samba4 success/failure report...all's working despite kerberized ssh

Sumit Bose sbose at redhat.com
Wed Feb 19 03:50:59 MST 2014


On Wed, Feb 19, 2014 at 09:28:16AM +0000, Georg Hopp wrote:
> On Wed, Feb 19, 2014 at 09:15:33AM +0000, Georg Hopp wrote:
> > On Wed, Feb 19, 2014 at 09:48:01AM +0100, Sumit Bose wrote:
> > > did you remove the old keytab on mail before joining? Because typically
> > > only new entries are added to a keytab but old ones are rarely removed.
> > > Additionally I'm not sure if sshd looks for keytab entries starting with
> > > HOST/... as well or only for host/...?
> > > 
> > > If you are using a recent MIT Kerberos version on the client you might
> > > want to try
> > > 
> > > KRB5_TRACE=/dev/stdout ssh -vvv -4 -p 2222 mail.weird-web-workers.org
> > > 
> > > which might give more details about what libkrb5 on the client tries to
> > > do.
> > > 
> > > bye,
> > > Sumit
> > > 
> > 
> > KRB5_TRACE=/dev/stdout ssh -vvv -4 -p 2222 mail.weird-web-workers.org
> > shows the following additional information:
> > 
> > debug1: Next authentication method: gssapi-with-mic
> > debug3: Trying to reverse map address 192.168.120.11.
> > [6627] 1392800690.87546: Convert service host (service with host as instance) on host mail to principal
> > [6627] 1392800690.88107: Remote host after forward canonicalization: mail.weird-web-workers.org
> > [6627] 1392800690.88338: Remote host after reverse DNS processing: mail.weird-web-workers.org
> > [6627] 1392800690.88369: Got service principal host/mail.weird-web-workers.org@
> > [6627] 1392800690.88654: ccselect can't find appropriate cache for server principal host/mail.weird-web-workers.org@
> > [6627] 1392800690.88715: Getting credentials test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org@ using ccache FILE:/tmp/krb5cc_2000_AcQLHy
> > [6627] 1392800690.88787: Retrieving test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org@ from FILE:/tmp/krb5cc_2000_AcQLHy with result: 0/Success
> > [6627] 1392800690.88859: Creating authenticator for test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org@, seqnum 336746704, subkey rc4-hmac/3121, session key rc4-hmac/C24B
> > [6627] 1392800690.88875: Negotiating for enctypes in authenticator: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > Connection closed by 192.168.120.11
> > 
> > klist on www after ssh shows:
> > 
> > Ticket cache: FILE:/tmp/krb5cc_2000_AcQLHy
> > Default principal: test at WEIRD-WEB-WORKERS.ORG
> > 
> > Valid starting       Expires              Service principal
> > 02/19/2014 09:23:48  02/19/2014 19:23:48  krbtgt/WEIRD-WEB-WORKERS.ORG at WEIRD-WEB-WORKERS.ORG
> > 	renew until 02/20/2014 09:23:48
> > 02/19/2014 09:24:19  02/19/2014 19:23:48  host/mail.weird-web-workers.org@
> > 	renew until 02/20/2014 09:23:48
> > 02/19/2014 09:24:19  02/19/2014 19:23:48  host/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG
> > 	renew until 02/20/2014 09:23:48
> > 
> > I am not sure how to interpret this...
> > 
> > 
> > best regards
> >    Georg
> > 
> 
> Even some more information when I first do a kdestroy:
> 
> debug1: Next authentication method: gssapi-with-mic
> debug3: Trying to reverse map address 192.168.120.11.
> [6704] 1392801861.980120: Convert service host (service with host as instance) on host mail to principal
> [6704] 1392801861.980665: Remote host after forward canonicalization: mail.weird-web-workers.org
> [6704] 1392801861.980896: Remote host after reverse DNS processing: mail.weird-web-workers.org
> [6704] 1392801861.980943: Got service principal host/mail.weird-web-workers.org@
> [6704] 1392801861.981264: ccselect can't find appropriate cache for server principal host/mail.weird-web-workers.org@
> [6704] 1392801861.981326: Getting credentials test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org@ using ccache FILE:/tmp/krb5cc_2000_GI0Wur
> [6704] 1392801861.981400: Retrieving test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org@ from FILE:/tmp/krb5cc_2000_GI0Wur with result: -1765328243/Matching credential not found
> [6704] 1392801861.981446: Retrying test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG with result: -1765328243/Matching credential not found
> [6704] 1392801861.981462: Server has referral realm; starting with host/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG
> [6704] 1392801861.981507: Retrieving test at WEIRD-WEB-WORKERS.ORG -> krbtgt/WEIRD-WEB-WORKERS.ORG at WEIRD-WEB-WORKERS.ORG from FILE:/tmp/krb5cc_2000_GI0Wur with result: 0/Success
> [6704] 1392801861.981526: Starting with TGT for client realm: test at WEIRD-WEB-WORKERS.ORG -> krbtgt/WEIRD-WEB-WORKERS.ORG at WEIRD-WEB-WORKERS.ORG
> [6704] 1392801861.981539: Requesting tickets for host/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG, referrals on
> [6704] 1392801861.981577: Generated subkey for TGS request: rc4-hmac/FEEB
> [6704] 1392801861.981611: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
> [6704] 1392801861.981734: Encoding request body and padata into FAST request
> [6704] 1392801861.981808: Sending request (1621 bytes) to WEIRD-WEB-WORKERS.ORG
> [6704] 1392801861.981981: Initiating TCP connection to stream 192.168.120.16:88
> [6704] 1392801861.982069: Sending TCP request to stream 192.168.120.16:88
> [6704] 1392801861.985080: Received answer (1331 bytes) from stream 192.168.120.16:88
> [6704] 1392801861.985152: Response was from master KDC
> [6704] 1392801861.985176: Decoding FAST response
> [6704] 1392801861.985241: TGS reply is for test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG with session key rc4-hmac/B163
> [6704] 1392801861.985277: TGS request result: 0/Success
> [6704] 1392801861.985288: Received creds for desired service host/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG
> [6704] 1392801861.985304: Removing test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org@ from FILE:/tmp/krb5cc_2000_GI0Wur
> [6704] 1392801861.985317: Storing test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org@ in FILE:/tmp/krb5cc_2000_GI0Wur
> [6704] 1392801861.985390: Also storing test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG based on ticket
> [6704] 1392801861.985406: Removing test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org at WEIRD-WEB-WORKERS.ORG from FILE:/tmp/krb5cc_2000_GI0Wur
> [6704] 1392801861.985511: Creating authenticator for test at WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org@, seqnum 247961082, subkey rc4-hmac/DCBB, session key rc4-hmac/B163
> [6704] 1392801861.985532: Negotiating for enctypes in authenticator: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
> debug2: we sent a gssapi-with-mic packet, wait for reply
> Connection closed by 192.168.120.11
> 
> 
> But still I am not able to interpret this...

This looks all good; the additional output after kdestroy is due to the
fact that the TGT must be requested here too.

Can you run sshd on mail with KRB5_TRACE as well?

bye,
Sumit
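A small helper for reading the client-side traces quoted above, added here as an example and not part of the thread or of MIT Kerberos: it reduces a KRB5_TRACE log to whether the service ticket came out of the ccache or had to be fetched from the KDC with the TGT, which is exactly the difference between the two runs. The sample input is constructed from the quoted trace (abridged; the archive's " at " is restored to "@").

```python
import re

# Constructed samples modelled on the KRB5_TRACE output quoted in the thread
# (abridged; the list archive renders "@" as " at ", restored here).
TRACE_CACHED = """\
[6627] 1392800690.88369: Got service principal host/mail.weird-web-workers.org@
[6627] 1392800690.88715: Getting credentials test@WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org@ using ccache FILE:/tmp/krb5cc_2000_AcQLHy
[6627] 1392800690.88787: Retrieving test@WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org@ from FILE:/tmp/krb5cc_2000_AcQLHy with result: 0/Success
debug2: we sent a gssapi-with-mic packet, wait for reply
"""

TRACE_AFTER_KDESTROY = """\
[6704] 1392801861.980943: Got service principal host/mail.weird-web-workers.org@
[6704] 1392801861.981326: Getting credentials test@WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org@ using ccache FILE:/tmp/krb5cc_2000_GI0Wur
[6704] 1392801861.981400: Retrieving test@WEIRD-WEB-WORKERS.ORG -> host/mail.weird-web-workers.org@ from FILE:/tmp/krb5cc_2000_GI0Wur with result: -1765328243/Matching credential not found
[6704] 1392801861.981462: Server has referral realm; starting with host/mail.weird-web-workers.org@WEIRD-WEB-WORKERS.ORG
[6704] 1392801861.981507: Retrieving test@WEIRD-WEB-WORKERS.ORG -> krbtgt/WEIRD-WEB-WORKERS.ORG@WEIRD-WEB-WORKERS.ORG from FILE:/tmp/krb5cc_2000_GI0Wur with result: 0/Success
[6704] 1392801861.982069: Sending TCP request to stream 192.168.120.16:88
[6704] 1392801861.985277: TGS request result: 0/Success
"""

EVENT = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")       # [pid] timestamp: message
RESULT = re.compile(r" with result: (-?\d+)/(.+)$")        # krb5 error code / text

def parse_trace(text):
    # (pid, timestamp, message) for libkrb5 lines; ssh "debugN:" lines do not match and are dropped
    return [(int(m.group(1)), float(m.group(2)), m.group(3))
            for m in map(EVENT.match, text.splitlines()) if m]

def summarize(text):
    """Reduce a client-side trace to the facts that matter when sshd drops the connection."""
    s = {"service": None, "ccache": None, "from_ccache": False,
         "kdc": None, "tgs_result": None, "errors": []}
    for _, _, msg in parse_trace(text):
        if msg.startswith("Got service principal "):
            s["service"] = msg.rsplit(" ", 1)[1]
        elif " using ccache " in msg:
            s["ccache"] = msg.split(" using ccache ", 1)[1]
        elif msg.startswith(("Retrieving ", "Retrying ")):
            r = RESULT.search(msg)
            if r and r.group(1) != "0":
                s["errors"].append(r.group(2))
            elif r and "-> krbtgt/" not in msg:    # a TGT hit is not a service-ticket hit
                s["from_ccache"] = True
        elif msg.startswith("Sending TCP request to stream "):
            s["kdc"] = msg.rsplit(" ", 1)[1]
        elif msg.startswith("TGS request result: "):
            s["tgs_result"] = msg.split(": ", 1)[1]
    # Either way the client ended up holding a service ticket, so a rejection after the
    # gssapi-with-mic packet has to be diagnosed on the server (sshd trace, keytab contents).
    s["client_ok"] = s["from_ccache"] or s["tgs_result"] == "0/Success"
    return s
```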