
Regarding kinit -f (-F is _suppressing_ forwarding!) I have no idea how to do that on Windows. AFAIR kinit is not provided at all.
Uli
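
An added example, not part of the original message: a small checker for the `klist -f` output requested above, reporting whether the TGT is forwardable (flag `F`, what `kinit -f` asks for) and whether a service ticket carries ok-as-delegate (flag `O`, which AD sets for accounts trusted for delegation). It assumes the MIT Kerberos `klist` layout with numeric dates; the sample output, realm and host names are constructed.

```python
import re

# Constructed sample of `klist -f` output; realm, host and times are made up.
SAMPLE = """\
Ticket cache: KEYRING:persistent:1000:1000
Default principal: alice@EXAMPLE.ORG

Valid starting       Expires              Service principal
10/28/2019 20:00:00  10/29/2019 06:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\trenew until 11/04/2019 20:00:00, Flags: RIA
10/28/2019 20:01:10  10/29/2019 06:00:00  host/jump.example.org@EXAMPLE.ORG
\tFlags: AO
"""

# A ticket line is: start date, start time, end date, end time, principal.
TICKET = re.compile(r"^\d\S*\s+\S+\s+\d\S*\s+\S+\s+(\S+)$")

def parse_klist(text):
    """Return {service principal: set of flag letters} from `klist -f` output."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = TICKET.match(line.strip())
        if m:
            current = m.group(1)
            tickets[current] = set()
        elif current and "Flags:" in line:
            # Flags follow the ticket line, sometimes after "renew until ...".
            tickets[current] |= set(line.split("Flags:", 1)[1].strip())
    return tickets

def delegation_report(text):
    """Return (principal, ok, reason) for each ticket in the cache."""
    report = []
    for principal, flags in parse_klist(text).items():
        if principal.startswith("krbtgt/"):
            ok = "F" in flags  # F = forwardable
            why = "TGT is forwardable" if ok else "TGT not forwardable: re-run kinit -f"
        else:
            ok = "O" in flags  # O = ok-as-delegate
            why = "ok-as-delegate set" if ok else "service not marked trusted for delegation"
        report.append((principal, ok, why))
    return report

if __name__ == "__main__":
    for principal, ok, why in delegation_report(SAMPLE):
        print("OK   " if ok else "CHECK", principal, "-", why)
```
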