samba4 success/failure report...all's working despite kerberized ssh

Georg Hopp georg at steffers.org
Wed Feb 19 02:28:16 MST 2014


On Wed, Feb 19, 2014 at 09:15:33AM +0000, Georg Hopp wrote:
> On Wed, Feb 19, 2014 at 09:48:01AM +0100, Sumit Bose wrote:
> > did you remove the old keytab on mail before joining? Because typically
> > only new entries are added to a keytab but old ones are rarely removed.
> > Additionally I'm not sure if sshd looks for keytab entries starting with
> > HOST/... as well or only for host/...?
> > 
> > If you are using a recent MIT Kerberos version on the client you might
> > want to try
> > 
> > KRB5_TRACE=/dev/stdout ssh -vvv -4 -p 2222 mail.weird-web-workers.org
> > 
> > which might give more details about what libkrb5 on the client tries to
> > do.
> > 
> > bye,
> > Sumit
> > 
> 
> KRB5_TRACE=/dev/stdout ssh -vvv -4 -p 2222 mail.weird-web-workers.org
> shows the following additional information:
> 
> debug1: Next authentication method: gssapi-with-mic
> debug3: Trying to reverse map address 192.168.120.11.
> [6627] 1392800690.87546: Convert service host (service with host as instance) on host mail to principal
> [6627] 1392800690.88107: Remote host after forward canonicalization: mail.weird-web-workers.org
> [6627] 1392800690.88338: Remote host after reverse DNS processing: mail.weird-web-workers.org
> [6627] 1392800690.88369: Got service principal host/mail.weird-web-workers.org@
> [6627] 1392800690.88654: ccselect can't find appropriate cache for server principal host/mail.weird-web-workers.org@
> [6627] 1392800690.88715: Getting credentials test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org@ using ccache FILE:/tmp/krb5cc_2000_AcQLHy
> [6627] 1392800690.88787: Retrieving test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org@ from FILE:/tmp/krb5cc_2000_AcQLHy with result: 0/Success
> [6627] 1392800690.88859: Creating authenticator for test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org@, seqnum 336746704, subkey rc4-hmac/3121, session key rc4-hmac/C24B
> [6627] 1392800690.88875: Negotiating for enctypes in authenticator: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
> debug2: we sent a gssapi-with-mic packet, wait for reply
> Connection closed by 192.168.120.11
> 
> klist on www after ssh shows:
> 
> Ticket cache: FILE:/tmp/krb5cc_2000_AcQLHy
> Default principal: test at WEIRD-WEB-WORKERS.ORG
> 
> Valid starting       Expires              Service principal
> 02/19/2014 09:23:48  02/19/2014 19:23:48  krbtgt/WEIRD-WEB-WORKERS.ORG at WEIRD-WEB-WORKERS.ORG
> 	renew until 02/20/2014 09:23:48
> 02/19/2014 09:24:19  02/19/2014 19:23:48  host/mail.weird-web-workers.org@
> 	renew until 02/20/2014 09:23:48
> 02/19/2014 09:24:19  02/19/2014 19:23:48  host/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG
> 	renew until 02/20/2014 09:23:48
> 
> I am not sure how to interpret this...
> 
> 
> best regards
>    Georg
> 

Even more information when I first do a kdestroy:

debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 192.168.120.11.
[6704] 1392801861.980120: Convert service host (service with host as instance) on host mail to principal
[6704] 1392801861.980665: Remote host after forward canonicalization: mail.weird-web-workers.org
[6704] 1392801861.980896: Remote host after reverse DNS processing: mail.weird-web-workers.org
[6704] 1392801861.980943: Got service principal host/mail.weird-web-workers.org@
[6704] 1392801861.981264: ccselect can't find appropriate cache for server principal host/mail.weird-web-workers.org@
[6704] 1392801861.981326: Getting credentials test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org@ using ccache FILE:/tmp/krb5cc_2000_GI0Wur
[6704] 1392801861.981400: Retrieving test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org@ from FILE:/tmp/krb5cc_2000_GI0Wur with result: -1765328243/Matching credential not found
[6704] 1392801861.981446: Retrying test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG with result: -1765328243/Matching credential not found
[6704] 1392801861.981462: Server has referral realm; starting with host/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG
[6704] 1392801861.981507: Retrieving test at WEIRD-WEB-WORKERS.ORG -> krbtgt/WEIRD-WEB-WORKERS.ORG at WEIRD-WEB-WORKERS.ORG from FILE:/tmp/krb5cc_2000_GI0Wur with result: 0/Success
[6704] 1392801861.981526: Starting with TGT for client realm: test at WEIRD-WEB-WORKERS.ORG -> krbtgt/WEIRD-WEB-WORKERS.ORG at WEIRD-WEB-WORKERS.ORG
[6704] 1392801861.981539: Requesting tickets for host/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG, referrals on
[6704] 1392801861.981577: Generated subkey for TGS request: rc4-hmac/FEEB
[6704] 1392801861.981611: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
[6704] 1392801861.981734: Encoding request body and padata into FAST request
[6704] 1392801861.981808: Sending request (1621 bytes) to WEIRD-WEB-WORKERS.ORG
[6704] 1392801861.981981: Initiating TCP connection to stream 192.168.120.16:88
[6704] 1392801861.982069: Sending TCP request to stream 192.168.120.16:88
[6704] 1392801861.985080: Received answer (1331 bytes) from stream 192.168.120.16:88
[6704] 1392801861.985152: Response was from master KDC
[6704] 1392801861.985176: Decoding FAST response
[6704] 1392801861.985241: TGS reply is for test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG with session key rc4-hmac/B163
[6704] 1392801861.985277: TGS request result: 0/Success
[6704] 1392801861.985288: Received creds for desired service host/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG
[6704] 1392801861.985304: Removing test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org@ from FILE:/tmp/krb5cc_2000_GI0Wur
[6704] 1392801861.985317: Storing test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org@ in FILE:/tmp/krb5cc_2000_GI0Wur
[6704] 1392801861.985390: Also storing test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG based on ticket
[6704] 1392801861.985406: Removing test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG from FILE:/tmp/krb5cc_2000_GI0Wur
[6704] 1392801861.985511: Creating authenticator for test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org@, seqnum 247961082, subkey rc4-hmac/DCBB, session key rc4-hmac/B163
[6704] 1392801861.985532: Negotiating for enctypes in authenticator: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
debug2: we sent a gssapi-with-mic packet, wait for reply
Connection closed by 192.168.120.11


But still I am not able to interpret this...
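As an added diagnostic aid (not code from the thread or from Samba), the script below reads a combined KRB5_TRACE and ssh -vvv transcript like the two above and reports which stage the GSSAPI authentication reached: the traces above show the client obtaining the host/ service ticket and building the authenticator before the server closes the connection, which points at the server's keytab or sshd GSSAPI setup rather than the client. The embedded sample trace is constructed with made-up host and realm names.

```python
import re

# Constructed sample, condensed from the kind of KRB5_TRACE / ssh -vvv output in
# the thread (not the poster's exact lines; host and realm names are made up).
SAMPLE_TRACE = """\
debug1: Next authentication method: gssapi-with-mic
[6704] 1392801861.980943: Got service principal host/mail.example.org@
[6704] 1392801861.981400: Retrieving test@EXAMPLE.ORG -> host/mail.example.org@ from FILE:/tmp/krb5cc_2000 with result: -1765328243/Matching credential not found
[6704] 1392801861.985277: TGS request result: 0/Success
[6704] 1392801861.985511: Creating authenticator for test@EXAMPLE.ORG -> host/mail.example.org@, seqnum 247961082, subkey rc4-hmac/DCBB, session key rc4-hmac/B163
debug2: we sent a gssapi-with-mic packet, wait for reply
Connection closed by 192.168.120.11
"""

SERVICE_PRINC = re.compile(r"Got service principal (\S+)")
TGS_RESULT = re.compile(r"TGS request result: (-?\d+)/(.*)")

def diagnose(trace: str) -> dict:
    """Walk the trace and report how far the client-side Kerberos/GSSAPI step got."""
    st = {"service": None, "tgs_error": None, "authenticator_built": False,
          "token_sent": False, "closed_by_server": False, "notes": []}
    for line in trace.splitlines():
        if m := SERVICE_PRINC.search(line):
            st["service"] = m.group(1)
            if m.group(1).endswith("@"):  # empty realm: client relies on KDC referrals
                st["notes"].append("service principal has empty realm (referral lookup)")
        if m := TGS_RESULT.search(line):
            if m.group(1) != "0":          # non-zero: the KDC refused the service ticket
                st["tgs_error"] = m.group(2)
        # A cache miss ("Matching credential not found") is normal: the client then
        # asks the KDC, so it is deliberately not recorded as an error.
        if "Creating authenticator for" in line:
            st["authenticator_built"] = True   # only happens once a service ticket is in hand
        if "we sent a gssapi-with-mic packet" in line:
            st["token_sent"] = True
        if line.startswith("Connection closed by"):
            st["closed_by_server"] = True
    if st["tgs_error"]:
        st["verdict"] = "kdc-refused"   # KDC would not issue the service ticket
    elif st["authenticator_built"] and st["token_sent"] and st["closed_by_server"]:
        # Ticket obtained and AP-REQ sent, then sshd dropped the connection:
        # look at the server keytab (host/FQDN entry, kvno, enctype) and sshd GSSAPI config.
        st["verdict"] = "server-side"
    elif st["token_sent"]:
        st["verdict"] = "unknown"       # token sent, but no clear server reaction in the trace
    else:
        st["verdict"] = "client-side"   # never got as far as sending a GSSAPI token
    return st
```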