samba4 success/failure report...all's working despite kerberized ssh

Georg Hopp georg at steffers.org
Wed Feb 19 02:15:33 MST 2014


On Wed, Feb 19, 2014 at 09:48:01AM +0100, Sumit Bose wrote:
> did you remove the old keytab on mail before joining? Because typically
> only new entries are added to a keytab but old ones are rarely removed.
> Additionally I'm not sure if sshd looks for keytab entries starting with
> HOST/... as well or only for host/...?
> 
> If you are using a recent MIT Kerberos version on the client you might
> want to try
> 
> KRB5_TRACE=/dev/stdout ssh -vvv -4 -p 2222 mail.weird-web-workers.org
> 
> which might give more details about what libkrb5 on the client tries to
> do.
> 
> bye,
> Sumit
> 

Thanks, Sumit!

Yes, I completely removed the old keytab.

Here is what klist -k -t -e gives me on mail:

   1 02/18/2014 22:51:16 mail$@WEIRD-WEB-WORKERS.ORG (des-cbc-crc) 
   1 02/18/2014 22:51:16 mail$@WEIRD-WEB-WORKERS.ORG (des-cbc-md5) 
   1 02/18/2014 22:51:16 mail$@WEIRD-WEB-WORKERS.ORG (arcfour-hmac) 
   1 02/18/2014 22:51:58 MAIL$@WEIRD-WEB-WORKERS.ORG (des-cbc-crc) 
   1 02/18/2014 22:51:58 MAIL$@WEIRD-WEB-WORKERS.ORG (des-cbc-md5) 
   1 02/18/2014 22:51:58 MAIL$@WEIRD-WEB-WORKERS.ORG (arcfour-hmac) 
   1 02/18/2014 22:52:08 host/mail at WEIRD-WEB-WORKERS.ORG (des-cbc-crc) 
   1 02/18/2014 22:52:08 host/mail at WEIRD-WEB-WORKERS.ORG (des-cbc-md5) 
   1 02/18/2014 22:52:08 host/mail at WEIRD-WEB-WORKERS.ORG (arcfour-hmac) 
   1 02/18/2014 22:52:16 host/MAIL at WEIRD-WEB-WORKERS.ORG (des-cbc-crc) 
   1 02/18/2014 22:52:16 host/MAIL at WEIRD-WEB-WORKERS.ORG (des-cbc-md5) 
   1 02/18/2014 22:52:16 host/MAIL at WEIRD-WEB-WORKERS.ORG (arcfour-hmac) 
   1 02/18/2014 22:52:32 host/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG (des-cbc-crc) 
   1 02/18/2014 22:52:32 host/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG (des-cbc-md5) 
   1 02/18/2014 22:52:32 host/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG (arcfour-hmac) 
   1 02/18/2014 22:52:57 host/MAIL.WEIRD-WEB-WORKERS.ORG at WEIRD-WEB-WORKERS.ORG (des-cbc-crc) 
   1 02/18/2014 22:52:57 host/MAIL.WEIRD-WEB-WORKERS.ORG at WEIRD-WEB-WORKERS.ORG (des-cbc-md5) 
   1 02/18/2014 22:52:57 host/MAIL.WEIRD-WEB-WORKERS.ORG at WEIRD-WEB-WORKERS.ORG (arcfour-hmac) 
   1 02/18/2014 22:53:10 HOST/mail at WEIRD-WEB-WORKERS.ORG (des-cbc-crc) 
   1 02/18/2014 22:53:10 HOST/mail at WEIRD-WEB-WORKERS.ORG (des-cbc-md5) 
   1 02/18/2014 22:53:10 HOST/mail at WEIRD-WEB-WORKERS.ORG (arcfour-hmac) 
   1 02/18/2014 22:53:18 HOST/MAIL at WEIRD-WEB-WORKERS.ORG (des-cbc-crc) 
   1 02/18/2014 22:53:18 HOST/MAIL at WEIRD-WEB-WORKERS.ORG (des-cbc-md5) 
   1 02/18/2014 22:53:18 HOST/MAIL at WEIRD-WEB-WORKERS.ORG (arcfour-hmac) 
   1 02/18/2014 22:53:31 HOST/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG (des-cbc-crc) 
   1 02/18/2014 22:53:31 HOST/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG (des-cbc-md5) 
   1 02/18/2014 22:53:31 HOST/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG (arcfour-hmac) 
   1 02/18/2014 22:53:40 HOST/MAIL.WEIRD-WEB-WORKERS.ORG at WEIRD-WEB-WORKERS.ORG (des-cbc-crc) 
   1 02/18/2014 22:53:40 HOST/MAIL.WEIRD-WEB-WORKERS.ORG at WEIRD-WEB-WORKERS.ORG (des-cbc-md5) 
   1 02/18/2014 22:53:40 HOST/MAIL.WEIRD-WEB-WORKERS.ORG at WEIRD-WEB-WORKERS.ORG 

KRB5_TRACE=/dev/stdout ssh -vvv -4 -p 2222 mail.weird-web-workers.org
shows the following additional information:

debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 192.168.120.11.
[6627] 1392800690.87546: Convert service host (service with host as instance) on host mail to principal
[6627] 1392800690.88107: Remote host after forward canonicalization: mail.weird-web-workers.org
[6627] 1392800690.88338: Remote host after reverse DNS processing: mail.weird-web-workers.org
[6627] 1392800690.88369: Got service principal host/mail.weird-web-workers.org@
[6627] 1392800690.88654: ccselect can't find appropriate cache for server principal host/mail.weird-web-workers.org@
[6627] 1392800690.88715: Getting credentials test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org@ using ccache FILE:/tmp/krb5cc_2000_AcQLHy
[6627] 1392800690.88787: Retrieving test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org@ from FILE:/tmp/krb5cc_2000_AcQLHy with result: 0/Success
[6627] 1392800690.88859: Creating authenticator for test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org@, seqnum 336746704, subkey rc4-hmac/3121, session key rc4-hmac/C24B
[6627] 1392800690.88875: Negotiating for enctypes in authenticator: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
debug2: we sent a gssapi-with-mic packet, wait for reply
Connection closed by 192.168.120.11

klist on www after ssh shows:

Ticket cache: FILE:/tmp/krb5cc_2000_AcQLHy
Default principal: test at WEIRD-WEB-WORKERS.ORG

Valid starting       Expires              Service principal
02/19/2014 09:23:48  02/19/2014 19:23:48  krbtgt/WEIRD-WEB-WORKERS.ORG at WEIRD-WEB-WORKERS.ORG
	renew until 02/20/2014 09:23:48
02/19/2014 09:24:19  02/19/2014 19:23:48  host/mail.weird-web-workers.org@
	renew until 02/20/2014 09:23:48
02/19/2014 09:24:19  02/19/2014 19:23:48  host/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG
	renew until 02/20/2014 09:23:48

I am not sure how to interpret this...


best regards
   Georg
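The two things Sumit asks about (whether stale entries survive in the keytab, and which `host/...` spelling sshd and the client will actually match) can be checked mechanically from the `klist -k -t -e` listing posted above. The following is an added example, not code from the thread or from Samba or MIT Kerberos: it parses a listing in that format, flags entries whose enctype is DES or RC4 (the trace above shows the client offering `aes256-cts` and `aes128-cts` first, while this keytab holds only `des-cbc-*` and `arcfour-hmac` keys), groups principals that differ only by case, and confirms that the `host/<fqdn>@REALM` principal the client derived in the trace is present. The sample input is constructed from a subset of the posted entries (the list archive rewrites `@` as ` at `, which the parser accepts alongside a literal `@`); the set of enctypes treated as weak is an assumption to adjust to local policy.

```python
"""Audit a `klist -k -t -e` keytab listing for weak enctypes, case-variant
duplicate principals, and the presence of the expected host principal.

Added example (not from the thread, Samba or MIT Kerberos). The sample
listing is constructed from entries posted in the thread; the weak-enctype
set is an assumption reflecting DES/RC4 deprecation in MIT Kerberos.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the keytab entries posted in the thread.
# Both "principal@REALM" (real klist output) and "principal at REALM"
# (how the list archive rewrites "@") are accepted by the parser.
SAMPLE_KLIST = """\
   1 02/18/2014 22:51:16 mail$@WEIRD-WEB-WORKERS.ORG (des-cbc-crc)
   1 02/18/2014 22:51:16 mail$@WEIRD-WEB-WORKERS.ORG (arcfour-hmac)
   1 02/18/2014 22:52:08 host/mail at WEIRD-WEB-WORKERS.ORG (des-cbc-md5)
   1 02/18/2014 22:52:32 host/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG (arcfour-hmac)
   1 02/18/2014 22:53:31 HOST/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG (arcfour-hmac)
   1 02/18/2014 22:53:40 HOST/MAIL.WEIRD-WEB-WORKERS.ORG at WEIRD-WEB-WORKERS.ORG
"""

# Assumption: enctypes a current MIT Kerberos build deprecates or disables by
# default (single DES) or treats as weak (RC4); tune to local policy.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "arcfour-hmac", "arcfour-hmac-exp", "rc4-hmac", "rc4-hmac-exp",
}

LINE_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+"
    r"(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<principal>\S+?)(?:@|\s+at\s+)(?P<realm>[A-Z0-9.\-]+)"
    r"(?:\s+\((?P<enctype>[^)]+)\))?\s*$"
)


def parse_keytab_listing(text):
    """Return one dict per keytab entry; header, blank and unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["kvno"] = int(entry["kvno"])
        entries.append(entry)
    return entries


def weak_entries(entries):
    """Entries keyed with a DES or RC4 enctype."""
    return [e for e in entries if e["enctype"] and e["enctype"].lower() in WEAK_ENCTYPES]


def case_variant_principals(entries):
    """Principal names are case-sensitive: host/mail and HOST/MAIL are distinct keys,
    and a client only looks for the one it derives (host/<canonical-fqdn>)."""
    groups = defaultdict(set)
    for e in entries:
        groups[e["principal"].lower()].add(e["principal"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def has_expected_host_principal(entries, fqdn, realm):
    """True if host/<fqdn>@REALM, the name the KRB5_TRACE output shows the client using, is keyed."""
    return any(e["principal"] == f"host/{fqdn}" and e["realm"] == realm for e in entries)


def audit(text, fqdn, realm):
    """Summarise the checks for one listing."""
    entries = parse_keytab_listing(text)
    return {
        "entries": len(entries),
        "weak": sorted({e["enctype"] for e in weak_entries(entries)}),
        "missing_enctype": [e["principal"] for e in entries if not e["enctype"]],
        "case_variants": case_variant_principals(entries),
        "has_host_fqdn": has_expected_host_principal(entries, fqdn, realm),
        # The client offered aes256-cts/aes128-cts first; without AES keys in the
        # keytab the server can only accept the weaker types.
        "strong_enctype_present": any(
            e["enctype"] and "aes" in e["enctype"].lower() for e in entries
        ),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_KLIST, "mail.weird-web-workers.org",
                            "WEIRD-WEB-WORKERS.ORG").items():
        print(f"{key}: {value}")
```

Pipe real output into it with `klist -k -t -e | python3 keytab_audit.py` after replacing `SAMPLE_KLIST` with `sys.stdin.read()`; an entry reported under `missing_enctype` is one the listing did not show an enctype for (as with the last line of the posted output) and is worth re-checking directly on the host rather than trusting the pasted copy.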
