KB-2526: Cannot create consistently forwardable Kerberos tickets using Centrify OpenSSH

Centrify DirectControl

12 April 2016 at 11:08 AM

Applies to: All versions of Centrify DirectControl on specific platforms (see the platform exclusions in the note below)
 
Question:
Consider the following scenario:
 
a) Two Centrify-managed servers are trusted for delegation, as shown on their computer objects in Active Directory Users and Computers. (See KB-2333: How to configure Centrify Putty to access a machine in a trusted domain with Kerberos Authentication.)
b) Both servers run Centrify's OpenSSH; sshd_config was not changed.
c) On the client side, Centrify Putty is used with its Kerberos settings in place.
d) A fresh TGT has been obtained on the Windows client machine (klist shows it is current).
e) Forward and reverse DNS lookups of both Centrify servers work from Windows.
f) In /etc/centrifydc/centrifydc.conf, krb5.forwardable.user.tickets is set to true.
g) In /etc/centrifydc/centrifydc.conf, krb5.unique.cache.files is set to false.
 
After the first hop with SSO, running /usr/share/centrifydc/kerberos/bin/klist -f on the first server reports that no credentials cache was found.
As a result, the second hop (SSH with Kerberos SSO from the first server to the second) fails.
 
Is there any reason for this?
 
Answer:
This is a known issue in Centrify's code, not in sshd itself. There is no workaround.
 
This will be fixed in Centrify DirectControl 5.1.
 
Note:
Excludes CentOS 6.3, Debian 6, Fedora 17 and Oracle Linux EL 6u2.
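To tell on the first hop whether the credential cache can carry a second hop, the check below parses the output of klist -f and reports one of three states: no cache at all (the symptom in the question), a TGT that was forwarded but is not itself forwardable (it carries the f flag but not F, so it cannot be delegated again), or a forwardable TGT. This is an added example script, not Centrify's own tooling. It assumes the klist under /usr/share/centrifydc/kerberos/bin prints MIT-style "Flags:" lines when given -f and reports a missing cache with the text "No credentials cache found"; the three klist listings embedded at the bottom are constructed samples, not real captures.

```shell
#!/bin/sh
# Added diagnostic for the two-hop scenario in KB-2526 (example code, not
# Centrify's). Assumptions: klist -f prints an MIT-style "Flags:" line under
# each ticket (F = forwardable, f = forwarded), and a missing cache produces
# the message "No credentials cache found".

KLIST=/usr/share/centrifydc/kerberos/bin/klist   # path quoted in the article

# Exit 0 if the klist -f listing on stdin has a krbtgt entry whose Flags line
# contains F. A TGT that only carries f (forwarded) but not F cannot be
# forwarded again, which is what breaks the second hop.
tgt_is_forwardable() {
    awk '
        /krbtgt\//  { in_tgt = 1; next }
        /Flags:/    {
            if (in_tgt) { split($0, a, "Flags:"); if (index(a[2], "F") > 0) found = 1 }
            in_tgt = 0
        }
        END { exit(found ? 0 : 1) }
    '
}

# Read klist -f output on stdin and print one word:
#   no-cache | not-forwardable | forwardable
# Exit status is 0 only when the cache can be used for another hop.
classify_cache() {
    out=$(cat)
    if [ -z "$out" ] || printf '%s\n' "$out" | grep -qi 'no credentials cache found'; then
        echo no-cache; return 1
    fi
    if printf '%s\n' "$out" | tgt_is_forwardable; then
        echo forwardable; return 0
    fi
    echo not-forwardable; return 1
}

# Live check on the current hop (needs a real cache, so it is not run below):
#   "$KLIST" -f 2>&1 | classify_cache

# Constructed klist -f listings covering the three outcomes (not real captures).
SAMPLE_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdoe@EXAMPLE.COM

Valid starting       Expires              Service principal
04/12/2016 10:08:00  04/12/2016 20:08:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 04/19/2016 10:08:00, Flags: FfRA'

SAMPLE_NOT_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdoe@EXAMPLE.COM

Valid starting       Expires              Service principal
04/12/2016 10:08:00  04/12/2016 20:08:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: fRA
04/12/2016 10:08:05  04/12/2016 20:08:00  host/server1.example.com@EXAMPLE.COM
        Flags: FRA'

SAMPLE_NO_CACHE='klist: No credentials cache found (filename: /tmp/krb5cc_1000)'

for s in "$SAMPLE_FORWARDABLE" "$SAMPLE_NOT_FORWARDABLE" "$SAMPLE_NO_CACHE"; do
    printf '%s\n' "$s" | classify_cache || true
done
```

Run it on the first server after the SSO login; the live check line is the one to uncomment. The flag test deliberately looks only at the krbtgt entry: a forwardable host/ service ticket on its own (as in the second sample) does not help, because it is the TGT that must be delegated to the next server.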
