samba4 success/failure report...all's working despite kerberized ssh
Georg Hopp
georg at steffers.org
Thu Feb 20 02:46:38 MST 2014
On Wed, Feb 19, 2014 at 12:09:32PM +0000, Georg Hopp wrote:
> On Wed, Feb 19, 2014 at 11:50:59AM +0100, Sumit Bose wrote:
> >
> > This looks all good, the additional output after kdestroy is due to the
> > fact that the TGT must be requested here too.
> >
> > Can you run sshd on mail with KRB5_TRACE as well?
> >
> > bye,
> > Sumit
> >
>
> KRB5_TRACE=/dev/stdout /usr/sbin/sshd -ddd -p 2222
>
> I am sorry, this does not reveal any new messages...
>
> but I think kerberos authentication is active:

OK, I have no more ideas...

I also added a .k5login file in the user's homedir on the server.
Content was only one line:

test at WEIRD-WEB-WORKERS.ORG

But this hasn't helped either. If I understand the use of .k5login
correctly, its purpose is for mappings if the username within the
directory is not the same as on the system, e.g. if I want to
let test log into an account foo on the system.

To summarize:

- The user is configured in samba4 ldap (no local user)
- Not using gssapi and using password challenge works.
  * It does not matter if I deactivate gssapi in the client or server,
    as soon as it is deactivated I get a password challenge and can
    log in.
- As soon as client and server are configured to use gssapi the server
  closes the connection when it should process the gssapi-with-mic
  package.

Hmm, this gssapi-with-mic packet should be traceable...
I could send in a tcpdump if that would be of any help but I
don't know what options to use for it to generate useful output.

Can anyone help me with this...

best regards
Georg