[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]

Heather Choi hceuterpe at gmail.com
Thu Jul 12 19:41:32 MDT 2012


If you configure PAM and kerberos properly, you do not need to do a 
kinit first.  I get them automatically when I login.  They automatically 
renew when I type my password into the GNOME screensaver.

Btw, I am also using Samba 3, not Samba4.

On 07/11/2012 03:07 AM, Quinn Plattel wrote:
> Btw, forgot to mention, when testing, make sure on the client you do a
> "kinit <user>" to get a valid ticket before doing your ssh login.  You can
> check if you have a valid ticket with the "klist" command.
>
> br,
> Quinn
>
> On Wed, Jul 11, 2012 at 9:56 AM, Quinn Plattel <qiet72 at gmail.com> wrote:
>
>> Hi Marcel,
>>
>> On the client machine (Ubuntu 12.04 LTS) I have (dpkg -l):
>> ii  krb5-config         2.2                          Configuration files for Kerberos Version 5
>> ii  krb5-locales        1.10+dfsg~beta1-2ubuntu0.1   Internationalization support for MIT Kerberos
>> ii  krb5-user           1.10+dfsg~beta1-2ubuntu0.1   Basic programs to authenticate using MIT Kerberos
>> ii  libgssapi-krb5-2    1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
>> ii  libkrb5-26-heimdal  1.6~git20120311.dfsg.1-2     Heimdal Kerberos - libraries
>> ii  libkrb5-3           1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries
>> ii  libkrb5support0     1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries - Support library
>> ii  libpam-krb5         4.5-3                        PAM module for MIT Kerberos
>> ii  openssh-client      1:5.9p1-5ubuntu1             secure shell (SSH) client, for secure access to remote machines
>>
>> On the server machine (Ubuntu 12.04 LTS) I have (dpkg -l):
>> ii  krb5-config         2.2                          Configuration files for Kerberos Version 5
>> ii  krb5-locales        1.10+dfsg~beta1-2ubuntu0.1   Internationalization support for MIT Kerberos
>> ii  krb5-user           1.10+dfsg~beta1-2ubuntu0.1   Basic programs to authenticate using MIT Kerberos
>> ii  libgssapi-krb5-2    1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
>> ii  libkrb5-26-heimdal  1.6~git20120311.dfsg.1-2     Heimdal Kerberos - libraries
>> ii  libkrb5-3           1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries
>> ii  libkrb5support0     1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries - Support library
>> ii  openssh-client      1:5.9p1-5ubuntu1             secure shell (SSH) client, for secure access to remote machines
>> ii  openssh-server      1:5.9p1-5ubuntu1             secure shell (SSH) server, for secure access from remote machines
>>     samba Version 4.0.0beta3-GIT-UNKNOWN
>>
>> Without "GSSAPIStrictAcceptorCheck no" you need an fqdn in the client's
>> /etc/hosts file and have all the principals needed added to the server's
>> keytab file, but this is not necessary if you use the parameter.
>> With the parameter, the only thing you need to make sure of is that on the
>> server /var/lib/samba/secrets.keytab is copied or linked to
>> /etc/krb5.keytab (sshd looks for it).  You can use the keytab file as it is
>> without copying any extra principals into it.
>>
>> You can have a very simple /etc/hosts on the client such as:
>> 127.0.0.1    localhost
>> 127.0.1.1    ubuntu-test
>>
>> This setup probably only works for ssh kerberos. nfsv4, pam logins, and
>> other kerberos aware services may need strict checking.  That is my next
>> research project.
>>
>> For ssh debugging, on the server I used -ddd for sshd and looked at both
>> syslog and auth.log under /var/log.  On the client, I used ssh -vvvl <user>
>> <server>
>> For kerberos samba4 debugging, start samba with "-d 5" parameter and then
>> "tail -f /var/log/samba/log.samba|grep Kerberos:"
>>
>> br,
>> Quinn
>>
>>
>>
>> On Wed, Jul 11, 2012 at 8:32 AM, Ritter, Marcel - RRZE <
>> marcel.ritter at rrze.fau.de> wrote:
>>
>>> Hi Quinn,
>>>
>>> I just tried your solution (my machine is also multi-homed). However it
>>> doesn't work for me. The man-page of sshd_config also states that the
>>> behavior of "GSSAPIStrictAcceptorCheck" may depend on the used
>>> krb5 libraries.
>>>
>>> Could you please have a look at the krb5 and openssh versions you're
>>> using (and perhaps the linux distribution/version)?
>>>
>>> BTW: I'm running:
>>>           Ubuntu 12.04 LTS
>>>          openssh-server 5.9p1-5ubuntu1
>>>          libkrb5-3 1.10+dfsg~beta1-2ubuntu0.1
>>>
>>> auth.log mentions (during failed login):
>>>          Unspecified GSS failure.
>>>          Minor code may provide more information:
>>>          Wrong principal in request
>>>
>>> Thanks,
>>>      Marcel
>>>
>>> -----Original Message-----
>>> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
>>> On behalf of Quinn Plattel
>>> Sent: Tuesday, 10 July 2012 16:08
>>> To: samba
>>> Subject: Re: [Samba] How do I get an ssh client to authenticate with
>>> samba4's kerberos GSSAPI? [Solved]
>>>
>>> Hi,
>>>
>>> I solved my ssh GSSAPI problem.  There were a lot of solutions on google
>>> referring to a proper fqdn in the /etc/hosts file and having the
>>> fqdn's/principals in the kerberos server's keytab file but I found out that
>>> my problem was that the samba4/kerberos server was running on a multi-homed
>>> machine and that the ssh server kerberos authentication needed the
>>> following parameter in order for it to work on multi-homed machines:
>>>
>>> GSSAPIStrictAcceptorCheck no
>>>
>>> The default is yes; with "no", according to the manpage, "clients
>>> may authenticate against any service key stored in the machine's default
>>> store."
>>>
>>> I hope this helps others that have similar setups as I do.
>>>
>>> Thank you all for your input.
>>>
>>> br,
>>> Quinn
>>>
>>
>>
>
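Before relaxing sshd with "GSSAPIStrictAcceptorCheck no", an admin usually wants to know which host/ principals the keytab sshd reads is actually missing for the names a multi-homed server is known by, since the thread's "Wrong principal in request" error is exactly that mismatch. The check below is an added example, not code from the thread; the sample klist output, host names and realm are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `klist -k /etc/krb5.keytab` output; the host names and
# realm are hypothetical and not taken from the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/dc1.example.lan@EXAMPLE.LAN
   1 host/dc1@EXAMPLE.LAN
   1 DC1$@EXAMPLE.LAN'

# Print only the principal column from `klist -k` output read on stdin
# (keytab entries start with a numeric KVNO; header and separator lines do not).
principals_in_keytab() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# missing_host_principals KLIST_OUTPUT REALM NAME...
# Prints every NAME for which host/NAME@REALM is absent from the keytab.
# Returns 1 if anything is missing, 0 if sshd can satisfy a strict acceptor
# check for all of the given names.
missing_host_principals() {
    klist_out=$1
    realm=$2
    shift 2
    present=$(printf '%s\n' "$klist_out" | principals_in_keytab)
    rc=0
    for name in "$@"; do
        if ! printf '%s\n' "$present" | grep -qxF "host/$name@$realm"; then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    return $rc
}

# On a live server: collect the names this host answers to (FQDN, short name
# and the reverse lookup of every configured address) and check them against
# the keytab sshd reads.  Usage: check_live_keytab EXAMPLE.LAN
check_live_keytab() {
    names=$( (hostname -f; hostname -s
              for ip in $(hostname -I 2>/dev/null); do
                  getent hosts "$ip" | awk '{ print $2 }'
              done) | sort -u )
    missing_host_principals "$(klist -k /etc/krb5.keytab)" "$1" $names
}
```

Any name printed by check_live_keytab is one a client could build a host/ principal for that sshd cannot decrypt; adding that principal to the keytab fixes the mismatch without disabling the strict check.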