[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]

Ritter, Marcel - RRZE marcel.ritter at rrze.fau.de
Wed Jul 11 09:24:46 MDT 2012


Hi Quinn,

thanks for your hint: I still had an old out-of-date /etc/krb5.keytab
from a former installation of samba4 :-(

I simply copied secrets.keytab to /etc/krb5.keytab and everything
worked as described.

I'd really be interested in your progress concerning NFS4 - I've
tried to get this working some time ago - with mixed results in
a "real" Active Directory environment, so maybe I can repay my
debt ;-)

However, doing secure NFS using Samba4 DC would be pretty
cool :-)

Bye,
   Marcel

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Quinn Plattel
Sent: Wednesday, 11 July 2012 10:08
To: samba
Subject: Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]

Btw, forgot to mention, when testing, make sure on the client you do a "kinit <user>" to get a valid ticket before doing your ssh login.  You can check if you have a valid ticket with the "klist" command.

br,
Quinn

On Wed, Jul 11, 2012 at 9:56 AM, Quinn Plattel <qiet72 at gmail.com> wrote:

> Hi Marcel,
>
> On the client machine (Ubuntu 12.04 LTS) I have (dpkg -l) :
> ii  krb5-config
> 2.2                                     Configuration files for Kerberos
> Version 5
> ii  krb5-locales
> 1.10+dfsg~beta1-2ubuntu0.1              Internationalization support for
> MIT Kerberos
> ii  krb5-user
> 1.10+dfsg~beta1-2ubuntu0.1              Basic programs to authenticate
> using MIT Kerberos
> ii  libgssapi-krb5-2
> 1.10+dfsg~beta1-2ubuntu0.1              MIT Kerberos runtime libraries -
> krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal
> 1.6~git20120311.dfsg.1-2                Heimdal Kerberos - libraries
> ii  libkrb5-3
> 1.10+dfsg~beta1-2ubuntu0.1              MIT Kerberos runtime libraries
> ii  libkrb5support0
> 1.10+dfsg~beta1-2ubuntu0.1              MIT Kerberos runtime libraries -
> Support library
> ii  libpam-krb5
> 4.5-3                                   PAM module for MIT Kerberos
> ii  openssh-client
> 1:5.9p1-5ubuntu1                        secure shell (SSH) client, for
> secure access to remote machines
>
> On the server machine (Ubuntu 12.04 LTS) I have (dpkg -l):
> ii  krb5-config
> 2.2                                     Configuration files for Kerberos
> Version 5
> ii  krb5-locales
> 1.10+dfsg~beta1-2ubuntu0.1              Internationalization support for
> MIT Kerberos
> ii  krb5-user
> 1.10+dfsg~beta1-2ubuntu0.1              Basic programs to authenticate
> using MIT Kerberos
> ii  libgssapi-krb5-2
> 1.10+dfsg~beta1-2ubuntu0.1              MIT Kerberos runtime libraries -
> krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal
> 1.6~git20120311.dfsg.1-2                Heimdal Kerberos - libraries
> ii  libkrb5-3
> 1.10+dfsg~beta1-2ubuntu0.1              MIT Kerberos runtime libraries
> ii  libkrb5support0
> 1.10+dfsg~beta1-2ubuntu0.1              MIT Kerberos runtime libraries -
> Support library
> ii  openssh-client
> 1:5.9p1-5ubuntu1                        secure shell (SSH) client, for
> secure access to remote machines
> ii  openssh-server
> 1:5.9p1-5ubuntu1                        secure shell (SSH) server, for
> secure access from remote machines
>    samba Version 4.0.0beta3-GIT-UNKNOWN
>
> Without "GSSAPIStrictAcceptorCheck no" you need an fqdn in the client's 
> /etc/hosts file and have all the principals needed added to the 
> server's keytab file, but this is not necessary if you use the parameter.
> With the parameter, the only thing you need to make sure of is that on 
> the server /var/lib/samba/secrets.keytab is copied or linked to 
> /etc/krb5.keytab (sshd looks for it).  You can use the keytab file as 
> it is without copying any extra principals into it.
>
> You can have a very simple /etc/hosts on the client such as:
> 127.0.0.1    localhost
> 127.0.1.1    ubuntu-test
>
> This setup probably only works for ssh kerberos. nfsv4, pam logins, 
> and other kerberos aware services may need strict checking.  That is 
> my next research project.
>
> For ssh debugging, on the server I used -ddd for sshd and looked at 
> both syslog and auth.log under /var/log.  On the client, I used ssh 
> -vvvl <user> <server>.  For kerberos samba4 debugging, start samba with 
> the "-d 5" parameter and then "tail -f /var/log/samba/log.samba|grep 
> Kerberos:"
>
> br,
> Quinn
>
>
>
> On Wed, Jul 11, 2012 at 8:32 AM, Ritter, Marcel - RRZE < 
> marcel.ritter at rrze.fau.de> wrote:
>
>> Hi Quinn,
>>
>> I just tried your solution (my machine is also multi-homed). However 
>> it doesn't work for me. The man-page of sshd_config also states that 
>> the behavior of "GSSAPIStrictAcceptorCheck" may depend on the used
>> krb5 libraries.
>>
>> Could you please have a look at the krb5 and openssh versions you're 
>> using (and perhaps the linux distribution/version)?
>>
>> BTW: I'm running:
>>          Ubuntu 12.04 LTS
>>         openssh-server 5.9p1-5ubuntu1
>>         libkrb5-3 1.10+dfsg~beta1-2ubuntu0.1
>>
>> auth.log mentions (during failed login):
>>         Unspecified GSS failure.
>>         Minor code may provide more information:
>>         Wrong principal in request
>>
>> Thanks,
>>     Marcel
>>
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org 
>> [mailto:samba-bounces at lists.samba.org]
>> On behalf of Quinn Plattel
>> Sent: Tuesday, 10 July 2012 16:08
>> To: samba
>> Subject: Re: [Samba] How do I get an ssh client to authenticate with 
>> samba4's kerberos GSSAPI? [Solved]
>>
>> Hi,
>>
>> I solved my ssh GSSAPI problem.  There were a lot of solutions on 
>> google referring to a proper fqdn in the /etc/hosts file and having 
>> the fqdn's/principals in the kerberos server's keytab file but I 
>> found out that my problem was that the samba4/kerberos server was 
>> running on a multi-homed machine and that the ssh server kerberos 
>> authentication needed the following parameter in order for it to work on multi-homed machines:
>>
>> GSSAPIStrictAcceptorCheck no
>>
>> The default is yes; with "no", according to the manpage, 
>> "clients may authenticate against any service key stored in the 
>> machine's default store."
>>
>> I hope this helps others that have similar setups as I do.
>>
>> Thank you all for your input.
>>
>> br,
>> Quinn
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>
>


--
Best regards/Med venlig hilsen,
Quinn Plattel
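The thread above ends up with two ways past the "Wrong principal in request" failure: relax sshd with "GSSAPIStrictAcceptorCheck no", or make sure the keytab sshd reads actually contains the host/<fqdn> principal the client asks for. The following is an added example, not code from the thread or from Samba: a small pre-flight check that parses `klist -k` style output and reports whether /etc/krb5.keytab would satisfy the default strict check for a given FQDN and realm. The FQDN, realm and the keytab listing are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the thread: checks whether a keytab listing
# (as printed by `klist -k /etc/krb5.keytab`) carries the host/<fqdn>@REALM
# principal that sshd needs with the default "GSSAPIStrictAcceptorCheck yes",
# so the keytab can be fixed instead of relaxing the check.
# FQDN, realm and the sample listing below are constructed values.

# Print principal names from `klist -k` output on stdin: skip everything up to
# the dashed separator line, then take the second column of numbered entries.
keytab_principals() {
    awk '/^----/ { body = 1; next }
         body && $1 ~ /^[0-9]+$/ { print $2 }'
}

# Exit 0 if host/<fqdn>@<REALM> is among the principals on stdin
# (fixed-string, whole-line, case-sensitive match, as Kerberos compares names).
keytab_has_host_principal() {
    keytab_principals | grep -qxF "host/$1@$2"
}

# Verdict for sshd with the strict acceptor check left at its default, for the
# keytab listing on stdin: "strict-ok" when the host principal for that FQDN is
# present, "strict-fail" when a client asking for host/<fqdn> would be refused
# (the "Wrong principal in request" case seen in auth.log above).
sshd_keytab_verdict() {
    if keytab_has_host_principal "$1" "$2"; then
        echo strict-ok
    else
        echo strict-fail
    fi
}

# Constructed sample of `klist -k` output after copying Samba's secrets.keytab:
# only the short host name is registered as a host/ principal.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/ubuntu-test@EXAMPLE.COM
   1 UBUNTU-TEST$@EXAMPLE.COM
   1 cifs/ubuntu-test.example.com@EXAMPLE.COM'

# Usage against the sample: the FQDN a client resolves the server to fails the
# strict check, while the short name passes it.
printf '%s\n' "$SAMPLE_KEYTAB" | sshd_keytab_verdict ubuntu-test.example.com EXAMPLE.COM
printf '%s\n' "$SAMPLE_KEYTAB" | sshd_keytab_verdict ubuntu-test EXAMPLE.COM
```

On a real host, replace the sample with `klist -k /etc/krb5.keytab | sshd_keytab_verdict "$(hostname -f)" REALM`, where REALM is the Samba4 Kerberos realm in upper case.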