If you configure PAM and kerberos properly, you do not need to do a kinit first. I get them automatically when I login. They automatically renew when I type my password into the GNOME screensaver.

Btw, I am also using Samba 3, not Samba4.

On 07/11/2012 03:07 AM, Quinn Plattel wrote:
Btw, forgot to mention, when testing, make sure on the client you do a
"kinit <user>" to get a valid ticket before doing your ssh login.  You can
check if you have a valid ticket with the "klist" command.

br,
Quinn

On Wed, Jul 11, 2012 at 9:56 AM, Quinn Plattel <[email protected]> wrote:

Hi Marcel,

On the client machine (Ubuntu 12.04 LTS) I have (dpkg -l):
ii  krb5-config         2.2                          Configuration files for Kerberos Version 5
ii  krb5-locales        1.10+dfsg~beta1-2ubuntu0.1   Internationalization support for MIT Kerberos
ii  krb5-user           1.10+dfsg~beta1-2ubuntu0.1   Basic programs to authenticate using MIT Kerberos
ii  libgssapi-krb5-2    1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal  1.6~git20120311.dfsg.1-2     Heimdal Kerberos - libraries
ii  libkrb5-3           1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries
ii  libkrb5support0     1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries - Support library
ii  libpam-krb5         4.5-3                        PAM module for MIT Kerberos
ii  openssh-client      1:5.9p1-5ubuntu1             secure shell (SSH) client, for secure access to remote machines

On the server machine (Ubuntu 12.04 LTS) I have (dpkg -l):
ii  krb5-config         2.2                          Configuration files for Kerberos Version 5
ii  krb5-locales        1.10+dfsg~beta1-2ubuntu0.1   Internationalization support for MIT Kerberos
ii  krb5-user           1.10+dfsg~beta1-2ubuntu0.1   Basic programs to authenticate using MIT Kerberos
ii  libgssapi-krb5-2    1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal  1.6~git20120311.dfsg.1-2     Heimdal Kerberos - libraries
ii  libkrb5-3           1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries
ii  libkrb5support0     1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries - Support library
ii  openssh-client      1:5.9p1-5ubuntu1             secure shell (SSH) client, for secure access to remote machines
ii  openssh-server      1:5.9p1-5ubuntu1             secure shell (SSH) server, for secure access from remote machines
samba Version 4.0.0beta3-GIT-UNKNOWN

Without "GSSAPIStrictAcceptorCheck no" you need an fqdn in the client's
/etc/hosts file and have all the principals needed added to the server's
keytab file, but this is not necessary if you use the parameter.
With the parameter, the only thing you need to make sure of is that on the
server /var/lib/samba/secrets.keytab is copied or linked to
/etc/krb5.keytab (sshd looks for it).  You can use the keytab file as it is
without copying any extra principals into it.

You can have a very simple /etc/hosts on the client such as:
127.0.0.1    localhost
127.0.1.1    ubuntu-test

This setup probably only works for ssh kerberos. nfsv4, pam logins, and
other kerberos aware services may need strict checking.  That is my next
research project.

For ssh debugging, on the server I used -ddd for sshd and looked at both
syslog and auth.log under /var/log.  On the client, I used "ssh -vvvl <user>
<server>".
For kerberos samba4 debugging, start samba with the "-d 5" parameter and then
"tail -f /var/log/samba/log.samba|grep Kerberos:".

br,
Quinn



On Wed, Jul 11, 2012 at 8:32 AM, Ritter, Marcel - RRZE <[email protected]> wrote:

Hi Quinn,

I just tried your solution (my machine is also multi-homed). However, it
doesn't work for me. The man-page of sshd_config also states that the
behavior of "GSSAPIStrictAcceptorCheck" may depend on the used
krb5 libraries.

Could you please have a look at the krb5 and openssh versions you're
using (and perhaps the linux distribution/version)?

BTW: I'm running:
          Ubuntu 12.04 LTS
         openssh-server 5.9p1-5ubuntu1
         libkrb5-3 1.10+dfsg~beta1-2ubuntu0.1

auth.log mentions (during failed login):
         Unspecified GSS failure.
         Minor code may provide more information:
         Wrong principal in request

Thanks,
     Marcel

-----Original Message-----
From: [email protected] [mailto:[email protected]]
On behalf of Quinn Plattel
Sent: Tuesday, 10 July 2012 16:08
To: samba
Subject: Re: [Samba] How do I get an ssh client to authenticate with
samba4's kerberos GSSAPI? [Solved]

Hi,

I solved my ssh GSSAPI problem.  There were a lot of solutions on google
referring to a proper fqdn in the /etc/hosts file and having the
fqdn's/principals in the kerberos server's keytab file but I found out that
my problem was that the samba4/kerberos server was running on a multi-homed
machine and that the ssh server kerberos authentication needed the
following parameter in order for it to work on multi-homed machines:

GSSAPIStrictAcceptorCheck no

The default is yes. When set to "no", according to the manpage, "clients
may authenticate against any service key stored in the machine's default
store."

I hope this helps others that have similar setups as I do.

Thank you all for your input.

br,
Quinn
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

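As an added illustration (not from the thread, and not OpenSSH's own code), the following shell script models the acceptor check Quinn and Marcel are debugging: it takes `klist -k`-style output and reports whether a client's ticket for the server name it resolved would be accepted under `GSSAPIStrictAcceptorCheck yes` versus `no`. The modelled rule (when strict, sshd accepts only host/<its own hostname>@REALM; when not, any service key in the keytab) is stated as an assumption in the comments, and the keytab sample, hostnames and realm are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption modelled here: with
# "GSSAPIStrictAcceptorCheck yes" sshd only accepts host/<gethostname()>@REALM;
# with "no" it accepts any service principal present in /etc/krb5.keytab.

# Constructed sample of `klist -k /etc/krb5.keytab` output (Samba DC style).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/dc1.example.com@EXAMPLE.COM
   1 host/DC1@EXAMPLE.COM
   1 DC1$@EXAMPLE.COM'

# keytab_has_principal KLIST_OUTPUT PRINCIPAL -> exit 0 if the principal is listed.
# Only rows whose first field is a numeric KVNO are considered (skips the header).
keytab_has_principal() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 == p { f = 1 } END { exit !f }'
}

# check_acceptor KLIST_OUTPUT CLIENT_NAME SERVER_HOSTNAME REALM STRICT
#   CLIENT_NAME:     server name the client resolved (it asks the KDC for host/<this>)
#   SERVER_HOSTNAME: what gethostname() returns on the server (strict acceptor name)
#   STRICT:          yes|no, the GSSAPIStrictAcceptorCheck value
# Prints a verdict; exits 0 if GSSAPI authentication would succeed.
check_acceptor() {
    requested="host/$2@$4"
    acceptor="host/$3@$4"
    if ! keytab_has_principal "$1" "$requested"; then
        echo "fail: client requested $requested, which is not in the keytab"
        return 1
    fi
    if [ "$5" = yes ] && [ "$requested" != "$acceptor" ]; then
        echo "fail: strict check wants $acceptor, client sent $requested (Wrong principal in request)"
        echo "      fix: make the server's hostname match $2, or set GSSAPIStrictAcceptorCheck no"
        return 1
    fi
    echo "ok: $requested accepted (GSSAPIStrictAcceptorCheck $5)"
    return 0
}

# Multi-homed DC: clients resolve dc1.example.com, but the box's own hostname is
# the short name "ubuntu-test", like the /etc/hosts example in the thread.
check_acceptor "$SAMPLE_KLIST" dc1.example.com ubuntu-test EXAMPLE.COM yes || :
check_acceptor "$SAMPLE_KLIST" dc1.example.com ubuntu-test EXAMPLE.COM no
```

Run it as-is to see the strict case fail and the relaxed case pass; swap in the real `klist -k /etc/krb5.keytab` output and `hostname` to check a live server.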
