[Samba] Trouble in ssh into Windows machines in the Windows/Samba Domain
Rowland penny
rpenny at samba.org
Mon Apr 12 19:11:26 UTC 2021
On 12/04/2021 18:59, Nicola Mingotti via samba wrote:
>
>
> FYI. About the public key auth. @bagajjal
> <https://github.com/bagajjal> in the github openssh channels says he will
> ask a Windows Auth expert.
> The issue is in the Win32 API LsaLogonUser().
>
> About the Kerberos auth Linux-Linux, what did you do to have it working
> besides what is written in "OpenSSH single sign on"? That info to me was
> not enough to have it running.
OK, I did it like this (just tested again):
You require these lines in smb.conf:
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind use default domain = yes
and in /etc/security/pam_winbind.conf (if they are not set in
/etc/pam.d/common-auth):
krb5_auth = yes
krb5_ccache_type = FILE
Forward and reverse DNS must be working
SSH server setup
In /etc/ssh/sshd_config ensure you have the following options set:
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes
Then restart sshd.
SSH client setup
For the client side, ensure you have the following set under an
appropriate "Host" section in /etc/ssh/ssh_config:
Host *
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIRenewalForcesRekey yes
GSSAPITrustDns yes
Host *.samdom.example.com
# It's best to limit this option to only trusted hosts:
GSSAPIDelegateCredentials yes
You must have a keytab /etc/krb5.keytab on the server
You can export this on the server with:
sudo net ads keytab create
Once everything is set up, login like this:
rowland at devstation:~$ ssh -K rp400.samdom.example.com
Linux rp400 5.4.72-v7l+ #1356 SMP Thu Oct 22 13:57:51 BST 2020 armv7l
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Apr 12 20:01:28 2021 from 192.168.0.49
rowland at rp400:~ $
Rowland
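The settings in Rowland's reply are spread over four files plus a keytab, and a single missing line is easy to overlook. The script below is an added example, not code from the post or from the Samba project: it audits a host for the smb.conf, pam_winbind.conf and sshd_config lines listed above, checks that the keytab is not readable by other local users (a readable keytab exposes the host's Kerberos key), and checks the forward/reverse DNS agreement the post requires. The config files it runs against are constructed samples written to a temporary directory; the real paths and the use of glibc's getent for the DNS check are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): audit the Kerberos SSO
# settings described in the reply. Sample files below are constructed.

# check_kv FILE KEY VALUE: succeed if FILE has "KEY = VALUE"
# (smb.conf / pam_winbind.conf style; key case and whitespace ignored).
check_kv() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1"
}

# check_opt FILE KEY VALUE: succeed if FILE has "KEY VALUE" (sshd_config style).
check_opt() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$" "$1"
}

# audit_smb FILE: 0 if the four smb.conf lines from the post are present.
audit_smb() {
    rc=0
    check_kv "$1" "dedicated keytab file" "/etc/krb5.keytab" || { echo "smb: dedicated keytab file missing" >&2; rc=1; }
    check_kv "$1" "kerberos method" "secrets and keytab"    || { echo "smb: kerberos method missing" >&2; rc=1; }
    check_kv "$1" "winbind refresh tickets" yes             || { echo "smb: winbind refresh tickets missing" >&2; rc=1; }
    check_kv "$1" "winbind use default domain" yes          || { echo "smb: winbind use default domain missing" >&2; rc=1; }
    return $rc
}

# audit_sshd FILE: 0 if all four GSSAPI server options are set to yes.
audit_sshd() {
    rc=0
    for opt in GSSAPIAuthentication GSSAPICleanupCredentials \
               GSSAPIKeyExchange GSSAPIStoreCredentialsOnRekey; do
        check_opt "$1" "$opt" yes || { echo "sshd: '$opt yes' missing in $1" >&2; rc=1; }
    done
    return $rc
}

# audit_keytab FILE: 0 if the keytab exists and only its owner can read it.
# Group/other read access would let any local user extract the host key.
audit_keytab() {
    [ -f "$1" ] || { echo "keytab $1 does not exist" >&2; return 1; }
    case $(ls -l "$1" | cut -c5-10) in
        ------) return 0 ;;
        *) echo "keytab $1 is readable by group/other" >&2; return 1 ;;
    esac
}

# check_dns HOST: 0 if HOST resolves and the address resolves back to HOST
# (the forward/reverse agreement the post requires). Assumes glibc getent;
# not exercised on the constructed samples since it needs a resolver.
check_dns() {
    ip=$(getent hosts "$1" | awk 'NR==1{print $1}')
    [ -n "$ip" ] || { echo "$1 does not resolve" >&2; return 1; }
    back=$(getent hosts "$ip" | awk 'NR==1{print $2}')
    [ "$back" = "$1" ] || { echo "reverse of $ip is '$back', not $1" >&2; return 1; }
}

# Constructed sample files (not real host configuration).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind refresh tickets = yes
   winbind use default domain = yes
EOF
cat > "$SAMPLE_DIR/sshd_config.good" <<'EOF'
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes
EOF
# Same idea with two options left out, to show a failing audit.
cat > "$SAMPLE_DIR/sshd_config.bad" <<'EOF'
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF
printf 'constructed-keytab' > "$SAMPLE_DIR/krb5.keytab";       chmod 600 "$SAMPLE_DIR/krb5.keytab"
printf 'constructed-keytab' > "$SAMPLE_DIR/krb5.keytab.loose"; chmod 644 "$SAMPLE_DIR/krb5.keytab.loose"

# Demonstration run over the samples; on a real host pass the live paths instead.
for f in "$SAMPLE_DIR/smb.conf:audit_smb" "$SAMPLE_DIR/sshd_config.good:audit_sshd" \
         "$SAMPLE_DIR/sshd_config.bad:audit_sshd" "$SAMPLE_DIR/krb5.keytab:audit_keytab" \
         "$SAMPLE_DIR/krb5.keytab.loose:audit_keytab"; do
    path=${f%%:*}; fn=${f##*:}
    if "$fn" "$path" 2>/dev/null; then echo "OK   $path"; else echo "FAIL $path"; fi
done
```

To audit a real server, call the functions with the live paths (for example `audit_sshd /etc/ssh/sshd_config`, `audit_keytab /etc/krb5.keytab`, `check_dns rp400.samdom.example.com`); each prints what is missing on stderr and returns non-zero, so the script can sit in a configuration check before `ssh -K` is tried.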