samba4 success/failure report...all's working despite kerberized ssh

Georg Hopp georg at
Wed Feb 19 01:33:26 MST 2014

Hi again,

first of all, thanks for the very quick responses and valuable hints.
Sadly it is still not working, although the problem has changed
slightly... and for me it has become more puzzling.

@Chan Min Wai:

I've browsed that page. To me it seems not related to my current problem.
I have sssd working; I can log into accounts stored in the AD on
the linux boxes. What I want to achieve now is to ssh into the other machine
with the kerberos ticket I already have, so that I don't have to enter
the password again. I cannot find hints about this on that page.

@steve and Summit:

I was now able to add mail and www via a samba3 net ads join to the
directory. And both look now like this:

dn: CN=www,CN=Computers,DC=weird-web-workers,DC=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: www
instanceType: 4
whenCreated: 20140218214927.0Z
uSNCreated: 4104
name: www
objectGUID:: APdi+TjNzkqRGt/4C3Mvdw==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
objectSid:: AQUAAAAAAAUVAAAAzo8nYOqz+xu+M/h4WgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: www$
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=weird-web-workers,DC
sAMAccountType: 805306369
isCriticalSystemObject: FALSE
primaryGroupID: 515
pwdLastSet: 130372337690000000
servicePrincipalName: HOST/WWW
servicePrincipalName: HOST/
userAccountControl: 593920
whenChanged: 20140218220825.0Z
uSNChanged: 4110
distinguishedName: CN=www,CN=Computers,DC=weird-web-workers,DC=org

so, they have at least the servicePrincipalName entry now.
Anyway, after I managed this the problem was still the same.

After that I checked my DNS settings again, because it seemed that the host
was not found. I realized that the reverse lookup for the ipv6 addresses
is not working... anyway, I configured the PTR entries for them.
This is the samba4 internal DNS.
Never mind, luckily I've configured the hosts also with an ipv4
address and the ipv4 reverse lookup worked.

So I tried to force ssh to use ipv4. But now the server side log looks
pretty much the same as before:

debug1: userauth-request for user test service ssh-connection method
gssapi-with-mic [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method gssapi-with-mic [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: Killing privsep child 5216

and on the client (ssh -vvv -4 -p 2222):

debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/test/.ssh/id_rsa ((nil)),
debug2: key: /home/test/.ssh/id_dsa ((nil)),
debug2: key: /home/test/.ssh/id_ecdsa ((nil)),
debug1: Authentications that can continue:
debug3: start over, passed a different list
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address
debug2: we sent a gssapi-with-mic packet, wait for reply
Connection closed by

So from the logs it looks as if the ssh client tries to authenticate the
connection via gssapi-with-mic but the server then drops it and
says nothing about the reason.

I would be very thankful if anyone has further hints.

best regards

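Added example (not from the thread above, and not Samba or OpenSSH code): a small checker that parses an LDIF computer entry like the one quoted in the post and reports which HOST/ service principal names it carries. GSSAPI authentication to sshd needs a host/<fqdn> principal, so the useful question is whether the entry has the fully-qualified form and not only the short NetBIOS form. The LDIF below is a constructed copy of a few lines of the quoted 'www' entry; the expected FQDN (www.weird-web-workers.org) is an assumption built from the cn and the DC= components of the DN, and the second SPN is kept as the truncated "HOST/" that the mail shows.

```python
"""Check an AD computer object's servicePrincipalName values for the
host/<fqdn> SPN that GSSAPI-authenticated sshd relies on.

Added example, not code from the mailing-list thread or from Samba.
"""
from typing import Dict, List

# Constructed excerpt of the 'www' entry quoted in the post (not the full dump).
SAMPLE_LDIF = """\
dn: CN=www,CN=Computers,DC=weird-web-workers,DC=org
objectClass: computer
cn: www
objectGUID:: APdi+TjNzkqRGt/4C3Mvdw==
sAMAccountName: www$
servicePrincipalName: HOST/WWW
servicePrincipalName: HOST/
"""


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse a single LDIF entry into attribute -> list of values.

    Handles LDIF line folding (continuation lines start with a space)
    and the '::' marker for base64 values, which are kept as-is.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        elif raw.strip():
            lines.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = value[1:]
        attrs.setdefault(name, []).append(value.strip())
    return attrs


def dn_to_dns_domain(dn: str) -> str:
    """Build the DNS domain from the DC= components of a DN."""
    parts = [p.split("=", 1)[1] for p in dn.split(",") if p.upper().startswith("DC=")]
    return ".".join(parts)


def check_host_spns(attrs: Dict[str, List[str]], fqdn: str = None) -> Dict[str, object]:
    """Report which HOST/ SPNs the entry has.

    fqdn: expected fully-qualified host name; if omitted it is assumed
    to be <cn>.<dns domain derived from the DN>.
    """
    cn = attrs["cn"][0]
    if fqdn is None:
        fqdn = f"{cn}.{dn_to_dns_domain(attrs['dn'][0])}"
    spns = attrs.get("servicePrincipalName", [])
    host_spns = [s for s in spns if s.upper().startswith("HOST/")]
    hosts = {s.split("/", 1)[1].lower() for s in host_spns}
    return {
        "fqdn": fqdn.lower(),
        "has_short": cn.lower() in hosts,          # HOST/WWW style
        "has_fqdn": fqdn.lower() in hosts,         # HOST/www.example.org style
        "empty": [s for s in host_spns if s.split("/", 1)[1] == ""],
    }


if __name__ == "__main__":
    result = check_host_spns(parse_ldif(SAMPLE_LDIF))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against a real entry, feed it the output of an ldbsearch/ldapsearch for the computer object and pass the host name the ssh client actually connects to as fqdn; if has_fqdn is False the GSSAPI exchange has no matching principal to succeed against, which fits a server that silently drops the gssapi-with-mic attempt.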