This should go to the list as well....

---------- Forwarded message ----------
From: Quinn Plattel <[email protected]>
Date: Tue, Jul 10, 2012 at 9:13 AM
Subject: Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?
To: "Ritter, Marcel - RRZE" <[email protected]>

Hi Marcel,

Maybe you could do a "klist -ke /etc/krb5.keytab" on both machines so we can see the differences?

br,
Quinn

On Mon, Jul 9, 2012 at 5:17 PM, Ritter, Marcel - RRZE <[email protected]> wrote:
> Hi Quinn,
>
> I've tried to get ssh Kerberos/gssapi login working on my Samba4 DC,
> no luck so far.
>
> However, after joining two VMs to this domain using Samba 3, ssh
> logins work between those two machines (not towards the DC).
>
> The only relevant difference I found while searching for a solution
> was differences in the krb5.keytab: it looks like Samba4 and Samba3
> create different entries there (upper/lower case differ). I don't have
> the VMs up and running at the moment, but I can supply the details if
> it helps to fix this problem - just let me know.
>
> Bye,
> Marcel
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On behalf of Quinn Plattel
> Sent: Monday, 9 July 2012 15:17
> To: samba
> Subject: Re: [Samba] How do I get an ssh client to authenticate with
> samba4's kerberos GSSAPI?
>
> Hi,
>
> Forgot to mention that the client side's ssh configuration
> (/etc/ssh/ssh_config) has the following lines:
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
> GSSAPITrustDns yes
>
> The server side ssh configuration (/etc/ssh/sshd_config) has the following
> lines:
> GSSAPIAuthentication yes
> GSSAPIKeyExchange yes
> GSSAPICleanupCredentials yes
>
> br,
> Quinn
>
>
> On Mon, Jul 9, 2012 at 3:12 PM, Quinn Plattel <[email protected]> wrote:
>
> > Hi,
> >
> > I am doing some kerberos testing with samba4 using ssh. I have set up
> > samba4 using the howto at
> > http://wiki.samba.org/index.php/Samba4/HOWTO and active directory seems
> > to be working both with Windows and Linux clients.
> > ssh unfortunately is not kerberos authenticating via GSSAPI. The
> > client krb5.conf contains this:
> >
> > =====================================================
> > [libdefaults]
> > default_realm = MYDOMAIN.NET
> >
> > krb4_config = /etc/krb.conf
> > krb4_realms = /etc/krb.realms
> > kdc_timesync = 1
> > ccache_type = 4
> > forwardable = true
> > proxiable = true
> > dns_fallback = yes
> > default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> > default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >
> > v4_instance_resolve = false
> > v4_name_convert = {
> > host = {
> > rcmd = host
> > ftp = ftp
> > }
> > plain = {
> > something = something-else
> > }
> > }
> > fcc-mit-ticketflags = true
> >
> > [realms]
> > MYDOMAIN.NET = {
> > kdc = cofil01.mydomain.net:88
> > default_domain = mydomain.net
> > }
> >
> > [domain_realm]
> > .mydomain.net = MYDOMAIN.NET
> > mydomain.net = MYDOMAIN.NET
> >
> > [login]
> > krb4_convert = true
> > krb4_get_tickets = false
> > ====================================================
> >
> > The server side krb5.conf contains this:
> > ====================================================
> > [libdefaults]
> > default_realm = MYDOMAIN.NET
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> > ====================================================
> >
> > No kerberos errors show up in "log.samba" on the server side even
> > though samba is started with "-d 5".
> > On the client side, I do a "kinit user" - it succeeds.
> > I then do a klist and it lists my current ticket for user.
> > Then I try "ssh -vvvl user cofil01.mydomain.net", I get the following
> > lines:
> >
> > ====================================================
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue:
> > publickey,gssapi-keyex,gssapi-with-mic,password
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue:
> > publickey,gssapi-keyex,gssapi-with-mic,password
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue:
> > publickey,gssapi-keyex,gssapi-with-mic,password
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue:
> > publickey,gssapi-keyex,gssapi-with-mic,password
> > debug2: we did not send a packet, disable method
> > ====================================================
> >
> > "hostname -f" on the client reveals:
> > ubuntu-test.mydomain.net
> >
> > I can both forward and reverse resolve cofil01.mydomain.net on the
> > client side.
> > Is it necessary to create a /etc/krb5.keytab file on the client in
> > order for ssh kerberos authentication to work?
> >
> >
> > --
> > br,
> > Quinn
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Best regards/Med venlig hilsen,
Quinn Plattel
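The thread ends with the suggestion to run "klist -ke /etc/krb5.keytab" on the Samba4 DC and on a Samba3 member and eyeball the differences, after Marcel's observation that the two create keytab entries differing in upper/lower case. The script below is an added example, not code from the thread or from the Samba project: it parses MIT-format "klist -ke" output (an assumption; Heimdal's "ktutil list" prints a different layout), reduces each principal to a host-independent shape (service, short name vs. FQDN, case) so the two machines' keytabs can be compared by structure, and checks whether the DC's keytab holds the host/<fqdn>@REALM principal that sshd's GSSAPI acceptor needs, treating a case-only match as a mismatch because Kerberos principal names are case-sensitive. The two keytab listings are constructed samples, not output from the hosts in the thread; the enctype names are the ones "klist -ke" prints on a typical MIT install.

```python
import re
from collections import defaultdict

# Constructed sample "klist -ke" listings in MIT Kerberos format (assumption:
# the machines in the thread use MIT klist). The DC sample has the short host
# name in upper case and only one enctype; the member sample has it in lower
# case and adds des-cbc-crc, mirroring the case difference reported above.
DC_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 COFIL01$@MYDOMAIN.NET (arcfour-hmac)
   1 host/COFIL01@MYDOMAIN.NET (arcfour-hmac)
   1 host/cofil01.mydomain.net@MYDOMAIN.NET (arcfour-hmac)
"""

MEMBER_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 UBUNTU-TEST$@MYDOMAIN.NET (arcfour-hmac)
   2 UBUNTU-TEST$@MYDOMAIN.NET (des-cbc-crc)
   2 host/ubuntu-test@MYDOMAIN.NET (arcfour-hmac)
   2 host/ubuntu-test@MYDOMAIN.NET (des-cbc-crc)
   2 host/ubuntu-test.mydomain.net@MYDOMAIN.NET (arcfour-hmac)
   2 host/ubuntu-test.mydomain.net@MYDOMAIN.NET (des-cbc-crc)
"""

# One keytab entry per line: "<kvno> <principal> (<enctype>)"; header lines
# ("Keytab name:", "KVNO Principal", the dashes) do not start with a number.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")


def parse_klist(text):
    """Map each principal to the set of (kvno, enctype) pairs that hold a key for it."""
    keys = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, principal, enctype = m.groups()
            keys[principal].add((int(kvno), enctype))
    return dict(keys)


def shape(principal):
    """Reduce a principal to (service, name form, case of the name part) so that
    keytabs from two differently named hosts can be compared structurally."""
    name, _, _realm = principal.rpartition("@")
    if name.endswith("$"):              # machine account, e.g. COFIL01$
        service, host = "account", name[:-1]
    elif "/" in name:                   # service principal, e.g. host/fqdn
        service, host = name.split("/", 1)
    else:                               # plain user principal
        service, host = "user", name
    form = "fqdn" if "." in host else "short"
    if host == host.lower():
        case = "lower"
    elif host == host.upper():
        case = "upper"
    else:
        case = "mixed"
    return (service, form, case)


def keytab_shapes(keys):
    """Set of (shape, enctype) pairs present in a parsed keytab listing."""
    return {(shape(p), enc) for p, kvs in keys.items() for _kvno, enc in kvs}


def diff_shapes(a, b):
    """Return (shapes only in A, shapes only in B), each sorted for stable output."""
    sa, sb = keytab_shapes(a), keytab_shapes(b)
    return sorted(sa - sb), sorted(sb - sa)


def check_sshd_principal(keys, fqdn, realm):
    """sshd's GSSAPI acceptor needs a key for host/<fqdn>@REALM exactly as the
    client will request it. Principal names are case-sensitive, so a match that
    differs only in case is reported as 'case-mismatch', not accepted."""
    wanted = "host/%s@%s" % (fqdn, realm)
    if wanted in keys:
        return "ok", wanted, sorted(enc for _kvno, enc in keys[wanted])
    for p in keys:
        if p.lower() == wanted.lower():
            return "case-mismatch", p, sorted(enc for _kvno, enc in keys[p])
    return "missing", wanted, []


if __name__ == "__main__":
    dc, member = parse_klist(DC_KLIST), parse_klist(MEMBER_KLIST)
    only_dc, only_member = diff_shapes(dc, member)
    print("entry shapes only on the DC:    ", only_dc)
    print("entry shapes only on the member:", only_member)
    print("sshd principal on the DC:", check_sshd_principal(dc, "cofil01.mydomain.net", "MYDOMAIN.NET"))
```

On real hosts, capture "klist -ke /etc/krb5.keytab" from each machine into a file and feed the contents to parse_klist in place of the constructed strings. The shape diff makes two things visible at once: a short-name entry present in one case on one machine and the other case on the other, and an enctype present on one keytab but absent from the other, which matters here because the client krb5.conf above lists arcfour-hmac-md5 and two DES types and the acceptor can only decrypt a service ticket for which the keytab holds a key of that enctype.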
