[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?

Ritter, Marcel - RRZE marcel.ritter at rrze.fau.de
Mon Jul 9 09:17:17 MDT 2012


Hi Quinn,

I've tried to get ssh Kerberos/gssapi login working on my Samba4 DC,
no luck so far.

However, after joining two VMs to this domain using Samba 3, ssh
logins work between those two machines (not towards the DC).

The only relevant difference I found while searching for a solution,
were differences in the krb5.keytab: it looks like Samba4 and Samba3
create different entries there (upper/lower case differ). I don't have
the VMs up and running at the moment, but I can supply the details if
it helps to fix this problem - just let me know.

Bye,
   Marcel

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Quinn Plattel
Sent: Monday, 9 July 2012 15:17
To: samba
Subject: Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?

Hi,

Forgot to mention that the client side's ssh configuration
(/etc/ssh/ssh_config) has the following lines:
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPITrustDns yes

The server side ssh configuration (/etc/ssh/sshd_config) has the following
lines:
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    GSSAPICleanupCredentials yes

br,
Quinn


On Mon, Jul 9, 2012 at 3:12 PM, Quinn Plattel <qiet72 at gmail.com> wrote:

> Hi,
>
> I am doing some kerberos testing with samba4 using ssh.  I have setup
> samba4 using the howto at
> http://wiki.samba.org/index.php/Samba4/HOWTO and Active Directory seems to be working both with Windows and Linux clients.
> ssh unfortunately is not kerberos authenticating via GSSAPI.  The 
> client krb5.conf contains this:
>
> =====================================================
> [libdefaults]
>     default_realm = MYDOMAIN.NET
>
>     krb4_config = /etc/krb.conf
>     krb4_realms = /etc/krb.realms
>     kdc_timesync = 1
>     ccache_type = 4
>     forwardable = true
>     proxiable = true
>     dns_fallback = yes
>     default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>     default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>
>     v4_instance_resolve = false
>     v4_name_convert = {
>         host = {
>             rcmd = host
>             ftp = ftp
>         }
>         plain = {
>             something = something-else
>         }
>     }
>     fcc-mit-ticketflags = true
>
> [realms]
>     MYDOMAIN.NET = {
>         kdc = cofil01.mydomain.net:88
>         default_domain = mydomain.net
>     }
>
> [domain_realm]
>     .mydomain.net = MYDOMAIN.NET
>     mydomain.net = MYDOMAIN.NET
>
> [login]
>     krb4_convert = true
>     krb4_get_tickets = false
> ====================================================
>
> The server side krb5.conf contains this:
> ====================================================
> [libdefaults]
>     default_realm = MYDOMAIN.NET
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
> ====================================================
>
> No Kerberos errors show up in "log.samba" on the server side even
> though samba is started with "-d 5".
> On the client side, I do a "kinit user" - it succeeds.
> I then do a klist and it lists my current ticket for user.
> Then I try "ssh -vvvl user cofil01.mydomain.net" , I get the following
> lines:
>
> ====================================================
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we did not send a packet, disable method 
> ====================================================
>
> "hostname -f" on the client reveals:
> ubuntu-test.mydomain.net
>
> I can both forward and reverse resolve cofil01.mydomain.net on the 
> client side.
> Is it necessary to create a /etc/krb5.keytab file on the client in 
> order for ssh kerberos authentication to work?
>
>
> --
> br,
> Quinn
>
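Two things in this thread are worth checking mechanically before digging into sshd: Marcel's observation that the Samba4 and Samba3 keytabs differ in upper/lower case (Kerberos principal names are case-sensitive, so an sshd looking for host/cofil01.mydomain.net@MYDOMAIN.NET will not accept a ticket for host/COFIL01.mydomain.net@MYDOMAIN.NET), and the client krb5.conf above, whose default_tkt_enctypes / default_tgs_enctypes lists contain only RC4 and single-DES, enctypes that a current MIT Kerberos disables (DES, unless allow_weak_crypto = true) or deprecates. The script below is an added example, not code from the thread or from the Samba project. It parses a constructed sample of `klist -ke` output and a constructed excerpt of the quoted krb5.conf; the host and realm names are taken from the thread, the keytab contents are assumed for illustration, and on a real machine you would feed it the actual `klist -ke` output and `hostname -f`.

```python
"""Offline checks for an OpenSSH GSSAPI login against a Kerberos/Samba host.

Added example for the Samba list thread above; not from the thread or from
Samba. Sample inputs below are constructed, not captured from a real DC.
"""
import re

# Enctypes a current MIT Kerberos refuses or deprecates: single DES is disabled
# unless allow_weak_crypto = true (MIT krb5 1.8+); RC4 and 3DES are deprecated.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1",
    "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp", "des3-cbc-sha1",
}

# Constructed 'klist -ke' listing for the DC. The host/ entries use the
# upper-case short name, the kind of case difference Marcel describes.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/COFIL01.mydomain.net@MYDOMAIN.NET (aes256-cts-hmac-sha1-96)
   2 host/COFIL01.mydomain.net@MYDOMAIN.NET (arcfour-hmac)
   2 cifs/cofil01.mydomain.net@MYDOMAIN.NET (aes256-cts-hmac-sha1-96)
"""

# Constructed excerpt of the client krb5.conf quoted in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = MYDOMAIN.NET
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
"""

# One 'klist -ke' entry: "<kvno> <principal> (<enctype>)".
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist_ke(text):
    """Return [(kvno, principal, enctype), ...] from 'klist -ke' output."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def expected_ssh_principal(fqdn, realm):
    """The ssh client asks the KDC for host/<resolved fqdn>@REALM, with the
    DNS name in lower case; sshd accepts the token only if the keytab holds a
    key for exactly that principal."""
    return "host/%s@%s" % (fqdn.lower(), realm.upper())


def check_keytab(entries, fqdn, realm):
    """Report whether the keytab matches the expected principal exactly,
    only modulo case, and which entries carry weak/deprecated enctypes."""
    want = expected_ssh_principal(fqdn, realm)
    exact = any(p == want for _, p, _ in entries)
    case_only = sorted({p for _, p, _ in entries
                        if p.lower() == want.lower() and p != want})
    weak = [(p, et) for _, p, et in entries if et.lower() in WEAK_ENCTYPES]
    return {"expected": want, "exact": exact,
            "case_only": case_only, "weak": weak}


def enctypes_from_krb5conf(text, key):
    """Return the enctype list configured for '<key> = ...', or [] if absent."""
    m = re.search(r"^\s*%s\s*=\s*(.+?)\s*$" % re.escape(key), text, re.M)
    return m.group(1).split() if m else []


def only_weak(enctypes):
    """True if every configured enctype is weak/deprecated: such a client can
    never obtain a ticket for a service that only has AES keys."""
    return bool(enctypes) and all(e.lower() in WEAK_ENCTYPES for e in enctypes)


def diagnose(klist_text, krb5conf_text, fqdn, realm):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    r = check_keytab(parse_klist_ke(klist_text), fqdn, realm)
    if not r["exact"]:
        findings.append("keytab has no entry for %s" % r["expected"])
        for p in r["case_only"]:
            findings.append("  found %s (differs only in case)" % p)
    for p, et in r["weak"]:
        findings.append("weak/deprecated enctype %s for %s" % (et, p))
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        ets = enctypes_from_krb5conf(krb5conf_text, key)
        if only_weak(ets):
            findings.append("client %s lists only weak enctypes: %s"
                            % (key, " ".join(ets)))
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_KLIST, SAMPLE_KRB5_CONF,
                         "cofil01.mydomain.net", "MYDOMAIN.NET"):
        print(line)
```

On the sample input the script reports that the keytab has no entry for host/cofil01.mydomain.net@MYDOMAIN.NET, that a case-only variant exists, that one host/ key uses arcfour-hmac, and that both client enctype lists contain nothing but weak enctypes. On a real system, run it against `klist -ke` on the DC and `hostname -f` as seen from the client; if the principal case is the only difference, `samba-tool domain exportkeytab` or `net ads keytab` can be used to write an entry with the name sshd actually asks for, and the enctype lists in krb5.conf should be removed or extended with aes256-cts-hmac-sha1-96 before relying on them.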