samba4 success/failure report...all's working despite kerberized ssh

Georg Hopp georg at
Thu Feb 20 02:46:38 MST 2014

On Wed, Feb 19, 2014 at 12:09:32PM +0000, Georg Hopp wrote:
> On Wed, Feb 19, 2014 at 11:50:59AM +0100, Sumit Bose wrote:
> > 
> > This looks all good, the additional output after kdestroy is due to the
> > fact that the TGT must be requested here too.
> > 
> > Can you run sshd on mail with KRB5_TRACE as well?
> > 
> > bye,
> > Sumit
> > 
> KRB5_TRACE=/dev/stdout /usr/sbin/sshd -ddd -p 2222
> I am sorry, this does not reveal any new messages...
> but I think kerberos authentication is active:

OK, I have no more ideas...

I also added a .k5login file in the user's homedir on the server.
Content was only one line:


But this hasn't helped either. If I understand the use of .k5login
correctly, its purpose is for mappings if the username within the
directory is not the same as on the system, e.g. if I want to
let test log into an account foo on the system.

To summarize:

- The user is configured in samba4 ldap (no local user)
- Not using gssapi and using password challenge works.
   * It does not matter if I deactivate gssapi in the client or server,
     as soon as it is deactivated I get a password challenge and can
     log in.
- As soon as client and server are configured to use gssapi the server
  closes the connection when it should process the gssapi-with-mic

Hmm, this gssapi-with-mic packet should be traceable...
I could send in a tcpdump if that would be of any help but I
don't know what options to use for it to generate useful output.

Can anyone help me with this...

best regards
