[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]

Ritter, Marcel - RRZE marcel.ritter at rrze.fau.de
Thu Jul 19 13:34:44 MDT 2012 

Hi Quinn,

Maybe I can help with this:

"That's it.  Now I just have to see if I can get a "host/server.mydomain.net"
principal into the samba domain somehow."

I just tried to get rid of the "GSSAPIStrictAcceptorCheck no" option myself
on the Samba 4 DC - while still using GSSAPI based ssh login.

Doing this involves a very, very dirty hack:

1. Copy samba 4 secrets.keytab to /etc/krb5.keytab
    (this one contains upper case HOST/ principals).
2. Principal names are stored as strings in the keytab,
    so let's use sed to turn upper into lower case
    (yes I know, this is very, very dirty - but it's just a 
    prove of what I suspected):
        sed -i s+HOST+host+g /etc/krb5.keytab
3. Remove the  "GSSAPIStrictAcceptorCheck no" option from
    sshd_config and restart sshd.
4. Try to log in using ssh
    -> works for me (and I hope for everyone else).

Somehow MS AD and therefore Samba 4 seem to treat
principals case insensitive, while standard kerberos
implementations are case sensitive.
BTW: klist reports a host/... principal (lower case),
          after trying a GSSAPI ssh login - so this is the
          principal sent by ssh to the server, that looks
          for a match in krb5.keytab - and fails because
          by default we only have HOST/... principal there.

I guess the easiest way would be to store principals
in lower case only during a provision run of samba4.

This may however cause other problems - I guess some
samba core developer needs to have a look at this.

But the only principal I ever encountered, that needed to be
upper case was the HTTP/ one ...

Hope this helps,
    Marcel


-----Ursprüngliche Nachricht-----
Von: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] Im Auftrag von Quinn Plattel
Gesendet: Donnerstag, 19. Juli 2012 16:23
An: samba
Betreff: Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]

Hi,

Using the following tutorials:
https://help.ubuntu.com/community/SingleSignOn
https://help.ubuntu.com/community/Kerberos

I have now managed to get passwordless ssh logins via kerberos working (without using the /etc/ssh/sshd_config parameter "GSSAPIStrictAcceptorCheck no") on a normal kerberos server setup.  I learned from this that ssh requires "host/server.mydomain.net @ MYDOMAIN.NET"
in the principal database and also exported to a keytab located on the server which sshd is running in the location /etc/krb5.keytab.
On the client, /etc/ssh/ssh_config requires at least "GSSAPIAuthentication yes".  sshd requires at least "KerberosAuthentication yes" and "GSSAPIAuthentication yes" in the /etc/ssh/sshd_config.

On a real kerberos server, you use the following commands in the kadmin tool to add the necessary principals for ssh to work properly:
addprinc user                                                        # Adds
a valid user to the kerberos principal database
addprinc -randkey host/server.mydomain.net           # Adds a host
principal to the principal database
ktadd -k /etc/krb5.keytab host/server.mydomain.net # exports the principals host/server.mydomain.net to the /etc/krb5.keytab

Restart sshd to be sure it picks up the updated /etc/krb5.keytab file. On the client side, "kinit user", then ssh -l user <server>

That's it.  Now I just have to see if I can get a "host/server.mydomain.net"
principal into the samba domain somehow.

Note: once I get single-sign-on to work, then it should not be necessary to do a kinit first.

br,
Quinn

On Mon, Jul 16, 2012 at 2:34 PM, Quinn Plattel <qiet72 at gmail.com> wrote:

>
> I think I take this back.  This more a workaround than a solution.  
> The workaround makes sshd use any principal found in the database, but 
> a proper kerberos setup would look for the client's hostname principal only.
> The search goes on for a proper samba4 kerberos setup. :-)
>
> br,
> Quinn
>
>
> On Tue, Jul 10, 2012 at 4:07 PM, Quinn Plattel <qiet72 at gmail.com> wrote:
>
>> Hi,
>>
>> I solved my ssh GSSAPI problem.  There were a lot of solutions on 
>> google referring to a proper fqdn in the /etc/hosts file and having 
>> the fqdn's/principals in the kerberos server's keytab file but I 
>> found out that my problem was that the samba4/kerberos server was 
>> running on a multi-homed machine and that the ssh server kerberos 
>> authentication needed the following parameter in order for it to work on multi-homed machines:
>>
>> GSSAPIStrictAcceptorCheck no
>>
>> The default is yes, using "no" will, according to the manpage 
>> "clients may authenticate against any service key stored in the 
>> machine's default store."
>>
>> I hope this helps others that have similar setups as I do.
>>
>> Thank you all for your input.
>>
>> br,
>> Quinn
>>
>>
>>
>>
>
>
> --
> Best regards/Med venlig hilsen,
> Quinn Plattel
>



--
Best regards/Med venlig hilsen,
Quinn Plattel
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list