[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
Ritter, Marcel - RRZE
marcel.ritter at rrze.fau.de
Wed Jul 11 09:24:46 MDT 2012
Hi Quinn,
thanks for your hint: I still had an old out-of-date /etc/krb5.keytab
from a former installation of samba4 :-(
I simply copied secrets.keytab to /etc/krb5.keytab and everything
worked as described.
I'd really be interested in your progress concerning NFS4 - I've
tried to get this working some time ago - with mixed results in
a "real" Active Directory environment, so maybe I can repay my
debt ;-)
However, doing secure NFS using Samba4 DC would be pretty
cool :-)
Bye,
Marcel
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Quinn Plattel
Sent: Wednesday, 11 July 2012 10:08
To: samba
Subject: Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
Btw, forgot to mention, when testing, make sure on the client you do a "kinit <user>" to get a valid ticket before doing your ssh login. You can check if you have a valid ticket with the "klist" command.
br,
Quinn
On Wed, Jul 11, 2012 at 9:56 AM, Quinn Plattel <qiet72 at gmail.com> wrote:
> Hi Marcel,
>
> On the client machine (Ubuntu 12.04 LTS) I have (dpkg -l) :
> ii krb5-config
> 2.2 Configuration files for Kerberos
> Version 5
> ii krb5-locales
> 1.10+dfsg~beta1-2ubuntu0.1 Internationalization support for
> MIT Kerberos
> ii krb5-user
> 1.10+dfsg~beta1-2ubuntu0.1 Basic programs to authenticate
> using MIT Kerberos
> ii libgssapi-krb5-2
> 1.10+dfsg~beta1-2ubuntu0.1 MIT Kerberos runtime libraries -
> krb5 GSS-API Mechanism
> ii libkrb5-26-heimdal
> 1.6~git20120311.dfsg.1-2 Heimdal Kerberos - libraries
> ii libkrb5-3
> 1.10+dfsg~beta1-2ubuntu0.1 MIT Kerberos runtime libraries
> ii libkrb5support0
> 1.10+dfsg~beta1-2ubuntu0.1 MIT Kerberos runtime libraries -
> Support library
> ii libpam-krb5
> 4.5-3 PAM module for MIT Kerberos
> ii openssh-client
> 1:5.9p1-5ubuntu1 secure shell (SSH) client, for
> secure access to remote machines
>
> On the server machine (Ubuntu 12.04 LTS) I have (dpkg -l):
> ii krb5-config
> 2.2 Configuration files for Kerberos
> Version 5
> ii krb5-locales
> 1.10+dfsg~beta1-2ubuntu0.1 Internationalization support for
> MIT Kerberos
> ii krb5-user
> 1.10+dfsg~beta1-2ubuntu0.1 Basic programs to authenticate
> using MIT Kerberos
> ii libgssapi-krb5-2
> 1.10+dfsg~beta1-2ubuntu0.1 MIT Kerberos runtime libraries -
> krb5 GSS-API Mechanism
> ii libkrb5-26-heimdal
> 1.6~git20120311.dfsg.1-2 Heimdal Kerberos - libraries
> ii libkrb5-3
> 1.10+dfsg~beta1-2ubuntu0.1 MIT Kerberos runtime libraries
> ii libkrb5support0
> 1.10+dfsg~beta1-2ubuntu0.1 MIT Kerberos runtime libraries -
> Support library
> ii openssh-client
> 1:5.9p1-5ubuntu1 secure shell (SSH) client, for
> secure access to remote machines
> ii openssh-server
> 1:5.9p1-5ubuntu1 secure shell (SSH) server, for
> secure access from remote machines
> samba Version 4.0.0beta3-GIT-UNKNOWN
>
> Without "GSSAPIStrictAcceptorCheck no" you need an fqdn in the client's
> /etc/hosts file and have all the principals needed added to the
> server's keytab file, but this is not necessary if you use the parameter.
> With the parameter, the only thing you need to make sure of is that on
> the server /var/lib/samba/secrets.keytab is copied or linked to
> /etc/krb5.keytab (sshd looks for it). You can use the keytab file as
> it is without copying any extra principals into it.
>
> You can have a very simple /etc/hosts on the client such as:
> 127.0.0.1 localhost
> 127.0.1.1 ubuntu-test
>
> This setup probably only works for ssh kerberos. nfsv4, pam logins,
> and other kerberos aware services may need strict checking. That is
> my next research project.
>
> For ssh debugging, on the server I used -ddd for sshd and looked at
> both syslog and auth.log under /var/log. On the client, I used ssh
> -vvvl <user> <server>. For kerberos samba4 debugging, start samba with
> the "-d 5" parameter and then "tail -f /var/log/samba/log.samba|grep
> Kerberos:"
>
> br,
> Quinn
>
>
>
> On Wed, Jul 11, 2012 at 8:32 AM, Ritter, Marcel - RRZE <
> marcel.ritter at rrze.fau.de> wrote:
>
>> Hi Quinn,
>>
>> I just tried your solution (my machine is also multi-homed). However,
>> it doesn't work for me. The man-page of sshd_config also states that
>> the behavior of "GSSAPIStrictAcceptorCheck" may depend on the used
>> krb5 libraries.
>>
>> Could you please have a look at the krb5 and openssh versions you're
>> using (and perhaps the linux distribution/version)?
>>
>> BTW: I'm running:
>> Ubuntu 12.04 LTS
>> openssh-server 5.9p1-5ubuntu1
>> libkrb5-3 1.10+dfsg~beta1-2ubuntu0.1
>>
>> auth.log mentions (during failed login):
>> Unspecified GSS failure.
>> Minor code may provide more information:
>> Wrong principal in request
>>
>> Thanks,
>> Marcel
>>
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org
>> [mailto:samba-bounces at lists.samba.org]
>> On behalf of Quinn Plattel
>> Sent: Tuesday, 10 July 2012 16:08
>> To: samba
>> Subject: Re: [Samba] How do I get an ssh client to authenticate with
>> samba4's kerberos GSSAPI? [Solved]
>>
>> Hi,
>>
>> I solved my ssh GSSAPI problem. There were a lot of solutions on
>> google referring to a proper fqdn in the /etc/hosts file and having
>> the fqdn's/principals in the kerberos server's keytab file but I
>> found out that my problem was that the samba4/kerberos server was
>> running on a multi-homed machine and that the ssh server kerberos
>> authentication needed the following parameter in order for it to work on multi-homed machines:
>>
>> GSSAPIStrictAcceptorCheck no
>>
>> The default is yes; using "no" means, according to the manpage,
>> "clients may authenticate against any service key stored in the
>> machine's default store."
>>
>> I hope this helps others that have similar setups as I do.
>>
>> Thank you all for your input.
>>
>> br,
>> Quinn
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>
>
>
--
Best regards/Med venlig hilsen,
Quinn Plattel
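The thread's two failure modes (a stale or incomplete /etc/krb5.keytab giving "Wrong principal in request", and the strict acceptor check on a multi-homed host) can be checked before touching sshd. The following is an added example, not code from the thread or from Samba or OpenSSH: it parses a constructed sshd_config fragment using OpenSSH's first-match-wins rule and its documented defaults (GSSAPIAuthentication no, GSSAPIStrictAcceptorCheck yes), parses a constructed `klist -k` listing (the column layout is assumed from MIT krb5 output), and reports whether the acceptor would find a key for the service principal the client asks for. The hostnames, realm and file contents are constructed.

```python
"""Offline check of sshd's GSSAPI acceptor against a keytab listing.

Added example; the sshd_config fragment, keytab listing, hostnames and
realm below are constructed and not taken from the thread's machines.
"""
import re

# Constructed sshd_config fragment; the commented-out line is how the
# option usually appears before anyone edits it.
SSHD_CONFIG = """\
# Kerberos / GSSAPI
GSSAPIAuthentication yes
#GSSAPIStrictAcceptorCheck yes
"""

# Constructed `klist -k /etc/krb5.keytab` output (layout assumed from MIT krb5).
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/dc1.example.lan@EXAMPLE.LAN
   1 host/dc1@EXAMPLE.LAN
   1 HOST/dc1.example.lan@EXAMPLE.LAN
"""


def effective_sshd_gssapi(config_text):
    """Return (gssapi_authentication, strict_acceptor_check) as booleans.

    OpenSSH keywords are case-insensitive and the first value for a keyword
    wins; lines starting with '#' are comments. Defaults: no / yes.
    """
    settings = {"GSSAPIAuthentication": "no", "GSSAPIStrictAcceptorCheck": "yes"}
    seen = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        canon = next((k for k in settings if k.lower() == key), None)
        if canon is not None and canon not in seen:
            settings[canon] = value
            seen.add(canon)
    return (settings["GSSAPIAuthentication"] == "yes",
            settings["GSSAPIStrictAcceptorCheck"] == "yes")


def keytab_principals(listing):
    """Extract 'service/host@REALM' names from `klist -k` output."""
    principals = []
    for line in listing.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.append(m.group(1))
    return principals


def expected_service_principal(resolved_server_name, realm):
    """The client asks for host/<name it resolved for the server>@REALM.

    That resolved name comes from DNS or /etc/hosts on the client, which is
    why a wrong or missing fqdn there produces a ticket the server cannot use.
    """
    return "host/%s@%s" % (resolved_server_name, realm)


def acceptor_verdict(requested_principal, principals, strict):
    """Say whether sshd's acceptor has a usable key for the presented ticket.

    With strict checking the key for exactly the requested principal must be
    in the keytab; with it off, any service key in the default keytab may be
    used (the sshd_config man page wording quoted in the thread).
    """
    if not principals:
        return "no keys in keytab: nothing can decrypt the ticket"
    if requested_principal in principals:
        return "ok: key for %s present" % requested_principal
    if strict:
        return ("Wrong principal in request: client asked for %s, keytab has %s"
                % (requested_principal, ", ".join(principals)))
    return "ok: strict check off, any service key in the keytab may be used"


def diagnose(config_text, listing, resolved_server_name, realm):
    """Combine the three checks into one verdict string."""
    auth_on, strict = effective_sshd_gssapi(config_text)
    if not auth_on:
        return "GSSAPIAuthentication is off: sshd will not try Kerberos at all"
    wanted = expected_service_principal(resolved_server_name, realm)
    return acceptor_verdict(wanted, keytab_principals(listing), strict)


if __name__ == "__main__":
    # The client resolved the server under an alias not present in the keytab.
    print(diagnose(SSHD_CONFIG, KEYTAB_LISTING, "dc1-backnet.example.lan", "EXAMPLE.LAN"))
    print(diagnose(SSHD_CONFIG, KEYTAB_LISTING, "dc1.example.lan", "EXAMPLE.LAN"))
```

Run it with the real files by feeding it the output of `klist -k /etc/krb5.keytab` and the contents of /etc/sshd_config; a "Wrong principal in request" verdict with the strict check on is the situation Marcel hit with the stale keytab, and the same inputs with `GSSAPIStrictAcceptorCheck no` show why Quinn's multi-homed server stopped caring which of its names the client resolved.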