[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]

Quinn Plattel qiet72 at gmail.com
Wed Jul 11 01:56:05 MDT 2012


Hi Marcel,

On the client machine (Ubuntu 12.04 LTS) I have (dpkg -l) :
ii  krb5-config         2.2                          Configuration files for Kerberos Version 5
ii  krb5-locales        1.10+dfsg~beta1-2ubuntu0.1   Internationalization support for MIT Kerberos
ii  krb5-user           1.10+dfsg~beta1-2ubuntu0.1   Basic programs to authenticate using MIT Kerberos
ii  libgssapi-krb5-2    1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal  1.6~git20120311.dfsg.1-2     Heimdal Kerberos - libraries
ii  libkrb5-3           1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries
ii  libkrb5support0     1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries - Support library
ii  libpam-krb5         4.5-3                        PAM module for MIT Kerberos
ii  openssh-client      1:5.9p1-5ubuntu1             secure shell (SSH) client, for secure access to remote machines

On the server machine (Ubuntu 12.04 LTS) I have (dpkg -l):
ii  krb5-config         2.2                          Configuration files for Kerberos Version 5
ii  krb5-locales        1.10+dfsg~beta1-2ubuntu0.1   Internationalization support for MIT Kerberos
ii  krb5-user           1.10+dfsg~beta1-2ubuntu0.1   Basic programs to authenticate using MIT Kerberos
ii  libgssapi-krb5-2    1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal  1.6~git20120311.dfsg.1-2     Heimdal Kerberos - libraries
ii  libkrb5-3           1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries
ii  libkrb5support0     1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries - Support library
ii  openssh-client      1:5.9p1-5ubuntu1             secure shell (SSH) client, for secure access to remote machines
ii  openssh-server      1:5.9p1-5ubuntu1             secure shell (SSH) server, for secure access from remote machines
    samba Version 4.0.0beta3-GIT-UNKNOWN

Without "GSSAPIStrictAcceptorCheck no" you need an FQDN in the client's
/etc/hosts file and all the needed principals added to the server's
keytab file, but this is not necessary if you use the parameter.
With the parameter, the only thing you need to make sure of is that on the
server /var/lib/samba/secrets.keytab is copied or linked to
/etc/krb5.keytab (sshd looks for it). You can use the keytab file as it is,
without copying any extra principals into it.

You can have a very simple /etc/hosts on the client such as:
127.0.0.1    localhost
127.0.1.1    ubuntu-test

This setup probably only works for SSH with Kerberos. NFSv4, PAM logins, and
other Kerberos-aware services may need strict checking. That is my next
research project.

For ssh debugging, on the server I ran sshd with -ddd and looked at both
syslog and auth.log under /var/log. On the client, I used "ssh -vvvl <user>
<server>".
For Samba4 Kerberos debugging, start samba with the "-d 5" parameter and then
run "tail -f /var/log/samba/log.samba | grep Kerberos:".

br,
Quinn
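The two server-side steps Quinn describes (set GSSAPIStrictAcceptorCheck to no in sshd_config, and make /etc/krb5.keytab point at Samba's secrets.keytab), written up as a small POSIX shell helper. This is an added example, not code from this thread or from the Samba or OpenSSH projects; the function names are mine, the paths default to the ones named in the message, and each function takes its paths as arguments so the logic can be exercised against throw-away files rather than a live host.

```shell
#!/bin/sh
# Added example (not from the thread): apply and check the sshd-side changes
# for Kerberos/GSSAPI logins against a Samba4 DC's keytab. Function names are
# this example's own; default paths are the ones named in the message.

# set_sshd_option FILE KEY VALUE
# Idempotently set "KEY VALUE" in an sshd_config-style file. An existing
# active line or a commented-out default ("#GSSAPIStrictAcceptorCheck yes")
# for KEY is rewritten in place; otherwise the directive is appended.
# sshd honours the first match for a keyword, so blindly appending while a
# stale active line remains above it would leave the old value in force.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file" 2>/dev/null; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$/$key $value/" "$file" > "$tmp" \
            && mv "$tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY
# Print the value sshd would use: the first uncommented line for KEY, with
# the keyword compared case-insensitively as sshd does. Prints nothing when
# the directive is absent (the compiled-in default then applies; for
# GSSAPIStrictAcceptorCheck that default is "yes").
get_sshd_option() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# link_keytab SRC DST
# Point DST (the default keytab the GSSAPI library behind sshd reads) at
# Samba's keytab. A DST that is a regular file is left alone, since it may be
# a keytab other services already depend on; an old symlink is replaced.
link_keytab() {
    src=$1; dst=$2
    [ -f "$src" ] || { echo "link_keytab: $src does not exist" >&2; return 1; }
    if [ -e "$dst" ] && [ ! -L "$dst" ]; then
        echo "link_keytab: $dst is a regular file, not replacing it" >&2
        return 1
    fi
    rm -f "$dst" && ln -s "$src" "$dst"
}

# keytab_principals FILE
# List the principals in a keytab using MIT klist's "klist -k" layout
# (three header lines, then "KVNO Principal"). Returns 2 when klist is not
# installed so a caller can tell "no tool" from "no principals".
keytab_principals() {
    command -v klist >/dev/null 2>&1 || return 2
    klist -k "$1" | awk 'NR > 3 { print $2 }' | sort -u
}

# Usage on the server (as root), followed by an sshd restart:
#   sh gssapi_sshd.sh apply /etc/ssh/sshd_config /var/lib/samba/secrets.keytab /etc/krb5.keytab
if [ "${1:-}" = apply ]; then
    set_sshd_option "${2:-/etc/ssh/sshd_config}" GSSAPIAuthentication yes
    set_sshd_option "${2:-/etc/ssh/sshd_config}" GSSAPIStrictAcceptorCheck no
    link_keytab "${3:-/var/lib/samba/secrets.keytab}" "${4:-/etc/krb5.keytab}"
    keytab_principals "${4:-/etc/krb5.keytab}"
fi
```

Two things the thread does not spell out but that matter when applying this: sshd's compiled-in default for GSSAPIAuthentication is "no", so the option has to be enabled alongside the acceptor-check change, and sshd has to be restarted before either takes effect. The security trade-off is the one the sshd_config man page states: with the strict check off, a client holding a ticket for any service principal whose key is in that keytab can authenticate to sshd, not only one for host/<name>, and on a Samba4 DC the linked keytab is the DC's own. Marcel's "Wrong principal in request" in auth.log is the strict check doing its job: the ticket the client presented was issued for a host principal other than the one sshd expected for itself.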


On Wed, Jul 11, 2012 at 8:32 AM, Ritter, Marcel - RRZE <
marcel.ritter at rrze.fau.de> wrote:

> Hi Quinn,
>
> I just tried your solution (my machine is also multi-homed). However, it
> doesn't work for me. The man page of sshd_config also states that the
> behavior of "GSSAPIStrictAcceptorCheck" may depend on the used
> krb5 libraries.
>
> Could you please have a look at the krb5 and openssh versions you're
> using (and perhaps the linux distribution/version)?
>
> BTW: I'm running:
>          Ubuntu 12.04 LTS
>         openssh-server 5.9p1-5ubuntu1
>         libkrb5-3 1.10+dfsg~beta1-2ubuntu0.1
>
> auth.log mentions (during failed login):
>         Unspecified GSS failure.
>         Minor code may provide more information:
>         Wrong principal in request
>
> Thanks,
>     Marcel
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Quinn Plattel
> Sent: Tuesday, 10 July 2012 16:08
> To: samba
> Subject: Re: [Samba] How do I get an ssh client to authenticate with
> samba4's kerberos GSSAPI? [Solved]
>
> Hi,
>
> I solved my ssh GSSAPI problem. There were a lot of solutions on Google
> referring to a proper FQDN in the /etc/hosts file and having the
> FQDNs/principals in the Kerberos server's keytab file, but I found out that
> my problem was that the samba4/kerberos server was running on a multi-homed
> machine and that the ssh server's Kerberos authentication needed the
> following parameter in order for it to work on multi-homed machines:
>
> GSSAPIStrictAcceptorCheck no
>
> The default is "yes"; with "no", according to the manpage, "clients may
> authenticate against any service key stored in the machine's default store."
>
> I hope this helps others that have similar setups as I do.
>
> Thank you all for your input.
>
> br,
> Quinn
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

