Hi,

Using the following tutorials:

  https://help.ubuntu.com/community/SingleSignOn
  https://help.ubuntu.com/community/Kerberos

I have now managed to get passwordless ssh logins via kerberos working (without using the /etc/ssh/sshd_config parameter "GSSAPIStrictAcceptorCheck no") on a normal kerberos server setup.

I learned from this that ssh requires "host/server.mydomain.net@MYDOMAIN.NET" in the principal database, and also exported to a keytab on the server where sshd is running, in the location /etc/krb5.keytab.

On the client, /etc/ssh/ssh_config requires at least "GSSAPIAuthentication yes". sshd requires at least "KerberosAuthentication yes" and "GSSAPIAuthentication yes" in /etc/ssh/sshd_config.

On a real kerberos server, you use the following commands in the kadmin tool to add the necessary principals for ssh to work properly:

  addprinc user                                       # Adds a valid user to the kerberos principal database
  addprinc -randkey host/server.mydomain.net          # Adds a host principal to the principal database
  ktadd -k /etc/krb5.keytab host/server.mydomain.net  # Exports the principal host/server.mydomain.net to /etc/krb5.keytab

Restart sshd to be sure it picks up the updated /etc/krb5.keytab file.

On the client side, "kinit user", then:

  ssh -l user <server>

That's it. Now I just have to see if I can get a "host/server.mydomain.net" principal into the samba domain somehow.

Note: once I get single-sign-on to work, then it should not be necessary to do a kinit first.

br,
Quinn

On Mon, Jul 16, 2012 at 2:34 PM, Quinn Plattel <[email protected]> wrote:
>
> I think I take this back. This is more a workaround than a solution. The
> workaround makes sshd use any principal found in the database, but a proper
> kerberos setup would look for the client's hostname principal only.
> The search goes on for a proper samba4 kerberos setup. :-)
>
> br,
> Quinn
>
>
> On Tue, Jul 10, 2012 at 4:07 PM, Quinn Plattel <[email protected]> wrote:
>
>> Hi,
>>
>> I solved my ssh GSSAPI problem. There were a lot of solutions on google
>> referring to a proper fqdn in the /etc/hosts file and having the
>> fqdn's/principals in the kerberos server's keytab file, but I found out that
>> my problem was that the samba4/kerberos server was running on a multi-homed
>> machine and that the ssh server kerberos authentication needed the
>> following parameter in order for it to work on multi-homed machines:
>>
>> GSSAPIStrictAcceptorCheck no
>>
>> The default is yes; with "no", according to the manpage, "clients
>> may authenticate against any service key stored in the machine's default
>> store."
>>
>> I hope this helps others that have similar setups as I do.
>>
>> Thank you all for your input.
>>
>> br,
>> Quinn
>>
>
> --
> Best regards/Med venlig hilsen,
> Quinn Plattel

--
Best regards/Med venlig hilsen,
Quinn Plattel
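As an added example that is not part of Quinn's messages: a small Python audit of the checklist in the first message above (the two sshd_config settings, the host principal in /etc/krb5.keytab, and whether the GSSAPIStrictAcceptorCheck workaround is still in use), run over constructed sshd_config text and constructed `klist -k` output. The server name, realm and sample output are assumptions.

```python
import re
# Constructed sample sshd_config fragment with the two settings the thread lists.
SSHD_CONFIG = """\
# constructed sample, not a real server's file
KerberosAuthentication yes
GSSAPIAuthentication yes
#GSSAPIStrictAcceptorCheck yes
"""
# Constructed sample of `klist -k /etc/krb5.keytab` output after `ktadd`.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server.mydomain.net@MYDOMAIN.NET
   2 host/other.mydomain.net@MYDOMAIN.NET
"""

def parse_sshd_config(text):
    """Map lowercase keyword -> lowercase value for effective lines.
    sshd keeps the first occurrence of a keyword, so later ones are ignored."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z]+)\s*=?\s*(\S+)", line)  # "Key value" or "Key=value"
        if m:
            opts.setdefault(m.group(1).lower(), m.group(2).lower())
    return opts

def parse_klist(text):
    """Return the set of principals listed in `klist -k` output (KVNO + name lines)."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+)\s*$", text, re.M)}

def audit(sshd_text, klist_text, server_fqdn, realm):
    """Return a list of findings; an empty list means the thread's checklist is
    satisfied without relying on the GSSAPIStrictAcceptorCheck workaround."""
    opts = parse_sshd_config(sshd_text)
    wanted = f"host/{server_fqdn}@{realm}"  # the principal sshd needs in its keytab
    findings = []
    for key in ("kerberosauthentication", "gssapiauthentication"):
        if opts.get(key) != "yes":
            findings.append(f"sshd_config: {key} is not 'yes'")
    if wanted not in parse_klist(klist_text):
        findings.append(f"keytab: missing {wanted} (ktadd it on the KDC, then restart sshd)")
    if opts.get("gssapistrictacceptorcheck") == "no":
        findings.append("sshd_config: GSSAPIStrictAcceptorCheck no lets clients "
                        "authenticate against any service key in the keytab")
    return findings
```

On a real server, feed it the contents of /etc/ssh/sshd_config and the output of `klist -k /etc/krb5.keytab` instead of the constructed samples.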
