[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?

Quinn Plattel qiet72 at gmail.com
Tue Jul 10 02:07:30 MDT 2012


Hi,

Ok, I managed to find some more debugging info.

When I kinit on the client, log.samba on the server reports (I put spaces
around every "@" so that the list does not interpret them as e-mail
addresses):

  Kerberos: AS-REQ user @ MYDOMAIN.NET from ipv4:10.45.1.55:51790 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
  Kerberos: Client sent patypes: 149
  Kerberos: Looking for PKINIT pa-data -- user @ MYDOMAIN.NET
  Kerberos: Looking for ENC-TS pa-data -- user @ MYDOMAIN.NET
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- user @ MYDOMAIN.NET
  Kerberos: AS-REQ user @ MYDOMAIN.NET from ipv4:10.45.1.55:34138 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
  Kerberos: Client sent patypes: encrypted-timestamp, 149
  Kerberos: Looking for PKINIT pa-data -- user @ MYDOMAIN.NET
  Kerberos: Looking for ENC-TS pa-data -- user @ MYDOMAIN.NET
  Kerberos: ENC-TS Pre-authentication succeeded -- user @ MYDOMAIN.NET using arcfour-hmac-md5
  Kerberos: AS-REQ authtime: 2012-07-10T09:53:20 starttime: unset endtime: 2012-07-10T19:53:20 renew till: 2012-07-11T09:53:11
  Kerberos: Client supported enctypes: arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
  Kerberos: Requested flags: renewable-ok, proxiable, forwardable

Then when I try to ssh to the server, log.samba reports:

  Kerberos: TGS-REQ user @ MYDOMAIN.NET from ipv4:10.45.1.55:51485 for host/cofil01.mydomain.net @ MYDOMAIN.NET [canonicalize, renewable, proxiable, forwardable]
  Kerberos: TGS-REQ authtime: 2012-07-10T09:53:20 starttime: 2012-07-10T09:53:39 endtime: 2012-07-10T19:53:20 renew till: 2012-07-11T09:53:11

and ssh just reports:

  debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
  debug2: we sent a gssapi-with-mic packet, wait for reply
  debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
  debug2: we did not send a packet, disable method

If I repeat the ssh command, nothing pops up in log.samba unless I kinit
again.  When looking at the log.samba file, it looks like ssh GSSAPI
succeeded but ssh thinks differently.

br,
Quinn
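The log.samba lines above are the KDC's view of the exchange: two AS-REQs (the first answered with PREAUTH-REQUIRED, the second passing ENC-TS pre-authentication), then a TGS-REQ for the host/ service principal. The following script is an added example, not part of the post or of Samba; it parses lines of that shape into per-principal summaries so that KDC-side failures (no pre-authentication success, no TGS-REQ for the service) can be told apart from failures that happen after the KDC has handled the service-ticket request, and it flags the arcfour-hmac-md5 enctype the excerpt shows in use. The regular expressions are assumptions based on the line formats in the excerpt, and SAMPLE_LOG is a constructed sample modelled on it with the spaced-out "@" signs restored and email line wraps rejoined.

```python
import re

# Constructed sample modelled on the log.samba excerpt quoted in the post
# (the "@" signs the poster spaced out are restored; wrapped lines rejoined).
SAMPLE_LOG = """\
  Kerberos: AS-REQ user@MYDOMAIN.NET from ipv4:10.45.1.55:51790 for krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
  Kerberos: Client sent patypes: 149
  Kerberos: Looking for PKINIT pa-data -- user@MYDOMAIN.NET
  Kerberos: Looking for ENC-TS pa-data -- user@MYDOMAIN.NET
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- user@MYDOMAIN.NET
  Kerberos: AS-REQ user@MYDOMAIN.NET from ipv4:10.45.1.55:34138 for krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
  Kerberos: Client sent patypes: encrypted-timestamp, 149
  Kerberos: ENC-TS Pre-authentication succeeded -- user@MYDOMAIN.NET using arcfour-hmac-md5
  Kerberos: AS-REQ authtime: 2012-07-10T09:53:20 starttime: unset endtime: 2012-07-10T19:53:20 renew till: 2012-07-11T09:53:11
  Kerberos: Client supported enctypes: arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
  Kerberos: TGS-REQ user@MYDOMAIN.NET from ipv4:10.45.1.55:51485 for host/cofil01.mydomain.net@MYDOMAIN.NET [canonicalize, renewable, proxiable, forwardable]
  Kerberos: TGS-REQ authtime: 2012-07-10T09:53:20 starttime: 2012-07-10T09:53:39 endtime: 2012-07-10T19:53:20 renew till: 2012-07-11T09:53:11
"""

# Patterns assumed from the line shapes in the excerpt (Samba 4 KDC logging).
REQ_RE = re.compile(r"Kerberos: (AS-REQ|TGS-REQ) (\S+) from ipv4:(\d+\.\d+\.\d+\.\d+):\d+ for (\S+)")
PREAUTH_REQUIRED_RE = re.compile(r"returning PREAUTH-REQUIRED -- (\S+)")
PREAUTH_OK_RE = re.compile(r"Pre-authentication succeeded -- (\S+) using (\S+)")
ENCTYPES_RE = re.compile(r"Client supported enctypes: (.+?), using (\S+)/(\S+)")

# Enctypes worth flagging: RC4 and single-DES are deprecated.
WEAK_ENCTYPES = {"arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5"}


def parse_kdc_log(text):
    """Turn log.samba Kerberos lines into a list of event dicts."""
    events = []
    current_client = None  # enctype lines carry no principal; attach them to the last request
    for raw in text.splitlines():
        line = raw.strip()
        m = REQ_RE.search(line)
        if m:
            current_client = m.group(2)
            events.append({"type": m.group(1), "client": current_client,
                           "ip": m.group(3), "service": m.group(4)})
            continue
        m = PREAUTH_REQUIRED_RE.search(line)
        if m:
            events.append({"type": "PREAUTH-REQUIRED", "client": m.group(1)})
            continue
        m = PREAUTH_OK_RE.search(line)
        if m:
            events.append({"type": "PREAUTH-OK", "client": m.group(1), "enctype": m.group(2)})
            continue
        m = ENCTYPES_RE.search(line)
        if m and current_client:
            events.append({"type": "ENCTYPES", "client": current_client,
                           "supported": [e.strip() for e in m.group(1).split(",")],
                           "ticket": m.group(2), "session": m.group(3)})
    return events


def summarize(events):
    """Per client principal: AS exchanges, preauth outcomes, service tickets, weak enctypes."""
    summary = {}
    for ev in events:
        s = summary.setdefault(ev["client"], {
            "as_req": 0, "preauth_required": 0, "preauth_ok": 0,
            "tgs_services": [], "source_ips": set(), "weak_enctypes": set()})
        t = ev["type"]
        if t == "AS-REQ":
            s["as_req"] += 1
            s["source_ips"].add(ev["ip"])
        elif t == "TGS-REQ":
            s["tgs_services"].append(ev["service"])
            s["source_ips"].add(ev["ip"])
        elif t == "PREAUTH-REQUIRED":
            s["preauth_required"] += 1
        elif t == "PREAUTH-OK":
            s["preauth_ok"] += 1
            if ev["enctype"] in WEAK_ENCTYPES:
                s["weak_enctypes"].add(ev["enctype"])
        elif t == "ENCTYPES":
            for e in ev["supported"] + [ev["ticket"], ev["session"]]:
                if e in WEAK_ENCTYPES:
                    s["weak_enctypes"].add(e)
    return summary


def kdc_issued_service_ticket(summary, client, service):
    """True if the KDC logged a TGS-REQ from `client` for `service`."""
    return service in summary.get(client, {}).get("tgs_services", [])


if __name__ == "__main__":
    summary = summarize(parse_kdc_log(SAMPLE_LOG))
    for client, s in summary.items():
        print(f"{client}: AS-REQ x{s['as_req']} (preauth required {s['preauth_required']}, "
              f"ok {s['preauth_ok']}), TGS for {s['tgs_services'] or 'none'}, "
              f"from {sorted(s['source_ips'])}, weak enctypes {sorted(s['weak_enctypes']) or 'none'}")
```

On a real log.samba, a principal whose summary shows a PREAUTH-OK and a TGS-REQ for host/<server> has got as far as the KDC can take it; if the client still reports a GSSAPI failure, the next place to look is the service side (what the sshd acceptor can decrypt) rather than the KDC.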
