[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?
Quinn Plattel
qiet72 at gmail.com
Mon Jul 9 07:12:29 MDT 2012
Hi,
I am doing some kerberos testing with samba4 using ssh. I have setup
samba4 using the howto at http://wiki.samba.org/index.php/Samba4/HOWTO and
active directory seems to be working both with Windows and Linux clients.
ssh unfortunately is not kerberos authenticating via GSSAPI. The client
krb5.conf contains this:
=====================================================
[libdefaults]
default_realm = MYDOMAIN.NET
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
dns_fallback = yes
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
MYDOMAIN.NET = {
kdc = cofil01.mydomain.net:88
default_domain = mydomain.net
}
[domain_realm]
.mydomain.net = MYDOMAIN.NET
mydomain.net = MYDOMAIN.NET
[login]
krb4_convert = true
krb4_get_tickets = false
====================================================
The server side krb5.conf contains this:
====================================================
[libdefaults]
default_realm = MYDOMAIN.NET
dns_lookup_realm = false
dns_lookup_kdc = true
====================================================
No kerberos errors shows up in "log.samba" on the server side even though
samba is started with "-d 5"
On the client side, I do a "kinit user" - it succeeds.
I then do a klist and it lists my current ticket for user.
Then I try "ssh -vvvl user cofil01.mydomain.net" , I get the following
lines:
====================================================
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
====================================================
"hostname -f" on the client reveals:
ubuntu-test.mydomain.net
I can both forward and reverse resolve cofil01.mydomain.net on the client
side.
Is it necessary to create a /etc/krb5.keytab file on the client in order
for ssh kerberos authentication to work?
--
br,
Quinn
More information about the samba
mailing list