[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
Quinn Plattel
qiet72 at gmail.com
Wed Jul 11 02:07:41 MDT 2012
Btw, forgot to mention, when testing, make sure on the client you do a
"kinit <user>" to get a valid ticket before doing your ssh login. You can
check if you have a valid ticket with the "klist" command.
br,
Quinn
On Wed, Jul 11, 2012 at 9:56 AM, Quinn Plattel <qiet72 at gmail.com> wrote:
> Hi Marcel,
>
> On the client machine (Ubuntu 12.04 LTS) I have (dpkg -l):
> ii  krb5-config         2.2                         Configuration files for Kerberos Version 5
> ii  krb5-locales        1.10+dfsg~beta1-2ubuntu0.1  Internationalization support for MIT Kerberos
> ii  krb5-user           1.10+dfsg~beta1-2ubuntu0.1  Basic programs to authenticate using MIT Kerberos
> ii  libgssapi-krb5-2    1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal  1.6~git20120311.dfsg.1-2    Heimdal Kerberos - libraries
> ii  libkrb5-3           1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries
> ii  libkrb5support0     1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries - Support library
> ii  libpam-krb5         4.5-3                       PAM module for MIT Kerberos
> ii  openssh-client      1:5.9p1-5ubuntu1            secure shell (SSH) client, for secure access to remote machines
>
> On the server machine (Ubuntu 12.04 LTS) I have (dpkg -l):
> ii  krb5-config         2.2                         Configuration files for Kerberos Version 5
> ii  krb5-locales        1.10+dfsg~beta1-2ubuntu0.1  Internationalization support for MIT Kerberos
> ii  krb5-user           1.10+dfsg~beta1-2ubuntu0.1  Basic programs to authenticate using MIT Kerberos
> ii  libgssapi-krb5-2    1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal  1.6~git20120311.dfsg.1-2    Heimdal Kerberos - libraries
> ii  libkrb5-3           1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries
> ii  libkrb5support0     1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries - Support library
> ii  openssh-client      1:5.9p1-5ubuntu1            secure shell (SSH) client, for secure access to remote machines
> ii  openssh-server      1:5.9p1-5ubuntu1            secure shell (SSH) server, for secure access from remote machines
> samba Version 4.0.0beta3-GIT-UNKNOWN
>
> Without "GSSAPIStrictAcceptorCheck no" you need an fqdn in the client's
> /etc/hosts file and have all the principals needed added to the server's
> keytab file, but this is not necessary if you use the parameter.
> With the parameter, the only thing you need to make sure of is that on the
> server /var/lib/samba/secrets.keytab is copied or linked to
> /etc/krb5.keytab (sshd looks for it). You can use the keytab file as it is
> without copying any extra principals into it.
>
> You can have a very simple /etc/hosts on the client such as:
> 127.0.0.1 localhost
> 127.0.1.1 ubuntu-test
>
> This setup probably only works for ssh kerberos. nfsv4, pam logins, and
> other kerberos aware services may need strict checking. That is my next
> research project.
>
> For ssh debugging, on the server I used -ddd for sshd and looked at both
> syslog and auth.log under /var/log. On the client, I used
> "ssh -vvvl <user> <server>".
> For kerberos samba4 debugging, start samba with the "-d 5" parameter and then
> "tail -f /var/log/samba/log.samba|grep Kerberos:"
>
> br,
> Quinn
>
>
>
> On Wed, Jul 11, 2012 at 8:32 AM, Ritter, Marcel - RRZE <marcel.ritter at rrze.fau.de> wrote:
>
>> Hi Quinn,
>>
>> I just tried your solution (my machine is also multi-homed). However, it
>> doesn't work for me. The man-page of sshd_config also states that the
>> behavior of "GSSAPIStrictAcceptorCheck" may depend on the krb5
>> libraries used.
>>
>> Could you please have a look at the krb5 and openssh versions you're
>> using (and perhaps the linux distribution/version)?
>>
>> BTW: I'm running:
>> Ubuntu 12.04 LTS
>> openssh-server 5.9p1-5ubuntu1
>> libkrb5-3 1.10+dfsg~beta1-2ubuntu0.1
>>
>> auth.log mentions (during failed login):
>> Unspecified GSS failure.
>> Minor code may provide more information:
>> Wrong principal in request
>>
>> Thanks,
>> Marcel
>>
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
>> On behalf of Quinn Plattel
>> Sent: Tuesday, 10 July 2012 16:08
>> To: samba
>> Subject: Re: [Samba] How do I get an ssh client to authenticate with
>> samba4's kerberos GSSAPI? [Solved]
>>
>> Hi,
>>
>> I solved my ssh GSSAPI problem. There were a lot of solutions on google
>> referring to a proper fqdn in the /etc/hosts file and having the
>> fqdn's/principals in the kerberos server's keytab file but I found out that
>> my problem was that the samba4/kerberos server was running on a multi-homed
>> machine and that the ssh server kerberos authentication needed the
>> following parameter in order for it to work on multi-homed machines:
>>
>> GSSAPIStrictAcceptorCheck no
>>
>> The default is "yes"; with "no", according to the manpage, "clients
>> may authenticate against any service key stored in the machine's default
>> store."
>>
>> I hope this helps others that have similar setups as I do.
>>
>> Thank you all for your input.
>>
>> br,
>> Quinn
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>
>
>
--
Best regards/Med venlig hilsen,
Quinn Plattel
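The following is an added example, not code from the thread or from the Samba or OpenSSH projects. It turns the three things Quinn's messages rely on into a pre-flight check script: a valid ticket on the client (kinit/klist), the Samba keytab reachable by sshd as /etc/krb5.keytab, and GSSAPIStrictAcceptorCheck set to "no" (with GSSAPIAuthentication on) in sshd_config on the multi-homed server. The keytab paths and the sshd_config sample are assumptions/constructed for the example; the keyword-parsing rule it applies is sshd's own (the first occurrence of a keyword wins, keywords are case-insensitive), but Match blocks and the "Key=value" spelling are deliberately not handled.

```shell
#!/bin/sh
# Added example: pre-flight checks for GSSAPI ssh logins against a Samba 4 KDC.
# Not part of the Samba or OpenSSH projects; paths below are assumptions.

# Print the effective value of an sshd_config keyword.  sshd uses the FIRST
# occurrence of a keyword and ignores later ones; keywords are case-insensitive;
# "#" starts a comment.  Match blocks and "Key=value" are not handled here.
# $1 = config file, $2 = keyword, $3 = sshd's default when the keyword is absent.
sshd_effective() {
    _file=$1; _key=$2; _default=$3
    _val=$(awk -v key="$_key" '
        /^[[:space:]]*#/ { next }                                 # comment
        /^[[:space:]]*$/ { next }                                 # blank
        tolower($1) == tolower(key) { print tolower($2); exit }   # first wins
    ' "$_file")
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$_default"; fi
}

# Returns 0 when sshd is configured the way the thread describes for a
# multi-homed server: GSSAPIAuthentication yes (sshd default: no) and
# GSSAPIStrictAcceptorCheck no (sshd default: yes).
sshd_gssapi_ready() {
    _cfg=${1:-/etc/ssh/sshd_config}
    [ "$(sshd_effective "$_cfg" GSSAPIAuthentication no)" = yes ] &&
    [ "$(sshd_effective "$_cfg" GSSAPIStrictAcceptorCheck yes)" = no ]
}

# Returns 0 when the keytab sshd reads is the Samba keytab: either the same
# file (symlink or hard link) or a byte-identical copy.  A link is the safer
# choice, since a copy stops matching once Samba rewrites its keytab.
keytab_matches() {
    _samba=${1:-/var/lib/samba/secrets.keytab}
    _system=${2:-/etc/krb5.keytab}
    [ -r "$_samba" ] && [ -r "$_system" ] || return 1
    if [ "$_samba" -ef "$_system" ]; then return 0; fi   # same inode
    cmp -s "$_samba" "$_system"                          # identical copy
}

# Client side: run "kinit <user>" first; klist -s exits 0 only when the
# credential cache holds a non-expired ticket.
client_has_ticket() {
    command -v klist >/dev/null 2>&1 || { echo "klist not installed" >&2; return 2; }
    klist -s
}

# Usage: sh gssapi_ssh_check.sh server   (on the sshd/Samba host)
#        sh gssapi_ssh_check.sh client   (on the machine running ssh)
case "${1:-}" in
    server)
        if sshd_gssapi_ready; then echo "sshd: GSSAPI on, strict acceptor check off"
        else echo "sshd: GSSAPIAuthentication/GSSAPIStrictAcceptorCheck not set as needed"; fi
        if keytab_matches; then echo "keytab: /etc/krb5.keytab matches the Samba keytab"
        else echo "keytab: /etc/krb5.keytab missing or differs from the Samba keytab"; fi
        ;;
    client)
        if client_has_ticket; then echo "ticket: valid, ok to ssh"
        else echo "ticket: none or expired, run kinit <user> first"; fi
        ;;
esac
```

Run it with "server" on the Samba/sshd host and "client" before attempting the login; with no argument it only defines the functions, so it can be sourced from other scripts. Note that the check only reports whether the relaxed acceptor setting is present; on a single-homed host the strict default is the safer choice and the other fix in the thread (correct fqdn plus the host principal in the keytab) keeps it in place.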