samba4 success/failure report...all's working despite kerberized ssh

Georg Hopp georg at steffers.org
Sat Feb 22 10:10:08 MST 2014


Hi,

I found the solution for my openssh/gssapi problem.
I had UsePrivilegeSeparation set to sandbox, which seems to be the
default with new gentoo installations, and it does not work
with gssapi authentication.

I switched it to no, to do some debugging on sshd itself, and
could log on without any problem. Then I switched it to yes and
it still works. I guess that sandbox does some kind of chroot
which then prevents gssapi from reading the krb5.keytab file.

I will report that to openssh; maybe it could be fixed by
initializing the gssapi before the sandbox is applied, or at least
sshd should give a message when in debug mode that this
combination does not work.

I will also write a report to gentoo, so that they can add this
fact to their sshd and kerberos documentation.

Thanks again for the fast help. Now I have everything working
as I wanted. Well, despite the fact that I am still not able
to get IPv6 reverse lookups working with the samba integrated
DNS server.

best regards
   Georg Hopp


On Tue, Feb 18, 2014 at 01:13:53PM +0000, Georg Hopp wrote:
> Hi,
> 
> this is my success and failure report of installing samba 4.1.4
> as an account management and authentication system for a heterogeneous
> computer network consisting of linux servers and linux/windows
> user workstations.
> 
> The linux systems run under an up to date gentoo and the one windows
> machine is a Windows7 professional.
> 
> All these machines are bridged to the same network.  Some are connected
> via openvpn. Currently these run on a dual stack IPv4 and IPv6.
> In this report I focus on the samba machine (DC), the Windows machine
> and two further linux machines (www and mail).
> 
> First I created a dedicated machine for the DC. Then I installed samba
> using portage and followed the instructions on
> 
> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO.
> 
> I use the internal samba DNS as this was the easiest solution for the
> moment. The installation worked without any trouble at all. I was able
> to add the windows machine to the domain.
> I installed the Windows Remote Administration Tools on the Windows machine
> and added a user test as well as some linux machines (www and mail) with them.
> I also configured the DNS entries for these linux machines.
> 
> Here is the current domain configuration:
> 
> Forest           : weird-web-workers.org
> Domain           : weird-web-workers.org
> Netbios domain   : WWWORKERS
> DC name          : samba.weird-web-workers.org
> DC netbios name  : SAMBA
> Server site      : Default-First-Site-Name
> Client site      : Default-First-Site-Name
> 
> The next goal was to be able to log into the linux machines with this
> test user.
> 
> I followed the instructions under
> 
> https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
> 
> First I only managed to use plain ldap authentication until I realized that
> I need a kerberized openldap to get the kerberized LDAP authentication
> working. This seems to be a flaw with the gentoo linux sssd useflags.
> After I added kerberos support to my openldap installation everything worked
> as described on that page.
> 
> Now I wanted to use the samba4 as a KDC for kerberized ssh authentication
> (with a TGT). I am not very experienced with kerberos at all and I still
> haven't got it working.
> 
> Anyway here are the things I did:
> 
> - export a keytab for the principals mail$, MAIL$, host/mail, HOST/mail,
>   host/mail.weird-web-workers.org and HOST/mail.weird-web-workers.org
>   and saved it as /etc/krb5.keytab on mail.
> - the same for www.
> - make sure openssh is built with kerberos support on both mail and www.
> - add the following configuration options to sshd_config on both hosts:
>    * KerberosAuthentication yes
>    * KerberosTicketCleanup yes
>    * GSSAPIAuthentication yes
>    * GSSAPICleanupCredentials yes
>    * UseDNS yes
> - add the following configuration options to ssh_config on both hosts:
>    * RSAAuthentication yes
>    * PasswordAuthentication yes
>    * GSSAPITrustDns yes
> - add "kerberos method = secrets and keytab" to the DC smb.conf
> - reload samba config on DC and restart sshd on www and mail
> 
> Another note... samba, www and mail are lxc containers on the same host.
> So the time on them is in perfect sync.
> Also I am able to forward and reverse lookup each of them from each of
> them. They all use the samba DNS for name resolving.
> 
> Next I log in from my workstation to www as the user test. The login
> succeeds and I have a TGT afterwards.
> 
> Ticket cache: FILE:/tmp/krb5cc_2000_Nc0h9d
> Default principal: test@WEIRD-WEB-WORKERS.ORG
> 
> Valid starting       Expires              Service principal
> 02/18/2014 13:42:07  02/18/2014 23:42:07  krbtgt/WEIRD-WEB-WORKERS.ORG@WEIRD-WEB-WORKERS.ORG
> 	renew until 02/19/2014 13:42:07
> 
> This ticket renews with every login from my workstation. But when I now try
> to ssh into mail I get a strange behaviour. It seems that the sshd on
> mail simply stops...
> 
> Here is the output of /usr/sbin/sshd -ddd -p 2222:
> 
> debug3: fd 5 is not O_NONBLOCK
> debug1: Server will not fork when running in debugging mode.
> debug3: send_rexec_state: entering fd = 8 config len 446
> debug3: ssh_msg_send: type 0
> debug3: send_rexec_state: done
> debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
> debug1: inetd sockets after dupping: 3, 3
> Connection from 2001:4ba0:ffff:138:1::120 port 59012
> debug1: HPN Disabled: 0, HPN Buffer Size: 87380
> debug1: Client protocol version 2.0; client software version OpenSSH_6.4p1-hpn14v2
> SSH: Server;Ltype: Version;Remote: 2001:4ba0:ffff:138:1::120-59012;Protocol: 2.0;Client: OpenSSH_6.4p1-hpn14v2
> debug1: match: OpenSSH_6.4p1-hpn14v2 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_6.4p1-hpn14v2
> debug2: fd 3 setting O_NONBLOCK
> debug3: ssh_sandbox_init: preparing seccomp filter sandbox
> debug2: Network child is on pid 1117
> debug3: preauth child monitor started
> debug3: privsep user:group 22:22 [preauth]
> debug1: permanently_set_uid: 22/22 [preauth]
> debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
> debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
> debug1: MYFLAG IS 1 [preauth]
> debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
> debug1: SSH2_MSG_KEXINIT sent [preauth]
> debug1: SSH2_MSG_KEXINIT received [preauth]
> debug1: AUTH STATE IS 0 [preauth]
> debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
> debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
> debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
> debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
> debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
> debug2: kex_parse_kexinit:  [preauth]
> debug2: kex_parse_kexinit:  [preauth]
> debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
> debug2: kex_parse_kexinit: reserved 0  [preauth]
> debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
> debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
> debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
> debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
> debug2: kex_parse_kexinit:  [preauth]
> debug2: kex_parse_kexinit:  [preauth]
> debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
> debug2: kex_parse_kexinit: reserved 0  [preauth]
> debug2: mac_setup: found hmac-md5-etm @ openssh.com [preauth]
> debug1: REQUESTED ENC.NAME is 'aes128-ctr' [preauth]
> debug1: kex: client->server aes128-ctr hmac-md5-etm @ openssh.com none [preauth]
> SSH: Server;Ltype: Kex;Remote: 2001:4ba0:ffff:138:1::120-59012;Enc: aes128-ctr;MAC: hmac-md5-etm @ openssh.com;Comp: none [preauth]
> debug2: mac_setup: found hmac-md5-etm @ openssh.com [preauth]
> debug1: REQUESTED ENC.NAME is 'aes128-ctr' [preauth]
> debug1: kex: server->client aes128-ctr hmac-md5-etm @ openssh.com none [preauth]
> debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
> debug3: mm_key_sign entering [preauth]
> debug3: mm_request_send entering: type 6 [preauth]
> debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
> debug3: mm_request_receive_expect entering: type 7 [preauth]
> debug3: mm_request_receive entering [preauth]
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 6
> debug3: mm_answer_sign
> debug3: mm_answer_sign: signature 0xe5ca1f6cb20(99)
> debug3: mm_request_send entering: type 7
> debug2: monitor_read: 6 used once, disabling now
> debug2: kex_derive_keys [preauth]
> debug2: set_newkeys: mode 1 [preauth]
> debug1: SSH2_MSG_NEWKEYS sent [preauth]
> debug1: expecting SSH2_MSG_NEWKEYS [preauth]
> debug2: set_newkeys: mode 0 [preauth]
> debug1: SSH2_MSG_NEWKEYS received [preauth]
> debug1: KEX done [preauth]
> debug1: userauth-request for user test service ssh-connection method none [preauth]
> SSH: Server;Ltype: Authname;Remote: 2001:4ba0:ffff:138:1::120-59012;Name: test [preauth]
> debug1: attempt 0 failures 0 [preauth]
> debug3: mm_getpwnamallow entering [preauth]
> debug3: mm_request_send entering: type 8 [preauth]
> debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
> debug3: mm_request_receive_expect entering: type 9 [preauth]
> debug3: mm_request_receive entering [preauth]
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 8
> debug3: mm_answer_pwnamallow
> debug3: Trying to reverse map address 2001:4ba0:ffff:138:1::120.
> debug2: parse_server_config: config reprocess config len 446
> debug1: Config token is loglevel
> debug1: Config token is passwordauthentication
> debug1: Config token is kerberosauthentication
> debug1: Config token is kerberosticketcleanup
> debug1: Config token is gssapiauthentication
> debug1: Config token is gssapicleanupcredentials
> debug1: Config token is usepam
> debug1: Config token is printmotd
> debug1: Config token is printlastlog
> debug1: Config token is useprivilegeseparation
> debug1: Config token is usedns
> debug1: Config token is subsystem
> debug1: Config token is acceptenv
> debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
> debug3: mm_request_send entering: type 9
> debug2: monitor_read: 8 used once, disabling now
> debug2: input_userauth_request: setting up authctxt for test [preauth]
> debug3: mm_start_pam entering [preauth]
> debug3: mm_request_send entering: type 100 [preauth]
> debug3: mm_inform_authserv entering [preauth]
> debug3: mm_request_send entering: type 4 [preauth]
> debug2: input_userauth_request: try method none [preauth]
> debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-with-mic,keyboard-interactive" [preauth]
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 100
> debug1: PAM: initializing for "test"
> debug1: PAM: setting PAM_RHOST to "2001:4ba0:ffff:138:1::120"
> debug1: PAM: setting PAM_TTY to "ssh"
> debug2: monitor_read: 100 used once, disabling now
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 4
> debug3: mm_answer_authserv: service=ssh-connection, style=
> debug2: monitor_read: 4 used once, disabling now
> debug1: userauth-request for user test service ssh-connection method gssapi-with-mic [preauth]
> debug1: attempt 1 failures 0 [preauth]
> debug2: input_userauth_request: try method gssapi-with-mic [preauth]
> debug3: mm_request_receive entering
> debug1: do_cleanup
> debug1: PAM: cleanup
> debug3: PAM: sshpam_thread_cleanup entering
> debug1: Killing privsep child 1117
> 
> And here is the output of ssh -vvv -p 2222 mail:
> 
> OpenSSH_6.4, OpenSSL 1.0.1f 6 Jan 2014
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 20: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to mail [2001:4ba0:ffff:138:1::110] port 2222.
> debug1: Connection established.
> debug1: identity file /home/test/.ssh/id_rsa type -1
> debug1: identity file /home/test/.ssh/id_rsa-cert type -1
> debug1: identity file /home/test/.ssh/id_dsa type -1
> debug1: identity file /home/test/.ssh/id_dsa-cert type -1
> debug1: identity file /home/test/.ssh/id_ecdsa type -1
> debug1: identity file /home/test/.ssh/id_ecdsa-cert type -1
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_6.4p1-hpn14v2
> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.4p1-hpn14v2
> debug1: match: OpenSSH_6.4p1-hpn14v2 pat OpenSSH*
> debug2: fd 6 setting O_NONBLOCK
> debug3: put_host_port: [mail]:2222
> debug3: load_hostkeys: loading entries for host "[mail]:2222" from file "/home/test/.ssh/known_hosts"
> debug3: load_hostkeys: loaded 0 keys
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: AUTH STATE IS 0
> debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: first_kex_follows 0 
> debug2: kex_parse_kexinit: reserved 0 
> debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: first_kex_follows 0 
> debug2: kex_parse_kexinit: reserved 0 
> debug2: mac_setup: found hmac-md5-etm@openssh.com
> debug1: REQUESTED ENC.NAME is 'aes128-ctr'
> debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
> debug2: mac_setup: found hmac-md5-etm@openssh.com
> debug1: REQUESTED ENC.NAME is 'aes128-ctr'
> debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
> debug1: sending SSH2_MSG_KEX_ECDH_INIT
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug1: Server host key: ECDSA c4:8d:ac:f8:b5:40:93:74:28:22:b4:92:a1:83:c4:4f
> debug3: put_host_port: [2001:4ba0:ffff:138:1::110]:2222
> debug3: put_host_port: [mail]:2222
> debug3: load_hostkeys: loading entries for host "[mail]:2222" from file "/home/test/.ssh/known_hosts"
> debug3: load_hostkeys: loaded 0 keys
> debug3: load_hostkeys: loading entries for host "[2001:4ba0:ffff:138:1::110]:2222" from file "/home/test/.ssh/known_hosts"
> debug3: load_hostkeys: loaded 0 keys
> debug1: checking without port identifier
> debug3: load_hostkeys: loading entries for host "mail" from file "/home/test/.ssh/known_hosts"
> debug3: load_hostkeys: found key type ECDSA in file /home/test/.ssh/known_hosts:2
> debug3: load_hostkeys: loaded 1 keys
> debug3: load_hostkeys: loading entries for host "2001:4ba0:ffff:138:1::110" from file "/home/test/.ssh/known_hosts"
> debug3: load_hostkeys: found key type ECDSA in file /home/test/.ssh/known_hosts:2
> debug3: load_hostkeys: loaded 1 keys
> debug1: Host 'mail' is known and matches the ECDSA host key.
> debug1: Found key in /home/test/.ssh/known_hosts:2
> debug1: found matching key w/out port
> debug1: ssh_ecdsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/test/.ssh/id_rsa ((nil)),
> debug2: key: /home/test/.ssh/id_dsa ((nil)),
> debug2: key: /home/test/.ssh/id_ecdsa ((nil)),
> debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
> debug3: start over, passed a different list publickey,gssapi-with-mic,keyboard-interactive
> debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug3: Trying to reverse map address 2001:4ba0:ffff:138:1::110.
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Server not found in Kerberos database
> 
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Server not found in Kerberos database
> 
> debug1: Unspecified GSS failure.  Minor code may provide more information
> 
> 
> debug2: we sent a gssapi-with-mic packet, wait for reply
> Connection closed by 2001:4ba0:ffff:138:1::110
> 
> 
> There seems to be a problem when identifying the servers against the
> KDC database, but that is only guessing... as I said I am not very
> familiar with kerberos at all.
> 
> Perhaps someone here can give me a hint about what I am doing wrong.
> 
> best regards
>    Georg Hopp
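The configuration the thread ends up blaming, GSSAPIAuthentication yes together with UsePrivilegeSeparation sandbox, can be caught before the next sshd restart by reading the config the way sshd does: keywords are case-insensitive, `#` starts a comment, and the first value given for a keyword is the one that counts. The POSIX shell script below is an added example and not code from this thread, from OpenSSH or from Samba; the function names `sshd_effective`, `check_gssapi_sandbox` and `write_sample` are the example's own, the sample configs it writes are constructed, and it assumes plain `Keyword value` lines in the global section (it stops at the first `Match` block rather than evaluating it).

```shell
#!/bin/sh
# Added example, not from the thread: flag the sshd_config combination
# reported above (GSSAPIAuthentication yes + UsePrivilegeSeparation sandbox).
# Assumes plain "Keyword value" lines; sshd keeps the first value it reads
# for a keyword, so this does the same.

# sshd_effective KEYWORD FILE: print the first value set for KEYWORD
# (lowercased), looking only at the global section before any Match block.
sshd_effective() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        { sub(/#.*/, "") }                  # drop comments (re-splits the fields)
        NF == 0 { next }                    # skip blank lines
        tolower($1) == "match" { exit }     # assumption: only the global section matters here
        tolower($1) == key { print tolower($2); exit }   # first occurrence wins, as in sshd
    ' "$2"
}

# check_gssapi_sandbox FILE: print OK, BROKEN or UNKNOWN and return 0, 1 or 2.
# UNKNOWN means UsePrivilegeSeparation is not set, so the compiled-in default
# decides; the poster reports that new Gentoo installs default to sandbox.
check_gssapi_sandbox() {
    gss=$(sshd_effective GSSAPIAuthentication "$1")
    priv=$(sshd_effective UsePrivilegeSeparation "$1")
    if [ "$gss" != "yes" ]; then
        echo OK; return 0                   # no GSSAPI, so the sandbox does not matter
    fi
    case "$priv" in
        sandbox) echo BROKEN; return 1 ;;
        yes|no)  echo OK; return 0 ;;
        *)       echo UNKNOWN; return 2 ;;
    esac
}

# write_sample MODE FILE: write a constructed sshd_config to FILE.
# MODE is sandbox, yes, unset or nogss.
write_sample() {
    {
        echo "# constructed sample sshd_config, not the poster's file"
        echo "KerberosAuthentication yes"
        [ "$1" = nogss ] || echo "GSSAPIAuthentication yes   # trailing comment"
        echo "GSSAPICleanupCredentials yes"
        case "$1" in
            sandbox) echo "useprivilegeseparation SANDBOX"   # keyword and value case vary
                     echo "UsePrivilegeSeparation no   # ignored: sshd keeps the first value" ;;
            yes)     echo "UsePrivilegeSeparation yes" ;;
        esac
        echo "UseDNS yes"
    } > "$2"
}

# Stand-alone demo over the four constructed samples.
tmp=$(mktemp -d)
for mode in sandbox yes unset nogss; do
    write_sample "$mode" "$tmp/sshd_config.$mode"
    printf '%s: %s\n' "$mode" "$(check_gssapi_sandbox "$tmp/sshd_config.$mode")"
done
rm -rf "$tmp"
```

Run against a real file with `check_gssapi_sandbox /etc/ssh/sshd_config`; the return code (0, 1 or 2) makes it usable from a deployment check. It inspects the configuration only: whether the host principals actually landed in /etc/krb5.keytab is a separate check (`klist -k /etc/krb5.keytab` with MIT Kerberos), and the "Server not found in Kerberos database" lines in the client log above are what that check would have caught.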

