[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?

Quinn Plattel qiet72 at gmail.com
Mon Jul 9 07:16:38 MDT 2012


Hi,

Forgot to mention that the client side's ssh configuration
(/etc/ssh/ssh_config) has the following lines:
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPITrustDns yes

The server side ssh configuration (/etc/ssh/sshd_config) has the following
lines:
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    GSSAPICleanupCredentials yes

br,
Quinn


On Mon, Jul 9, 2012 at 3:12 PM, Quinn Plattel <qiet72 at gmail.com> wrote:

> Hi,
>
> I am doing some kerberos testing with samba4 using ssh.  I have setup
> samba4 using the howto at http://wiki.samba.org/index.php/Samba4/HOWTO and
> active directory seems to be working both with Windows and Linux
> clients.
> ssh unfortunately is not kerberos authenticating via GSSAPI.  The client
> krb5.conf contains this:
>
> =====================================================
> [libdefaults]
>     default_realm = MYDOMAIN.NET
>
>     krb4_config = /etc/krb.conf
>     krb4_realms = /etc/krb.realms
>     kdc_timesync = 1
>     ccache_type = 4
>     forwardable = true
>     proxiable = true
>     dns_fallback = yes
>     default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>     default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>
>     v4_instance_resolve = false
>     v4_name_convert = {
>         host = {
>             rcmd = host
>             ftp = ftp
>         }
>         plain = {
>             something = something-else
>         }
>     }
>     fcc-mit-ticketflags = true
>
> [realms]
>     MYDOMAIN.NET = {
>         kdc = cofil01.mydomain.net:88
>         default_domain = mydomain.net
>     }
>
> [domain_realm]
>     .mydomain.net = MYDOMAIN.NET
>     mydomain.net = MYDOMAIN.NET
>
> [login]
>     krb4_convert = true
>     krb4_get_tickets = false
> ====================================================
>
> The server side krb5.conf contains this:
> ====================================================
> [libdefaults]
>     default_realm = MYDOMAIN.NET
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
> ====================================================
>
> No Kerberos errors show up in "log.samba" on the server side even though
> samba is started with "-d 5"
> On the client side, I do a "kinit user" - it succeeds.
> I then do a klist and it lists my current ticket for user.
> Then I try "ssh -vvvl user cofil01.mydomain.net", and I get the following
> lines:
>
> ====================================================
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we did not send a packet, disable method
> ====================================================
>
> "hostname -f" on the client reveals:
> ubuntu-test.mydomain.net
>
> I can both forward and reverse resolve cofil01.mydomain.net on the client
> side.
> Is it necessary to create a /etc/krb5.keytab file on the client in order
> for ssh kerberos authentication to work?
>
>
> --
> br,
> Quinn
>
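Added here as a worked example; it is not part of Quinn's message and not Samba or OpenSSH code. The trace above is what the client shows when it sends GSSAPI tokens that never lead to a successful exchange. Two things have to hold for gssapi-with-mic to work: sshd's default keytab (normally /etc/krb5.keytab on the server) must contain a key for host/<canonical server name>@REALM, and the client must be able to obtain a service ticket for that same principal using the TGT that kinit put in its credential cache (the client side needs no keytab for this). The script below takes the hostname, realm and default_tkt_enctypes from the posted configuration, parses MIT-style `klist -ke` output to confirm the host principal is present and that its key types overlap what the client will ask for, and with `--live` runs the real `klist -ke` and `kvno`. The keytab listing embedded in it is constructed for the offline self-check, not captured from the poster's server; MIT output format is an assumption (Heimdal's klist prints a different layout).

```shell
#!/bin/sh
# Added example for the thread above; not Samba or OpenSSH code.
# sshd accepts GSSAPI auth only if its default keytab holds a key for
# host/<canonical server name>@REALM, and the ssh client can only build a
# token if it can get a service ticket for that name with the kinit TGT.
# Name and realm are the ones from the post; MIT `klist -ke` output is
# assumed.

SERVER_FQDN="${SERVER_FQDN:-cofil01.mydomain.net}"
REALM="${REALM:-MYDOMAIN.NET}"
# default_tkt_enctypes from the client krb5.conf in the post
CLIENT_ENCTYPES="arcfour-hmac-md5 des-cbc-crc des-cbc-md5"

# Constructed sample of `klist -ke` output, used for the offline self-check.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/cofil01.mydomain.net@MYDOMAIN.NET (aes256-cts-hmac-sha1-96)
   2 host/cofil01.mydomain.net@MYDOMAIN.NET (arcfour-hmac)
   2 host/COFIL01@MYDOMAIN.NET (aes256-cts-hmac-sha1-96)'

# The principal sshd looks for: host/<fqdn>@REALM
host_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# keytab_has_principal KLIST_OUTPUT PRINCIPAL: 0 if PRINCIPAL is listed
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $2 == p { found = 1 }
        END { exit found ? 0 : 1 }'
}

# keytab_enctypes_for KLIST_KE_OUTPUT PRINCIPAL: prints one enctype per line
keytab_enctypes_for() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $2 == p { gsub(/[()]/, "", $3); print $3 }'
}

# klist prints the canonical MIT name; krb5.conf often uses an alias
canon_enctype() {
    case "$1" in
        arcfour-hmac-md5|rc4-hmac) echo arcfour-hmac ;;
        *) echo "$1" ;;
    esac
}

# enctype_overlap "CLIENT LIST" "KEYTAB LIST": 0 if any type is in both.
# No overlap means the KDC cannot issue a ticket the server can decrypt.
enctype_overlap() {
    for c in $1; do
        c=$(canon_enctype "$c")
        for k in $2; do
            [ "$c" = "$(canon_enctype "$k")" ] && return 0
        done
    done
    return 1
}

# check_keytab KLIST_OUTPUT FQDN REALM "CLIENT ENCTYPES": prints a verdict
# and returns 0 only when sshd could accept a ticket for this host.
check_keytab() {
    princ=$(host_principal "$2" "$3")
    if ! keytab_has_principal "$1" "$princ"; then
        echo "MISSING: $princ is not in the keytab; sshd cannot accept GSSAPI"
        return 1
    fi
    if ! enctype_overlap "$4" "$(keytab_enctypes_for "$1" "$princ")"; then
        echo "ENCTYPE MISMATCH: keys for $princ share no type with the client list"
        return 1
    fi
    echo "OK: $princ present with a usable enctype"
    return 0
}

if [ "${1:-}" = "--live" ]; then
    # Server side (run as root; the keytab is normally mode 0600)
    if out=$(klist -ke 2>&1); then
        check_keytab "$out" "$SERVER_FQDN" "$REALM" "$CLIENT_ENCTYPES"
    else
        echo "klist -ke failed: $out"
    fi
    # Client side: ask the KDC for a service ticket using the kinit TGT
    princ=$(host_principal "$SERVER_FQDN" "$REALM")
    if kvno "$princ"; then
        echo "OK: service ticket for $princ obtained; klist will now show it"
    else
        echo "FAILED: no service ticket for $princ; GSSAPI auth cannot proceed"
    fi
else
    # Offline self-check against the constructed sample
    check_keytab "$SAMPLE_KEYTAB" "$SERVER_FQDN" "$REALM" "$CLIENT_ENCTYPES"
fi
```

Run with no arguments it only exercises the constructed sample. With `--live` on the DC it needs root to read /etc/krb5.keytab, and on the client it needs a fresh kinit. Two caveats: with GSSAPITrustDns yes the client names the target after the reverse-DNS canonical name of the address it connected to, so if that differs from cofil01.mydomain.net the principal it asks for differs too; and if the keytab check fails on a Samba AD DC, the DC's own host key can be written there with `samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/cofil01.mydomain.net`.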

