[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?
Quinn Plattel
qiet72 at gmail.com
Mon Jul 9 07:16:38 MDT 2012
Hi,
Forgot to mention that the client side's ssh configuration
(/etc/ssh/ssh_config) has the following lines:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPITrustDns yes
The server side ssh configuration (/etc/ssh/sshd_config) has the following
lines:
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanupCredentials yes
br,
Quinn
On Mon, Jul 9, 2012 at 3:12 PM, Quinn Plattel <qiet72 at gmail.com> wrote:
> Hi,
>
> I am doing some kerberos testing with samba4 using ssh. I have setup
> samba4 using the howto at http://wiki.samba.org/index.php/Samba4/HOWTOand active directory seems to be working both with Windows and Linux
> clients.
> ssh unfortunately is not kerberos authenticating via GSSAPI. The client
> krb5.conf contains this:
>
> =====================================================
> [libdefaults]
> default_realm = MYDOMAIN.NET
>
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> dns_fallback = yes
> default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>
> v4_instance_resolve = false
> v4_name_convert = {
> host = {
> rcmd = host
> ftp = ftp
> }
> plain = {
> something = something-else
> }
> }
> fcc-mit-ticketflags = true
>
> [realms]
> MYDOMAIN.NET = {
> kdc = cofil01.mydomain.net:88
> default_domain = mydomain.net
> }
>
> [domain_realm]
> .mydomain.net = MYDOMAIN.NET
> mydomain.net = MYDOMAIN.NET
>
> [login]
> krb4_convert = true
> krb4_get_tickets = false
> ====================================================
>
> The server side krb5.conf contains this:
> ====================================================
> [libdefaults]
> default_realm = MYDOMAIN.NET
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ====================================================
>
> No kerberos errors shows up in "log.samba" on the server side even though
> samba is started with "-d 5"
> On the client side, I do a "kinit user" - it succeeds.
> I then do a klist and it lists my current ticket for user.
> Then I try "ssh -vvvl user cofil01.mydomain.net" , I get the following
> lines:
>
> ====================================================
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we did not send a packet, disable method
> ====================================================
>
> "hostname -f" on the client reveals:
> ubuntu-test.mydomain.net
>
> I can both forward and reverse resolve cofil01.mydomain.net on the client
> side.
> Is it necessary to create a /etc/krb5.keytab file on the client in order
> for ssh kerberos authentication to work?
>
>
> --
> br,
> Quinn
>
More information about the samba
mailing list