samba4 success/failure report...all's working despite kerberized ssh

Georg Hopp georg at steffers.org
Tue Feb 18 06:13:53 MST 2014


Hi,

this is my success and failure report of installing samba 4.1.4
as an account management and authentication system for a heterogeneous
computer network consisting of Linux servers and Linux/Windows
user workstations.

The Linux systems run under an up-to-date Gentoo and the one Windows
machine is a Windows 7 Professional.

All these machines are bridged to the same network. Some are connected
via OpenVPN. Currently these run on a dual stack IPv4 and IPv6.
In this report I focus on the samba machine (DC), the Windows machine
and two further Linux machines (www and mail).

First I created a dedicated machine for the DC. Then I installed samba
using portage and followed the instructions on

https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO.

I use the internal samba DNS as this was the easiest solution for the
moment. The installation worked without any trouble at all. I was able
to add the Windows machine to the domain.
I installed the Windows Remote Administration Tools on the Windows machine
and added a user test as well as some Linux machines (www and mail) with them.
I also configured the DNS entries for these Linux machines.

Here is the current domain configuration:

Forest           : weird-web-workers.org
Domain           : weird-web-workers.org
Netbios domain   : WWWORKERS
DC name          : samba.weird-web-workers.org
DC netbios name  : SAMBA
Server site      : Default-First-Site-Name
Client site      : Default-First-Site-Name

The next goal was to be able to log into the Linux machines with this
test user.

I followed the instructions under

https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd

First I only managed to use plain LDAP authentication until I realized that
I need a kerberized OpenLDAP to get the kerberized LDAP authentication
working. This seems to be a flaw with the Gentoo Linux sssd USE flags.
After I added Kerberos support to my OpenLDAP installation everything worked
as described on that page.

Now I wanted to use samba4 as a KDC for kerberized ssh authentication
(with a TGT). I am not very experienced with Kerberos at all and I still
haven't got it working.

Anyway here are the things I did:

- export a keytab for the principals mail$, MAIL$, host/mail, HOST/mail,
  host/mail.weird-web-workers.org and HOST/mail.weird-web-workers.org
  and save it as /etc/krb5.keytab on mail.
- the same for www.
- make sure openssh is built with Kerberos support on both mail and www.
- add the following configuration options to sshd_config on both hosts:
   * KerberosAuthentication yes
   * KerberosTicketCleanup yes
   * GSSAPIAuthentication yes
   * GSSAPICleanupCredentials yes
   * UseDNS yes
- add the following configuration options to ssh_config on both hosts:
   * RSAAuthentication yes
   * PasswordAuthentication yes
   * GSSAPITrustDns yes
- add "kerberos method = secrets and keytab" to the DC smb.conf
- reload samba config on DC and restart sshd on www and mail

Another note... samba, www and mail are LXC containers on the same host.
So the time on them is in perfect sync.
Also I am able to forward and reverse lookup each of them from each of
them. They all use the samba DNS for name resolution.

Next I log in from my workstation to www as the user test. The login
succeeds and I have a TGT afterwards.

Ticket cache: FILE:/tmp/krb5cc_2000_Nc0h9d
Default principal: test@WEIRD-WEB-WORKERS.ORG

Valid starting       Expires              Service principal
02/18/2014 13:42:07  02/18/2014 23:42:07  krbtgt/WEIRD-WEB-WORKERS.ORG@WEIRD-WEB-WORKERS.ORG
	renew until 02/19/2014 13:42:07

This ticket renews with every login from my workstation. But when I now try
to ssh into mail I get a strange behaviour. It seems that the sshd on
mail simply stops...

Here is the output of /usr/sbin/sshd -ddd -p 2222:

debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 446
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 2001:4ba0:ffff:138:1::120 port 59012
debug1: HPN Disabled: 0, HPN Buffer Size: 87380
debug1: Client protocol version 2.0; client software version OpenSSH_6.4p1-hpn14v2
SSH: Server;Ltype: Version;Remote: 2001:4ba0:ffff:138:1::120-59012;Protocol: 2.0;Client: OpenSSH_6.4p1-hpn14v2
debug1: match: OpenSSH_6.4p1-hpn14v2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.4p1-hpn14v2
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing seccomp filter sandbox
debug2: Network child is on pid 1117
debug3: preauth child monitor started
debug3: privsep user:group 22:22 [preauth]
debug1: permanently_set_uid: 22/22 [preauth]
debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
debug1: MYFLAG IS 1 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: AUTH STATE IS 0 [preauth]
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
debug2: kex_parse_kexinit: reserved 0  [preauth]
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
debug2: kex_parse_kexinit: reserved 0  [preauth]
debug2: mac_setup: found hmac-md5-etm@openssh.com [preauth]
debug1: REQUESTED ENC.NAME is 'aes128-ctr' [preauth]
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none [preauth]
SSH: Server;Ltype: Kex;Remote: 2001:4ba0:ffff:138:1::120-59012;Enc: aes128-ctr;MAC: hmac-md5-etm@openssh.com;Comp: none [preauth]
debug2: mac_setup: found hmac-md5-etm@openssh.com [preauth]
debug1: REQUESTED ENC.NAME is 'aes128-ctr' [preauth]
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: mm_key_sign entering [preauth]
debug3: mm_request_send entering: type 6 [preauth]
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect entering: type 7 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0xe5ca1f6cb20(99)
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug2: kex_derive_keys [preauth]
debug2: set_newkeys: mode 1 [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug2: set_newkeys: mode 0 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user test service ssh-connection method none [preauth]
SSH: Server;Ltype: Authname;Remote: 2001:4ba0:ffff:138:1::120-59012;Name: test [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow entering [preauth]
debug3: mm_request_send entering: type 8 [preauth]
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect entering: type 9 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 8
debug3: mm_answer_pwnamallow
debug3: Trying to reverse map address 2001:4ba0:ffff:138:1::120.
debug2: parse_server_config: config reprocess config len 446
debug1: Config token is loglevel
debug1: Config token is passwordauthentication
debug1: Config token is kerberosauthentication
debug1: Config token is kerberosticketcleanup
debug1: Config token is gssapiauthentication
debug1: Config token is gssapicleanupcredentials
debug1: Config token is usepam
debug1: Config token is printmotd
debug1: Config token is printlastlog
debug1: Config token is useprivilegeseparation
debug1: Config token is usedns
debug1: Config token is subsystem
debug1: Config token is acceptenv
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 9
debug2: monitor_read: 8 used once, disabling now
debug2: input_userauth_request: setting up authctxt for test [preauth]
debug3: mm_start_pam entering [preauth]
debug3: mm_request_send entering: type 100 [preauth]
debug3: mm_inform_authserv entering [preauth]
debug3: mm_request_send entering: type 4 [preauth]
debug2: input_userauth_request: try method none [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-with-mic,keyboard-interactive" [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 100
debug1: PAM: initializing for "test"
debug1: PAM: setting PAM_RHOST to "2001:4ba0:ffff:138:1::120"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 100 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 4 used once, disabling now
debug1: userauth-request for user test service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method gssapi-with-mic [preauth]
debug3: mm_request_receive entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: Killing privsep child 1117

And here is the output of ssh -vvv -p 2222 mail:

OpenSSH_6.4, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to mail [2001:4ba0:ffff:138:1::110] port 2222.
debug1: Connection established.
debug1: identity file /home/test/.ssh/id_rsa type -1
debug1: identity file /home/test/.ssh/id_rsa-cert type -1
debug1: identity file /home/test/.ssh/id_dsa type -1
debug1: identity file /home/test/.ssh/id_dsa-cert type -1
debug1: identity file /home/test/.ssh/id_ecdsa type -1
debug1: identity file /home/test/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.4p1-hpn14v2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.4p1-hpn14v2
debug1: match: OpenSSH_6.4p1-hpn14v2 pat OpenSSH*
debug2: fd 6 setting O_NONBLOCK
debug3: put_host_port: [mail]:2222
debug3: load_hostkeys: loading entries for host "[mail]:2222" from file "/home/test/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5-etm@openssh.com
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug2: mac_setup: found hmac-md5-etm@openssh.com
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA c4:8d:ac:f8:b5:40:93:74:28:22:b4:92:a1:83:c4:4f
debug3: put_host_port: [2001:4ba0:ffff:138:1::110]:2222
debug3: put_host_port: [mail]:2222
debug3: load_hostkeys: loading entries for host "[mail]:2222" from file "/home/test/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug3: load_hostkeys: loading entries for host "[2001:4ba0:ffff:138:1::110]:2222" from file "/home/test/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug1: checking without port identifier
debug3: load_hostkeys: loading entries for host "mail" from file "/home/test/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/test/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "2001:4ba0:ffff:138:1::110" from file "/home/test/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/test/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'mail' is known and matches the ECDSA host key.
debug1: Found key in /home/test/.ssh/known_hosts:2
debug1: found matching key w/out port
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/test/.ssh/id_rsa ((nil)),
debug2: key: /home/test/.ssh/id_dsa ((nil)),
debug2: key: /home/test/.ssh/id_ecdsa ((nil)),
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-with-mic,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 2001:4ba0:ffff:138:1::110.
debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure.  Minor code may provide more information


debug2: we sent a gssapi-with-mic packet, wait for reply
Connection closed by 2001:4ba0:ffff:138:1::110


There seems to be a problem when identifying the servers against the
KDC database, but that is only guessing... as I said I am not very
familiar with Kerberos at all.

Perhaps someone here can give me a hint as to what I am doing wrong.

Best regards,
   Georg Hopp
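As an added diagnostic for the "Server not found in Kerberos database" failure in the report (this is not from the original post or from the samba project), the script below derives the service principal the ssh client will request for a target, checks it against a keytab listing, and shows why the short and upper-case variants in the exported keytab do not stand in for the FQDN one. It assumes the realm from the report, a constructed `klist -k` listing as sample data, and MIT-style `klist -k` plus `getent hosts` for the live mode.

```shell
#!/bin/sh
# Added example, not part of the original post. Realm and host names are
# taken from the report; SAMPLE_KLIST is constructed sample data; the live
# mode assumes MIT-style `klist -k` output and `getent hosts`.

REALM="WEIRD-WEB-WORKERS.ORG"

# The ssh client asks the KDC for host/<canonical name>@REALM. The canonical
# name is what the resolver returns for the target; with GSSAPITrustDns yes
# the reverse-mapped name is trusted, so forward and reverse lookups must
# agree. Kerberos principals are case-sensitive: host/mail != HOST/mail.
expected_principal() {
    printf 'host/%s@%s\n' "$1" "$REALM"
}

# Read `klist -k` output on stdin; succeed only if the exact principal ($1)
# appears as a whole field. Header lines contain no principal, so they
# never match.
keytab_has_principal() {
    awk -v want="$1" '
        { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed keytab listing: FQDN principal present, short name absent,
# upper-case variant is a different principal.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/mail.weird-web-workers.org@WEIRD-WEB-WORKERS.ORG
   2 HOST/mail.weird-web-workers.org@WEIRD-WEB-WORKERS.ORG
   2 MAIL$@WEIRD-WEB-WORKERS.ORG'

# Offline check against the sample listing for canonical name $1.
# Returns 0 if the principal the client will request is in the keytab.
check_sample() {
    want=$(expected_principal "$1")
    if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_principal "$want"; then
        echo "keytab has $want"
        return 0
    fi
    echo "keytab lacks $want (GSSAPI login will be refused)"
    return 1
}

# Live check, run on the ssh server: canonicalise $1 the way the resolver
# does, compare forward and reverse names, then inspect the real keytab.
check_live() {
    addr=$(getent hosts "$1" | awk 'NR == 1 { print $1 }') || return 1
    fwd=$(getent hosts "$1" | awk 'NR == 1 { print $2 }')
    rev=$(getent hosts "$addr" | awk 'NR == 1 { print $2 }')
    [ "$fwd" = "$rev" ] || echo "warning: forward ($fwd) and reverse ($rev) names differ"
    want=$(expected_principal "$rev")
    if klist -k /etc/krb5.keytab | keytab_has_principal "$want"; then
        echo "keytab has $want"
    else
        echo "keytab lacks $want"; return 1
    fi
}

if [ "${1:-}" = "--live" ]; then
    check_live "${2:-$(hostname -f)}"
fi
```

Run it with `--live mail` on the ssh server to test the real keytab; without arguments it only defines the functions and the sample data.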