SSO w/ RHEL 9 against Active Directory (GSSAPI): has anyone gotten it to work?


I've always joined my Linux systems to a Windows domain and used PuTTY, and now PowerShell 7 as well, to connect without having to specify a password, using GSSAPI authentication.

This worked with CentOS 7 and CentOS 8, but with Red Hat 9 I have not for the life of me been able to get it to work. Has anyone? Do you have a write-up on how to make it work?

In the past it was pretty much as simple as:
- join the Linux system to a domain
- verify you can log in with an AD user
Prep to connect via GSSAPI:
- locate the Linux computer object in AD
- edit properties, find the 'Delegation' tab, select 'Trust this computer for delegation to any service (Kerberos only)'
- in PuTTY specify the auto-login username to be 'username@domain'
- make sure the Linux system's hostname.domain resolves in DNS
- ensure PuTTY will attempt GSS (it does by default)
- connect with PuTTY without having to specify a password

Note:
Actually, CentOS 8 required adding a line to /etc/krb5.conf; without it the SSO sign-in wouldn't work by default:

includedir /var/lib/sss/pubconf/krb5.include.d/

The steps above yield the following log when attempting to connect to ku.HOME.NET:

Nov 19 12:05:24 ku sshd[1810]: debug1: Forked child 2116.
Nov 19 12:05:24 ku sshd[2116]: debug1: Set /proc/self/oom_score_adj to 0
Nov 19 12:05:24 ku sshd[2116]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Nov 19 12:05:24 ku sshd[2116]: debug1: inetd sockets after dupping: 4, 4
Nov 19 12:05:24 ku sshd[2116]: Connection from 10.0.0.19 port 51633 on 10.0.0.18 port 22 rdomain ""
Nov 19 12:05:24 ku sshd[2116]: debug1: Local version string SSH-2.0-OpenSSH_8.7
Nov 19 12:05:24 ku sshd[2116]: debug1: Remote protocol version 2.0, remote software version OpenSSH_for_Windows_8.6
Nov 19 12:05:24 ku sshd[2116]: debug1: compat_banner: match: OpenSSH_for_Windows_8.6 pat OpenSSH* compat 0x04000000
Nov 19 12:05:24 ku sshd[2116]: debug1: SELinux support enabled [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: ssh_selinux_change_context: setting context from 'system_u:system_r:sshd_t:s0-s0:c0.c1023' to 'system_u:system_r:sshd_net_t:s0-s0:c0.c1023' [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: permanently_set_uid: 74/74 [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: SSH2_MSG_KEXINIT received [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: kex: algorithm: curve25519-sha256 [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: kex: host key algorithm: ssh-ed25519 [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: kex: curve25519-sha256 need=64 dh_need=64 [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: kex: curve25519-sha256 need=64 dh_need=64 [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: rekey out after 134217728 blocks [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: Sending SSH2_MSG_EXT_INFO [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: rekey in after 134217728 blocks [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: KEX done [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: userauth-request for user travis@HOME.NET service ssh-connection method none [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: attempt 0 failures 0 [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: PAM: initializing for "travis@HOME.NET"
Nov 19 12:05:24 ku sshd[2116]: debug1: PAM: setting PAM_RHOST to "10.0.0.19"
Nov 19 12:05:24 ku sshd[2116]: debug1: PAM: setting PAM_TTY to "ssh"
Nov 19 12:05:24 ku sshd[2116]: debug1: userauth-request for user travis@HOME.NET service ssh-connection method gssapi-with-mic [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: attempt 1 failures 0 [preauth]
Nov 19 12:05:24 ku sshd[2116]: debug1: No credentials were supplied, or the credentials were unavailable or inaccessible\nNo key table entry found matching host/ku@\n\n

Additional:

$ hostname -f
ku.HOME.NET

$ sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 KU$@HOME.NET
   5 KU$@HOME.NET
   5 host/KU@HOME.NET
   5 host/KU@HOME.NET
   5 host/ku.HOME.NET@HOME.NET
   5 host/ku.HOME.NET@HOME.NET
   5 RestrictedKrbHost/KU@HOME.NET
   5 RestrictedKrbHost/KU@HOME.NET
   5 RestrictedKrbHost/ku.HOME.NET@HOME.NET
   5 RestrictedKrbHost/ku.HOME.NET@HOME.NET
