[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?

Quinn Plattel qiet72 at gmail.com
Mon Jul 9 07:12:29 MDT 2012


Hi,

I am doing some Kerberos testing with samba4 using ssh.  I have set up
samba4 using the howto at http://wiki.samba.org/index.php/Samba4/HOWTO and
Active Directory seems to be working with both Windows and Linux clients.
ssh unfortunately is not Kerberos-authenticating via GSSAPI.  The client
krb5.conf contains this:

=====================================================
[libdefaults]
    default_realm = MYDOMAIN.NET

    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    dns_fallback = yes
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    MYDOMAIN.NET = {
        kdc = cofil01.mydomain.net:88
        default_domain = mydomain.net
    }

[domain_realm]
    .mydomain.net = MYDOMAIN.NET
    mydomain.net = MYDOMAIN.NET

[login]
    krb4_convert = true
    krb4_get_tickets = false
====================================================

The server side krb5.conf contains this:
====================================================
[libdefaults]
    default_realm = MYDOMAIN.NET
    dns_lookup_realm = false
    dns_lookup_kdc = true
====================================================

No Kerberos errors show up in "log.samba" on the server side, even though
samba is started with "-d 5".
On the client side, I do a "kinit user" - it succeeds.
I then do a klist and it lists my current ticket for user.
Then I try "ssh -vvvl user cofil01.mydomain.net", and I get the following
lines:

====================================================
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
====================================================

"hostname -f" on the client reveals:
ubuntu-test.mydomain.net

I can both forward and reverse resolve cofil01.mydomain.net on the client
side.
Is it necessary to create a /etc/krb5.keytab file on the client in order
for ssh kerberos authentication to work?


-- 
br,
Quinn
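As an added example (not part of the post, and not Samba's or OpenSSH's own code): the checks a practitioner would run against the material in this message before touching keytabs. The ssh client never needs /etc/krb5.keytab; it only needs a TGT in its credential cache, from which it requests a service ticket for host/<fqdn>@<REALM>. The host that runs sshd is the one that needs that principal's key in its keytab. The script below derives that principal from the posted client krb5.conf the same way libkrb5 walks [domain_realm], flags the DES and RC4 enctypes the config pins, and reads the posted ssh -vvv lines: a "we sent a gssapi-with-mic packet" line means the client already had a token (so it did obtain the service ticket), and each following "Authentications that can continue" is the server's rejection of that token. The krb5.conf and trace embedded here are copied from the post; the parser is a minimal one written for this example, not libkrb5's profile library.

```python
import re

# Constructed input for this example: the client krb5.conf from the post,
# trimmed to the sections the checks below consult.
CLIENT_KRB5_CONF = """
[libdefaults]
    default_realm = MYDOMAIN.NET
    dns_fallback = yes
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

[realms]
    MYDOMAIN.NET = {
        kdc = cofil01.mydomain.net:88
        default_domain = mydomain.net
    }

[domain_realm]
    .mydomain.net = MYDOMAIN.NET
    mydomain.net = MYDOMAIN.NET
"""

# Constructed input: the ssh -vvv lines from the post (wrapped lines rejoined).
SSH_TRACE = """\
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; a key whose value is
    '{' opens a nested dict, as the profile syntax in [realms] etc. allows."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
        elif not stack:
            continue                      # text before the first section
        elif line == "}":
            if len(stack) > 1:
                stack.pop()
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return sections


def realm_for_host(conf, host):
    """Map host -> realm the way libkrb5 consults [domain_realm]: exact host
    first, then each parent domain with a leading dot, then default_realm."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf.get("libdefaults", {}).get("default_realm")


def service_principal(conf, host):
    """The principal the ssh client asks the KDC for. Only the sshd host needs
    this key in its keytab; the client side needs just a TGT in its ccache."""
    return f"host/{host.lower().rstrip('.')}@{realm_for_host(conf, host)}"


def weak_enctypes(conf):
    """Return {setting: [enctype, ...]} for DES and RC4 entries. libkrb5 refuses
    DES unless allow_weak_crypto = true; RC4 (arcfour) works but is deprecated."""
    out = {}
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        listed = conf.get("libdefaults", {}).get(key, "").split()
        bad = [e for e in listed if e.startswith(("des-", "arcfour", "rc4"))]
        if bad:
            out[key] = bad
    return out


def classify_ssh_trace(trace):
    """Interpret the client's GSSAPI debug lines. Returns (tokens_sent, verdict):
    no token sent means the client failed before talking to sshd (ccache, DNS,
    realm mapping); tokens sent and each answered by 'Authentications that can
    continue' means sshd rejected them (typically no usable host key in its keytab)."""
    lines = trace.splitlines()
    sent = sum("we sent a gssapi-with-mic packet" in l for l in lines)
    if sent == 0:
        return sent, "client-failed"
    rejected = sum("Authentications that can continue" in l for l in lines)
    return sent, "server-rejected" if rejected >= sent else "partially-accepted"


if __name__ == "__main__":
    conf = parse_krb5_conf(CLIENT_KRB5_CONF)
    print("service principal sshd must hold:", service_principal(conf, "cofil01.mydomain.net"))
    print("weak enctypes pinned on the client:", weak_enctypes(conf))
    print("ssh trace verdict:", classify_ssh_trace(SSH_TRACE))
```

For the posted config this resolves to host/cofil01.mydomain.net@MYDOMAIN.NET, so the next thing to confirm is that the keytab on cofil01 (the sshd side here) actually contains that principal, for instance with klist -k on that host; on a Samba 4 DC, samba-tool domain exportkeytab can write it. The enctype check is a separate caveat: pinning DES in default_tkt_enctypes/default_tgs_enctypes is not what causes the rejection in the trace, but a client or KDC built with allow_weak_crypto = false (the default in MIT krb5 1.8 and later) will quietly ignore those entries.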

