samba4 success/failure report...all's working despite kerberized ssh

Sumit Bose sbose at
Wed Feb 19 01:48:01 MST 2014

On Wed, Feb 19, 2014 at 08:33:26AM +0000, Georg Hopp wrote:
> Hi again,
> first of all thank for the very quick responses and valuable hints.
> Sadly it is still not working although the problem has changed
> slightly... and for me it has become more puzzling.
> @Chan Min Wai:
> I've browsed that page. To me it seems not related to my current problem.
> I have sssd working, I can log into accounts stored into the AD on
> the linux boxes. What I want to achive now is ssh into the other machine
> with the kerberos tickit I already have, so that I don't have to enter
> the pasword again. I cannot find hints about this on this page.
> @steve and Summit:
> I was now able to add mail and www via a samba3 net ads join to the
> directory. And both look now like this:

did you remove the old keytab on mail before joining? Because typically
only new entries are added to a keytab but old ones are rarely removed.
Additionally I'm not sure if sshd looks for keytab entries starting with
HOST/... as well or only for host/...?

If you are using a recent MIT Kerberos version on the client you might
want to try

KRB5_TRACE=/dev/stdout ssh -vvv -4 -p 2222

which might give more details about what libkrb5 on the client tries to


> dn: CN=www,CN=Computers,DC=weird-web-workers,DC=org
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> objectClass: computer
> cn: www
> instanceType: 4
> whenCreated: 20140218214927.0Z
> uSNCreated: 4104
> name: www
> objectGUID:: APdi+TjNzkqRGt/4C3Mvdw==
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> objectSid:: AQUAAAAAAAUVAAAAzo8nYOqz+xu+M/h4WgQAAA==
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: www$
> objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=weird-web-workers,DC
>  =org
> sAMAccountType: 805306369
> isCriticalSystemObject: FALSE
> primaryGroupID: 515
> pwdLastSet: 130372337690000000
> dNSHostName:
> servicePrincipalName: HOST/WWW
> servicePrincipalName: HOST/
> userAccountControl: 593920
> whenChanged: 20140218220825.0Z
> uSNChanged: 4110
> distinguishedName: CN=www,CN=Computers,DC=weird-web-workers,DC=org
> so, they have at least the servicePrincipalName entry now.
> Anyway, after I managed this the problem was still the same.
> After that I checked my DNS setting again, because it seemed that the host
> was not found. I realized that the reverse lookup for the ipv6 addresses
> are not working...anyway, I configured the PTR entries for them,
> This is the samba4 internal DNS.
> Never mind, luckily i've configured the hosts also with an ipv4
> address and the ipv4 reverse lookup worked.
> So I tried to force ssh to use ipv4. But now the server side log looks
> pretty much the same as before:
> debug1: userauth-request for user test service ssh-connection method
> gssapi-with-mic [preauth]
> debug1: attempt 1 failures 0 [preauth]
> debug2: input_userauth_request: try method gssapi-with-mic [preauth]
> debug1: monitor_read_log: child log fd closed
> debug3: mm_request_receive entering
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug3: PAM: sshpam_thread_cleanup entering
> debug1: Killing privsep child 5216
> and on the client ssh -vvv -4 -p 2222
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/test/.ssh/id_rsa ((nil)),
> debug2: key: /home/test/.ssh/id_dsa ((nil)),
> debug2: key: /home/test/.ssh/id_ecdsa ((nil)),
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,keyboard-interactive
> debug3: start over, passed a different list
> publickey,gssapi-with-mic,keyboard-interactive
> debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug3: Trying to reverse map address
> debug2: we sent a gssapi-with-mic packet, wait for reply
> Connection closed by
> So from the logs it looks as if the ssh client tries to enable the
> connection via gssapi-with-mic but the server than drops it and
> says nothing about the reason.
> I would be very thankful if anyone has further hints.
> best regards
>     Georg

More information about the samba-technical mailing list