I think I take this back. This more a workaround than a solution. The workaround makes sshd use any principal found in the database, but a proper kerberos setup would look for the client's hostname principal only. The search goes on for a proper samba4 kerberos setup. :-)
br, Quinn On Tue, Jul 10, 2012 at 4:07 PM, Quinn Plattel <[email protected]> wrote: > Hi, > > I solved my ssh GSSAPI problem. There were a lot of solutions on google > referring to a proper fqdn in the /etc/hosts file and having the > fqdn's/principals in the kerberos server's keytab file but I found out that > my problem was that the samba4/kerberos server was running on a multi-homed > machine and that the ssh server kerberos authentication needed the > following parameter in order for it to work on multi-homed machines: > > GSSAPIStrictAcceptorCheck no > > The default is yes, using "no" will, according to the manpage "clients may > authenticate against any service key stored in the machine's default store." > > I hope this helps others that have similar setups as I do. > > Thank you all for your input. > > br, > Quinn > > > > -- Best regards/Med venlig hilsen, Quinn Plattel -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
