[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?

Quinn Plattel qiet72 at gmail.com
Tue Jul 10 02:46:28 MDT 2012


Very interesting.  ssh does seem to authenticate via GSSAPI even though it
reports failure.

ssh does ask for password every time but it always tries to authenticate
with GSSAPI before trying pam.  I found out that my kerberos/samba4
password worked as well as my pam password and they are two different
passwords.
Even if you do a kdestroy or don't do a kinit at all, it will always try
GSSAPI with the specified user first.  It still does not explain why we
cannot have a passwordless ssh kerberos login.

br,
Quinn


On Tue, Jul 10, 2012 at 10:07 AM, Quinn Plattel <qiet72 at gmail.com> wrote:

> Hi,
>
> Ok, I managed to find some more debugging info.
>
> When I kinit on the client, log.samba on the server reports (I put spaces
> around every "@" so that the list does not interpret them as e-mail
> addresses):
>
>   Kerberos: AS-REQ user @ MYDOMAIN.NET from ipv4:10.45.1.55:51790 for
> krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
>   Kerberos: Client sent patypes: 149
>   Kerberos: Looking for PKINIT pa-data -- user @ MYDOMAIN.NET
>   Kerberos: Looking for ENC-TS pa-data -- user @ MYDOMAIN.NET
>   Kerberos: No preauth found, returning PREAUTH-REQUIRED -- user @
> MYDOMAIN.NET
>   Kerberos: AS-REQ user @ MYDOMAIN.NET from ipv4:10.45.1.55:34138 for
> krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
>   Kerberos: Client sent patypes: encrypted-timestamp, 149
>   Kerberos: Looking for PKINIT pa-data -- user @ MYDOMAIN.NET
>   Kerberos: Looking for ENC-TS pa-data -- user @ MYDOMAIN.NET
>   Kerberos: ENC-TS Pre-authentication succeeded -- user @ MYDOMAIN.NETusing arcfour-hmac-md5
>   Kerberos: AS-REQ authtime: 2012-07-10T09:53:20 starttime: unset endtime:
> 2012-07-10T19:53:20 renew till: 2012-07-11T09:53:11
>   Kerberos: Client supported enctypes: arcfour-hmac-md5, using
> arcfour-hmac-md5/arcfour-hmac-md5
>   Kerberos: Requested flags: renewable-ok, proxiable, forwardable
>
> Then when I try to ssh to the server, log.samba reports:
>   Kerberos: TGS-REQ user @ MYDOMAIN.NET from ipv4:10.45.1.55:51485 for
> host/cofil01.mydomain.net @ MYDOMAIN.NET [canonicalize, renewable,
> proxiable, forwardable]
>   Kerberos: TGS-REQ authtime: 2012-07-10T09:53:20 starttime:
> 2012-07-10T09:53:39 endtime: 2012-07-10T19:53:20 renew till:
> 2012-07-11T09:53:11
>
> and ssh just reports:
>
>  debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
>  debug2: we sent a gssapi-with-mic packet, wait for reply
>  debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
>  debug2: we did not send a packet, disable method
>
> If I repeat the ssh command, nothing pops up in log.samba unless I kinit
> again.  When looking at the log.samba file, it looks like ssh GSSAPI
> succeeded but ssh thinks differently.
>
> br,
> Quinn
>
>


-- 
Best regards/Med venlig hilsen,
Quinn Plattel
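The log.samba lines quoted in this thread can be triaged mechanically. The following is an added Python example, not code from the thread or from Samba, that parses KDC lines in that format (a constructed sample modelled on the quoted excerpt, with a hypothetical realm, host and client address) and reports whether the host/ service ticket the ssh GSSAPI step needs was actually requested, from where, and over which enctype:

```python
import re

# Constructed sample modelled on the log.samba excerpt quoted in the thread (hypothetical
# realm, host and client address); the fused "NETusing" token is kept as in the original.
SAMPLE_LOG = """\
  Kerberos: AS-REQ user @ MYDOMAIN.NET from ipv4:10.45.1.55:51790 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- user @ MYDOMAIN.NET
  Kerberos: AS-REQ user @ MYDOMAIN.NET from ipv4:10.45.1.55:34138 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
  Kerberos: Client sent patypes: encrypted-timestamp, 149
  Kerberos: ENC-TS Pre-authentication succeeded -- user @ MYDOMAIN.NETusing arcfour-hmac-md5
  Kerberos: Client supported enctypes: arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
  Kerberos: TGS-REQ user @ MYDOMAIN.NET from ipv4:10.45.1.55:51485 for host/cofil01.mydomain.net @ MYDOMAIN.NET [canonicalize, renewable, proxiable, forwardable]
"""

# RC4 and single DES are the enctypes a defender wants flagged in KDC logs.
WEAK_ENCTYPES = {"arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5"}
REQ_RE = re.compile(r"Kerberos: (AS-REQ|TGS-REQ) (\S+) @ (\S+) from (\S+) for (\S+) @ (\S+)")
PREAUTH_OK_RE = re.compile(r"Pre-authentication succeeded -- (\S+) @ (\S+) ?using (\S+)")

def _entry(summary, principal):
    return summary.setdefault(principal, {"preauth_ok": False, "enctype": None,
                                          "services": [], "sources": set()})

def summarize_kdc_log(text):
    """Per client principal: preauth result and enctype, source addresses, services requested."""
    summary = {}
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if m:
            kind, user, realm, src, svc, svc_realm = m.groups()
            e = _entry(summary, f"{user}@{realm}")
            # "ipv4:10.45.1.55:51790" -> keep the address, drop the port
            e["sources"].add(src.split(":")[1] if src.startswith("ipv4:") else src)
            if kind == "TGS-REQ":
                e["services"].append(f"{svc}@{svc_realm}")
            continue
        m = PREAUTH_OK_RE.search(line)
        if m:
            user, realm, enctype = m.groups()
            e = _entry(summary, f"{user}@{realm}")
            e["preauth_ok"], e["enctype"] = True, enctype
    return summary

def service_ticket_requested(summary, principal, service):
    """True if the KDC logged a TGS-REQ by principal for service, the ticket sshd's GSSAPI method needs."""
    return service in summary.get(principal, {}).get("services", [])

def weak_enctype_principals(summary):
    """Principals whose pre-authentication ran over a weak enctype."""
    return sorted(p for p, e in summary.items() if e["enctype"] in WEAK_ENCTYPES)
```

Run against a real log.samba, a TGS-REQ for the sshd host principal with no matching success on the ssh side points at the client or sshd side (keytab, principal name, GSSAPI settings) rather than the KDC, which is the split the thread was trying to establish.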

