Hi Quinn,

here's the output of klist on my samba 3 client and the samba 4 server. Ssh based login works fine on the samba 3 machine - but requires "GSSAPIStrictAcceptorCheck no" on the samba 4 host.

I'm still not sure whether this is a multi-home issue - it could also be caused by case sensitivity of Kerberos: As you can see the "host/" principal is stored in lower case on samba 3 (where things work as expected), but in upper case on samba 4 machines (where the above option is required to make things work). This may cause problems for other services (such as NFS) that cannot be overruled by some config option.

# Samba 3:

utest@testhost1:~$ sudo klist -ket /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 06/10/12 09:53:26 host/[email protected] (des-cbc-crc)
   3 06/10/12 09:53:26 host/[email protected] (des-cbc-md5)
   3 06/10/12 09:53:26 host/[email protected] (arcfour-hmac)
   3 06/10/12 09:53:26 host/[email protected] (des-cbc-crc)
   3 06/10/12 09:53:26 host/[email protected] (des-cbc-md5)
   3 06/10/12 09:53:26 host/[email protected] (arcfour-hmac)
   3 06/10/12 09:53:26 [email protected] (des-cbc-crc)
   3 06/10/12 09:53:26 [email protected] (des-cbc-md5)
   3 06/10/12 09:53:26 [email protected] (arcfour-hmac)

# Samba 4:

utest@atom:~$ sudo klist -ket /opt/samba4/var/lib/samba/private/secrets.keytab
Keytab name: FILE:/opt/samba4/var/lib/samba/private/secrets.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 02/25/12 11:22:52 HOST/[email protected] (des-cbc-crc)
   1 02/25/12 11:22:52 HOST/[email protected] (des-cbc-crc)
   1 02/25/12 11:22:52 [email protected] (des-cbc-crc)
   1 02/25/12 11:22:52 HOST/[email protected] (des-cbc-md5)
   1 02/25/12 11:22:52 HOST/[email protected] (des-cbc-md5)
   1 02/25/12 11:22:52 [email protected] (des-cbc-md5)
   1 02/25/12 11:22:52 HOST/[email protected] (arcfour-hmac)
   1 02/25/12 11:22:52 HOST/[email protected] (arcfour-hmac)
   1 02/25/12 11:22:52 [email protected] (arcfour-hmac)
   1 02/25/12 11:22:52 HOST/[email protected] (aes128-cts-hmac-sha1-96)
   1 02/25/12 11:22:52 HOST/[email protected] (aes128-cts-hmac-sha1-96)
   1 02/25/12 11:22:52 [email protected] (aes128-cts-hmac-sha1-96)
   1 02/25/12 11:22:52 HOST/[email protected] (aes256-cts-hmac-sha1-96)
   1 02/25/12 11:22:52 HOST/[email protected] (aes256-cts-hmac-sha1-96)
   1 02/25/12 11:22:52 [email protected] (aes256-cts-hmac-sha1-96)

BTW: You can force ssh logins to only use GSSAPI authentication by using

  ssh -o PreferredAuthentications=gssapi-with-mic ...

Bye,
Marcel

-----Original Message-----
From: [email protected] [mailto:[email protected]] On behalf of Quinn Plattel
Sent: Tuesday, 10 July 2012 09:14
To: samba
Subject: [Samba] Fwd: How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?

This should go to the list as well....

---------- Forwarded message ----------
From: Quinn Plattel <[email protected]>
Date: Tue, Jul 10, 2012 at 9:13 AM
Subject: Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?
To: "Ritter, Marcel - RRZE" <[email protected]>

Hi Marcel,

Maybe you could do a "klist -ke /etc/krb5.keytab" on both machines so we can see the differences?

br,
Quinn

On Mon, Jul 9, 2012 at 5:17 PM, Ritter, Marcel - RRZE <[email protected]> wrote:
> Hi Quinn,
>
> I've tried to get ssh Kerberos/gssapi login working on my Samba4 DC,
> no luck so far.
>
> However, after joining two VMs to this domain using Samba 3, ssh
> logins work between those two machines (not towards the DC).
>
> The only relevant difference I found while searching for a solution
> were differences in the krb5.keytab: it looks like Samba4 and Samba3
> create different entries there (upper/lower case differ). I don't have
> the VMs up and running at the moment, but I can supply the details if
> it helps to fix this problem - just let me know.
>
> Bye,
> Marcel
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]
> On behalf of Quinn Plattel
> Sent: Monday, 9 July 2012 15:17
> To: samba
> Subject: Re: [Samba] How do I get an ssh client to authenticate with
> samba4's kerberos GSSAPI?
>
> Hi,
>
> Forgot to mention that the client side's ssh configuration
> (/etc/ssh/ssh_config) has the following lines:
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
> GSSAPITrustDns yes
>
> The server side ssh configuration (/etc/ssh/sshd_config) has the
> following lines:
> GSSAPIAuthentication yes
> GSSAPIKeyExchange yes
> GSSAPICleanupCredentials yes
>
> br,
> Quinn
>
>
> On Mon, Jul 9, 2012 at 3:12 PM, Quinn Plattel <[email protected]> wrote:
>
> > Hi,
> >
> > I am doing some kerberos testing with samba4 using ssh. I have set up
> > samba4 using the howto at
> > http://wiki.samba.org/index.php/Samba4/HOWTO and active directory seems
> > to be working both with Windows and Linux clients.
> > ssh unfortunately is not kerberos authenticating via GSSAPI. The
> > client krb5.conf contains this:
> >
> > =====================================================
> > [libdefaults]
> >         default_realm = MYDOMAIN.NET
> >
> >         krb4_config = /etc/krb.conf
> >         krb4_realms = /etc/krb.realms
> >         kdc_timesync = 1
> >         ccache_type = 4
> >         forwardable = true
> >         proxiable = true
> >         dns_fallback = yes
> >         default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >         default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >
> >         v4_instance_resolve = false
> >         v4_name_convert = {
> >                 host = {
> >                         rcmd = host
> >                         ftp = ftp
> >                 }
> >                 plain = {
> >                         something = something-else
> >                 }
> >         }
> >         fcc-mit-ticketflags = true
> >
> > [realms]
> >         MYDOMAIN.NET = {
> >                 kdc = cofil01.mydomain.net:88
> >                 default_domain = mydomain.net
> >         }
> >
> > [domain_realm]
> >         .mydomain.net = MYDOMAIN.NET
> >         mydomain.net = MYDOMAIN.NET
> >
> > [login]
> >         krb4_convert = true
> >         krb4_get_tickets = false
> > ====================================================
> >
> > The server side krb5.conf contains this:
> >
> > ====================================================
> > [libdefaults]
> >         default_realm = MYDOMAIN.NET
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = true
> > ====================================================
> >
> > No kerberos errors show up in "log.samba" on the server side even
> > though samba is started with "-d 5"
> > On the client side, I do a "kinit user" - it succeeds.
> > I then do a klist and it lists my current ticket for user.
> > Then I try "ssh -vvvl user cofil01.mydomain.net", I get the
> > following lines:
> >
> > ====================================================
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
> > debug2: we did not send a packet, disable method
> > ====================================================
> >
> > "hostname -f" on the client reveals:
> > ubuntu-test.mydomain.net
> >
> > I can both forward and reverse resolve cofil01.mydomain.net on the
> > client side.
> > Is it necessary to create a /etc/krb5.keytab file on the client in
> > order for ssh kerberos authentication to work?
> >
> >
> > --
> > br,
> > Quinn
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Best regards/Med venlig hilsen,
Quinn Plattel
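Added example, not part of the thread above and not Samba or OpenSSH code: a small Python script that parses "klist -ket" listings in the format Marcel posted and flags the two things this thread turns on, service principals stored in a case other than lower-case "host/" (Kerberos principal names are case-sensitive, and sshd's GSSAPI acceptor looks for host/<fqdn>@REALM) and keytabs that carry only single-DES or RC4 keys. The two listings embedded in the script are constructed to mirror the thread's output; the hostnames and the EXAMPLE.NET realm are placeholders, since the thread's own principals are redacted.

```python
"""Audit MIT 'klist -ket' keytab listings for the issues discussed in the thread:
service principals not stored as lower-case 'host/...', and keytabs carrying
only deprecated enctypes. Added example; not Samba or OpenSSH code."""
import re
from collections import defaultdict

# One entry line of 'klist -ket':  KVNO  date  time  principal (enctype)
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+"
    r"(?P<principal>\S+)\s+\((?P<enctype>[^)]+)\)\s*$"
)

# Enctypes deprecated for Kerberos use (single DES and RC4-HMAC).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac", "arcfour-hmac-md5"}

# Constructed sample listings in the format the thread shows; hostnames and
# realm are placeholders (the thread's own principals are redacted).
SAMBA3_SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 06/10/12 09:53:26 host/testhost1.example.net@EXAMPLE.NET (des-cbc-crc)
   3 06/10/12 09:53:26 host/testhost1.example.net@EXAMPLE.NET (des-cbc-md5)
   3 06/10/12 09:53:26 host/testhost1.example.net@EXAMPLE.NET (arcfour-hmac)
   3 06/10/12 09:53:26 host/testhost1@EXAMPLE.NET (arcfour-hmac)
   3 06/10/12 09:53:26 TESTHOST1$@EXAMPLE.NET (arcfour-hmac)
"""

SAMBA4_SAMPLE = """\
Keytab name: FILE:/opt/samba4/var/lib/samba/private/secrets.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 02/25/12 11:22:52 HOST/atom.example.net@EXAMPLE.NET (des-cbc-crc)
   1 02/25/12 11:22:52 HOST/ATOM@EXAMPLE.NET (des-cbc-crc)
   1 02/25/12 11:22:52 ATOM$@EXAMPLE.NET (des-cbc-crc)
   1 02/25/12 11:22:52 HOST/atom.example.net@EXAMPLE.NET (arcfour-hmac)
   1 02/25/12 11:22:52 HOST/atom.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
"""


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples; header and rule lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m["kvno"]), m["principal"], m["enctype"]))
    return entries


def service_components(entries):
    """Service parts of 'service/instance@REALM' principals, exactly as stored."""
    return {p.split("/", 1)[0] for _, p, _ in entries if "/" in p}


def audit_keytab(text):
    """Summarise one listing: principal-case findings and enctype strength."""
    entries = parse_klist(text)
    services = service_components(entries)
    # Kerberos principal names are case-sensitive, so 'HOST/x' and 'host/x'
    # are different keys; group variants by their lower-cased form.
    by_lower = defaultdict(set)
    for s in services:
        by_lower[s.lower()].add(s)
    enctypes = {e for _, _, e in entries}
    return {
        "entries": len(entries),
        "services": sorted(services),
        # sshd's GSSAPI acceptor looks up host/<fqdn>@REALM in lower case.
        "non_lowercase_services": sorted(s for s in services if s != s.lower()),
        "case_conflicts": {k: sorted(v) for k, v in by_lower.items() if len(v) > 1},
        "weak_enctypes": sorted(enctypes & WEAK_ENCTYPES),
        "strong_enctypes": sorted(enctypes - WEAK_ENCTYPES),
    }


def report(label, text):
    """Human-readable summary of audit_keytab() for one listing."""
    a = audit_keytab(text)
    lines = [f"{label}: {a['entries']} entries, services {a['services']}"]
    if a["non_lowercase_services"]:
        lines.append(f"  WARNING: service component(s) not lower-case: "
                     f"{a['non_lowercase_services']} (sshd expects host/<fqdn>; the thread "
                     f"reports that 'GSSAPIStrictAcceptorCheck no' works around this)")
    if a["case_conflicts"]:
        lines.append(f"  WARNING: mixed-case variants of one service: {a['case_conflicts']}")
    if not a["strong_enctypes"]:
        lines.append(f"  WARNING: only deprecated enctypes present: {a['weak_enctypes']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("Samba 3 keytab", SAMBA3_SAMPLE))
    print(report("Samba 4 keytab", SAMBA4_SAMPLE))
```

Run it against real output with `sudo klist -ket /etc/krb5.keytab | python3 keytab_audit.py` after swapping the embedded samples for `sys.stdin.read()`; the parser only needs the entry lines, so the header and rule lines of any MIT klist version are ignored.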
