[Samba] samba4 success/failure report...all's working despite kerberized ssh
Stéphane PURNELLE
stephane.purnelle at corman.be
Thu Feb 20 04:10:12 MST 2014
Just a tip...
is all server have same time ?
not sure that will help you..
-----------------------------------
Stéphane PURNELLE Admin. Systèmes et Réseaux
Service Informatique Corman S.A. Tel : 00 32 (0)87/342467
samba-technical-bounces at lists.samba.org wrote on 20/02/2014 10:46:38:
> De : Georg Hopp <georg at steffers.org>
> A : Sumit Bose <sbose at redhat.com>,
> Cc : samba-technical at lists.samba.org
> Date : 20/02/2014 10:47
> Objet : Re: samba4 success/failure report...all's working despite
> kerberized ssh
> Envoyé par : samba-technical-bounces at lists.samba.org
>
> On Wed, Feb 19, 2014 at 12:09:32PM +0000, Georg Hopp wrote:
> > On Wed, Feb 19, 2014 at 11:50:59AM +0100, Sumit Bose wrote:
> > >
> > > This looks all good, the additional output after kdestroy is due to
the
> > > fact that the TGT must be requested here too.
> > >
> > > Can you run sshd on mail with KRB5_TRACE as well?
> > >
> > > bye,
> > > Sumit
> > >
> >
> > KRB5_TRACE=/dev/stdout /usr/sbin/sshd -ddd -p 2222
> >
> > I am sorry, this does not reveal any new messages...
> >
> > but I think kerberos authentication is active:
>
> OK, I have no more idea...
>
> I also added a .k5login file in the users homedir in the server.
> Content was only one line:
>
> test at WEIRD-WEB-WORKERS.ORG
>
> But this hasen't helped either. If I understand the use of .k5login
> correct it's purpose is for mappings if the username within the
> directory is not the same as on the system, e.g. if I want to
> let test log into an account foo on the system.
>
> To summarize:
>
> - The user is configured in samba4 ldap (no local user)
> - Not using gssapi and use password challange works.
> * It does not matter if I deactivate gssapi in the client or server,
> as soon as it is deactivated I get a password challange and can
> log in.
> - As soon as client and server are configured to use gssapi the server
> closes the connection when it should process the gssapi-with-mic
> package.
>
> Hmm, this gssapi-with-mic packet should be traceable...
> I could send in a tcpdump if that would be of any help but I
> don't know what options to use for it to generate useful output.
>
> Can anyone help me with this...
>
> best regards
> Georg
> [attachment "signature.asc" deleted by Stéphane PURNELLE/COR/SOPARIND]
More information about the samba
mailing list