12 April,16 at 11:45 AM
Question:
How do I enable forwardable kerberos tickets via plink?
Answer:
You have to enable “Trust this computer for delegation to any service (Kerberos only)” in property of computer object in domain for the target Unix / Linux host.
Open ADUC --> Right-click the particular computer object and select property --> Go to Delegation tab --> Select “Trust this computer for delegation to any service (Kerberos only)” and then click apply.
When you use plink to establish ssh connection, use –option A to enable ticket forwarding, like
plink -ssh -A <Host Name/IP Address>
e.g. plink -ssh -A rhel.lab.local
plink also supports loading Putty profile, means you can establish ssh connection with kerberos forwarding enabled profile.
plink –load <profilename>
e.g. plink –load sshServer1
KB-8814: Non-forwardable Kerberos Ticket is Generated With Trust Delegation Enabled
KB-4303: How to troubleshoot SSH Single-Sign-On (SSO) and nested SSO?
KB-3925: How to add Centrify parameter to a group policy
KB-2526: Cannot create consistently forwardable Kerberos tickets using Centrify OpenSSH
KB-1876: Cannot create Kerberos tickets using Centrify OpenSSH
KB-4662: How to refresh an AD user account's Kerberos ticket automatically via group policy
KB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out?
KB-6050: How to configure a group for automatic Kerberos Credentials for infinite renewal?
KB-6280: AD Users unable to mount kerberos-enabled NFSv4 shares on RHEL