Hi Quinn,

thanks for your hint: I still had an old out-of-date /etc/krb5.keytab from a former installation of samba4 :-(
I simply copied secrets.keytab to /etc/krb5.keytab and everything worked as described.

I'd really be interested in your progress concerning NFS4 - I've tried to get this working some time ago - with mixed results in a "real" Active Directory environment, so maybe I can repay my debt ;-)
However, doing secure NFS using Samba4 DC would be pretty cool :-)

Bye,
Marcel

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Quinn Plattel
Sent: Wednesday, 11 July 2012 10:08
To: samba
Subject: Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]

Btw, forgot to mention, when testing, make sure on the client you do a "kinit <user>" to get a valid ticket before doing your ssh login. You can check if you have a valid ticket with the "klist" command.

br,
Quinn

On Wed, Jul 11, 2012 at 9:56 AM, Quinn Plattel <[email protected]> wrote:
> Hi Marcel,
>
> On the client machine (Ubuntu 12.04 LTS) I have (dpkg -l):
> ii krb5-config 2.2 Configuration files for Kerberos Version 5
> ii krb5-locales 1.10+dfsg~beta1-2ubuntu0.1 Internationalization support for MIT Kerberos
> ii krb5-user 1.10+dfsg~beta1-2ubuntu0.1 Basic programs to authenticate using MIT Kerberos
> ii libgssapi-krb5-2 1.10+dfsg~beta1-2ubuntu0.1 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii libkrb5-26-heimdal 1.6~git20120311.dfsg.1-2 Heimdal Kerberos - libraries
> ii libkrb5-3 1.10+dfsg~beta1-2ubuntu0.1 MIT Kerberos runtime libraries
> ii libkrb5support0 1.10+dfsg~beta1-2ubuntu0.1 MIT Kerberos runtime libraries - Support library
> ii libpam-krb5 4.5-3 PAM module for MIT Kerberos
> ii openssh-client 1:5.9p1-5ubuntu1 secure shell (SSH) client, for secure access to remote machines
>
> On the server machine (Ubuntu 12.04 LTS) I have (dpkg -l):
> ii krb5-config 2.2 Configuration files for Kerberos Version 5
> ii krb5-locales 1.10+dfsg~beta1-2ubuntu0.1 Internationalization support for MIT Kerberos
> ii krb5-user 1.10+dfsg~beta1-2ubuntu0.1 Basic programs to authenticate using MIT Kerberos
> ii libgssapi-krb5-2 1.10+dfsg~beta1-2ubuntu0.1 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii libkrb5-26-heimdal 1.6~git20120311.dfsg.1-2 Heimdal Kerberos - libraries
> ii libkrb5-3 1.10+dfsg~beta1-2ubuntu0.1 MIT Kerberos runtime libraries
> ii libkrb5support0 1.10+dfsg~beta1-2ubuntu0.1 MIT Kerberos runtime libraries - Support library
> ii openssh-client 1:5.9p1-5ubuntu1 secure shell (SSH) client, for secure access to remote machines
> ii openssh-server 1:5.9p1-5ubuntu1 secure shell (SSH) server, for secure access from remote machines
> samba Version 4.0.0beta3-GIT-UNKNOWN
>
> Without "GSSAPIStrictAcceptorCheck no" you need an fqdn in the client's /etc/hosts file and have all the principals needed added to the server's keytab file, but this is not necessary if you use the parameter. With the parameter, the only thing you need to make sure of is that on the server /var/lib/samba/secrets.keytab is copied or linked to /etc/krb5.keytab (sshd looks for it). You can use the keytab file as it is without copying any extra principals into it.
>
> You can have a very simple /etc/hosts on the client such as:
> 127.0.0.1 localhost
> 127.0.1.1 ubuntu-test
>
> This setup probably only works for ssh kerberos. nfsv4, pam logins, and other kerberos aware services may need strict checking. That is my next research project.
>
> For ssh debugging, on the server I used -ddd for sshd and looked at both syslog and auth.log under /var/log. On the client, I used ssh -vvvl <user> <server>. For kerberos samba4 debugging, start samba with the "-d 5" parameter and then "tail -f /var/log/samba/log.samba|grep Kerberos:"
>
> br,
> Quinn
>
>
>
> On Wed, Jul 11, 2012 at 8:32 AM, Ritter, Marcel - RRZE <[email protected]> wrote:
>
>> Hi Quinn,
>>
>> I just tried your solution (my machine is also multi-homed). However it doesn't work for me. The man-page of sshd_config also states that the behavior of "GSSAPIStrictAcceptorCheck" may depend on the used krb5 libraries.
>>
>> Could you please have a look at the krb5 and openssh versions you're using (and perhaps the linux distribution/version)?
>>
>> BTW: I'm running:
>> Ubuntu 12.04 LTS
>> openssh-server 5.9p1-5ubuntu1
>> libkrb5-3 1.10+dfsg~beta1-2ubuntu0.1
>>
>> auth.log mentions (during failed login):
>> Unspecified GSS failure.
>> Minor code may provide more information:
>> Wrong principal in request
>>
>> Thanks,
>> Marcel
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]]
>> On Behalf Of Quinn Plattel
>> Sent: Tuesday, 10 July 2012 16:08
>> To: samba
>> Subject: Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
>>
>> Hi,
>>
>> I solved my ssh GSSAPI problem. There were a lot of solutions on google referring to a proper fqdn in the /etc/hosts file and having the fqdn's/principals in the kerberos server's keytab file but I found out that my problem was that the samba4/kerberos server was running on a multi-homed machine and that the ssh server kerberos authentication needed the following parameter in order for it to work on multi-homed machines:
>>
>> GSSAPIStrictAcceptorCheck no
>>
>> The default is yes; using "no" will, according to the manpage, mean that "clients may authenticate against any service key stored in the machine's default store."
>>
>> I hope this helps others that have similar setups as I do.
>>
>> Thank you all for your input.
>>
>> br,
>> Quinn
>> --
>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>>
>
>
>
--
Best regards/Med venlig hilsen,
Quinn Plattel
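As an added example (not code from the thread, Samba or OpenSSH), a small POSIX shell checker for the two server-side conditions the fix in this thread relies on: the effective GSSAPIStrictAcceptorCheck value in sshd_config and whether the keytab sshd reads is the same file as, or a byte-identical copy of, samba's secrets.keytab (the stale copy Marcel hit). The sample sshd_config, the keytab bytes and all paths are constructed and hypothetical; nothing touches the real system.

```shell
#!/bin/sh
# Added example, not from the thread: verify the two things the ssh GSSAPI fix depends on.

# Effective value of an sshd_config keyword. sshd uses the FIRST uncommented
# occurrence, so a later duplicate line is silently ignored; $3 is the default.
sshd_effective() {   # $1=config file  $2=keyword  $3=default when absent
    val=$(awk -v key="$2" 'NF >= 2 && tolower($1) == tolower(key) { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# Is the keytab sshd reads (/etc/krb5.keytab in the thread) in sync with samba's
# secrets.keytab? A leftover keytab from an old install gives "Wrong principal in request".
keytab_in_sync() {   # $1=sshd keytab  $2=samba keytab
    [ -e "$1" ] && [ -e "$2" ] || return 1
    [ "$1" -ef "$2" ] && return 0        # hard or symbolic link to the same file
    cmp -s "$1" "$2"                     # otherwise it must be a byte-identical copy
}

# Constructed sample tree (hypothetical bytes, not a real keytab) so the checks
# run offline; prints the directory it created.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/sshd_config" <<'EOF'
#GSSAPIStrictAcceptorCheck yes
GSSAPIAuthentication yes
GSSAPIStrictAcceptorCheck no
EOF
    printf '\005\002constructed-keytab-v2' > "$d/secrets.keytab"
    cp "$d/secrets.keytab" "$d/krb5.keytab"                     # fresh copy, as in the fix
    printf '\005\002constructed-keytab-v1' > "$d/stale.keytab"  # leftover from an old install
    printf '%s\n' "$d"
}

# e.g. check_setup /etc/ssh/sshd_config /etc/krb5.keytab /var/lib/samba/secrets.keytab
check_setup() {
    strict=$(sshd_effective "$1" GSSAPIStrictAcceptorCheck yes)
    echo "GSSAPIStrictAcceptorCheck effective value: $strict"
    if keytab_in_sync "$2" "$3"; then
        echo "keytab: $2 matches $3"
    else
        echo "keytab: $2 is missing or differs from $3 (stale copy?)"
    fi
    # With "no", sshd accepts any service key in that keytab, so every principal
    # in it is a valid acceptor: keep the file root-only and know what is in it.
    [ "$strict" = no ] && echo "note: acceptor check disabled; review principals with: klist -k $2"
    return 0
}
```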
