[Samba] Fwd: How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?

Ritter, Marcel - RRZE marcel.ritter at rrze.fau.de
Mon Jul 16 03:39:55 MDT 2012


Hi Quinn,

here's the output of klist on my Samba 3 client and the
Samba 4 server. SSH-based login works fine on the Samba 3
machine, but requires "GSSAPIStrictAcceptorCheck no" on
the Samba 4 host.

I'm still not sure whether this is a multi-home issue; it
could also be caused by the case sensitivity of Kerberos:
as you can see, the "host/" principal is stored in lower
case on Samba 3 (where things work as expected), but
in upper case on Samba 4 machines (where the above
option is required to make things work).

This may cause problems for other services (such as NFS)
where it cannot be overridden by a config option.


# Samba 3:
utest@testhost1:~$ sudo klist -ket /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 06/10/12 09:53:26 host/testhost1.testdomain.org@TESTDOMAIN.ORG (des-cbc-crc)
   3 06/10/12 09:53:26 host/testhost1.testdomain.org@TESTDOMAIN.ORG (des-cbc-md5)
   3 06/10/12 09:53:26 host/testhost1.testdomain.org@TESTDOMAIN.ORG (arcfour-hmac)
   3 06/10/12 09:53:26 host/testhost1@TESTDOMAIN.ORG (des-cbc-crc)
   3 06/10/12 09:53:26 host/testhost1@TESTDOMAIN.ORG (des-cbc-md5)
   3 06/10/12 09:53:26 host/testhost1@TESTDOMAIN.ORG (arcfour-hmac)
   3 06/10/12 09:53:26 TESTHOST1$@TESTDOMAIN.ORG (des-cbc-crc) 
   3 06/10/12 09:53:26 TESTHOST1$@TESTDOMAIN.ORG (des-cbc-md5) 
   3 06/10/12 09:53:26 TESTHOST1$@TESTDOMAIN.ORG (arcfour-hmac) 


# Samba 4:
utest@atom:~$ sudo klist -ket /opt/samba4/var/lib/samba/private/secrets.keytab
Keytab name: FILE:/opt/samba4/var/lib/samba/private/secrets.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 02/25/12 11:22:52 HOST/atom@TESTDOMAIN.ORG (des-cbc-crc)
   1 02/25/12 11:22:52 HOST/atom.testdomain.org@TESTDOMAIN.ORG (des-cbc-crc)
   1 02/25/12 11:22:52 ATOM$@TESTDOMAIN.ORG (des-cbc-crc)
   1 02/25/12 11:22:52 HOST/atom@TESTDOMAIN.ORG (des-cbc-md5)
   1 02/25/12 11:22:52 HOST/atom.testdomain.org@TESTDOMAIN.ORG (des-cbc-md5)
   1 02/25/12 11:22:52 ATOM$@TESTDOMAIN.ORG (des-cbc-md5)
   1 02/25/12 11:22:52 HOST/atom@TESTDOMAIN.ORG (arcfour-hmac)
   1 02/25/12 11:22:52 HOST/atom.testdomain.org@TESTDOMAIN.ORG (arcfour-hmac)
   1 02/25/12 11:22:52 ATOM$@TESTDOMAIN.ORG (arcfour-hmac)
   1 02/25/12 11:22:52 HOST/atom@TESTDOMAIN.ORG (aes128-cts-hmac-sha1-96)
   1 02/25/12 11:22:52 HOST/atom.testdomain.org@TESTDOMAIN.ORG (aes128-cts-hmac-sha1-96)
   1 02/25/12 11:22:52 ATOM$@TESTDOMAIN.ORG (aes128-cts-hmac-sha1-96)
   1 02/25/12 11:22:52 HOST/atom@TESTDOMAIN.ORG (aes256-cts-hmac-sha1-96)
   1 02/25/12 11:22:52 HOST/atom.testdomain.org@TESTDOMAIN.ORG (aes256-cts-hmac-sha1-96)
   1 02/25/12 11:22:52 ATOM$@TESTDOMAIN.ORG (aes256-cts-hmac-sha1-96)


BTW: You can force ssh logins to use only GSSAPI authentication
by using

    ssh -o PreferredAuthentications=gssapi-with-mic ...

Bye,
   Marcel
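The keytab comparison in the message above can be checked mechanically. The following Python script is an added example for this thread, not code from Samba or OpenSSH. It parses the two `klist -ket` listings (embedded as constructed sample input, trimmed from the ones above), looks for the exact acceptor principal host/<fqdn>@REALM that sshd requires when GSSAPIStrictAcceptorCheck is yes, distinguishes "present only in a different case" from "absent" (MIT Kerberos compares principal names case-sensitively, so HOST/atom.testdomain.org does not satisfy a lookup for host/atom.testdomain.org), and lists principals that have keys in single-DES or RC4 enctypes. Two caveats a practitioner should keep in mind: GSSAPIStrictAcceptorCheck no makes sshd accept any service key in its keytab as its own identity, so a ticket for any service principal on that host will satisfy sshd; and the GSSAPI library under sshd reads the default keytab (/etc/krb5.keytab unless KRB5_KTNAME or default_keytab_name says otherwise), so the secrets.keytab listing above is not necessarily what sshd on the DC sees.

```python
"""Check `klist -ket` listings for the acceptor principal sshd needs.

Added example for this mailing-list thread; not Samba or OpenSSH code.
Assumptions:
 - With GSSAPIStrictAcceptorCheck=yes, sshd accepts only host/<fqdn>@REALM
   (per sshd_config(5)); MIT Kerberos matches principal names case-sensitively.
 - The sample listings are constructed from the two in the mail, trimmed.
"""
import re

# Constructed sample input: Samba 3 client keytab, shortened.
SAMBA3_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 06/10/12 09:53:26 host/testhost1.testdomain.org@TESTDOMAIN.ORG (des-cbc-crc)
   3 06/10/12 09:53:26 host/testhost1.testdomain.org@TESTDOMAIN.ORG (arcfour-hmac)
   3 06/10/12 09:53:26 host/testhost1@TESTDOMAIN.ORG (arcfour-hmac)
   3 06/10/12 09:53:26 TESTHOST1$@TESTDOMAIN.ORG (arcfour-hmac)
"""

# Constructed sample input: Samba 4 DC keytab, shortened.
SAMBA4_KLIST = """\
Keytab name: FILE:/opt/samba4/var/lib/samba/private/secrets.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 02/25/12 11:22:52 HOST/atom@TESTDOMAIN.ORG (des-cbc-crc)
   1 02/25/12 11:22:52 HOST/atom.testdomain.org@TESTDOMAIN.ORG (des-cbc-crc)
   1 02/25/12 11:22:52 ATOM$@TESTDOMAIN.ORG (des-cbc-crc)
   1 02/25/12 11:22:52 HOST/atom.testdomain.org@TESTDOMAIN.ORG (aes256-cts-hmac-sha1-96)
   1 02/25/12 11:22:52 ATOM$@TESTDOMAIN.ORG (aes256-cts-hmac-sha1-96)
"""

# One data line of `klist -ket`: KVNO, date, time, principal, "(enctype)".
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+\S+\s+\S+\s+(?P<principal>\S+)\s+\((?P<enctype>[^)]+)\)\s*$"
)

# Single-DES (off by default in MIT krb5 since 1.8) and RC4 enctype names.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp",
}


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples for each key in the listing."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group("kvno")), m.group("principal"), m.group("enctype")))
    return entries


def check_acceptor(entries, fqdn, realm):
    """Classify the keytab for sshd's acceptor lookup of host/<fqdn>@REALM.

    "exact"     the principal is present with exactly that spelling
    "case-only" only a differently-cased variant (e.g. HOST/...) exists;
                a case-sensitive lookup fails, so the strict check fails
    "missing"   no host principal for this name at all
    """
    wanted = f"host/{fqdn}@{realm}"
    names = {principal for _, principal, _ in entries}
    if wanted in names:
        return "exact"
    if wanted.lower() in {name.lower() for name in names}:
        return "case-only"
    return "missing"


def weak_entries(entries):
    """Sorted principals that have at least one key in a weak enctype."""
    return sorted({p for _, p, enctype in entries if enctype in WEAK_ENCTYPES})


def report(label, text, fqdn, realm):
    """Human-readable summary for one keytab listing."""
    entries = parse_klist(text)
    status = check_acceptor(entries, fqdn, realm)
    lines = [f"{label}: host/{fqdn}@{realm} -> {status}"]
    if status == "case-only":
        lines.append("  strict acceptor check fails on the case mismatch")
    for principal in weak_entries(entries):
        lines.append(f"  weak enctype key present for {principal}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("samba3", SAMBA3_KLIST, "testhost1.testdomain.org", "TESTDOMAIN.ORG"))
    print(report("samba4", SAMBA4_KLIST, "atom.testdomain.org", "TESTDOMAIN.ORG"))
```

To run it against a real host, pipe `sudo klist -ket /etc/krb5.keytab` into `parse_klist` and pass the output of `hostname -f` as the fqdn; the fqdn used must be the one sshd's host resolves to, since that is the name the acceptor principal is built from.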

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Quinn Plattel
Sent: Tuesday, 10 July 2012 09:14
To: samba
Subject: [Samba] Fwd: How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?

This should go to the list as well....

---------- Forwarded message ----------
From: Quinn Plattel <qiet72 at gmail.com>
Date: Tue, Jul 10, 2012 at 9:13 AM
Subject: Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?
To: "Ritter, Marcel - RRZE" <marcel.ritter at rrze.fau.de>


Hi Marcel,

Maybe you could do a "klist -ke /etc/krb5.keytab" on both machines so we can see the differences?

br,
Quinn


On Mon, Jul 9, 2012 at 5:17 PM, Ritter, Marcel - RRZE < marcel.ritter at rrze.fau.de> wrote:

> Hi Quinn,
>
> I've tried to get ssh Kerberos/gssapi login working on my Samba4 DC, 
> no luck so far.
>
> However, after joining two VMs to this domain using Samba 3, ssh 
> logins work between those two machines (not towards the DC).
>
> The only relevant difference I found while searching for a solution, 
> were differences in the krb5.keytab: it looks like Samba4 and Samba3 
> create different entries there (upper/lower case differ). I don't have 
> the VMs up and running at the moment, but I can supply the details if 
> it helps to fix this problem - just let me know.
>
> Bye,
>    Marcel
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org
> [mailto:samba-bounces at lists.samba.org]
> On behalf of Quinn Plattel
> Sent: Monday, 9 July 2012 15:17
> To: samba
> Subject: Re: [Samba] How do I get an ssh client to authenticate with
> samba4's kerberos GSSAPI?
>
> Hi,
>
> Forgot to mention that the client side's ssh configuration
> (/etc/ssh/ssh_config) has the following lines:
>     GSSAPIAuthentication yes
>     GSSAPIDelegateCredentials yes
>     GSSAPITrustDns yes
>
> The server side ssh configuration (/etc/ssh/sshd_config) has the 
> following
> lines:
>     GSSAPIAuthentication yes
>     GSSAPIKeyExchange yes
>     GSSAPICleanupCredentials yes
>
> br,
> Quinn
>
>
> On Mon, Jul 9, 2012 at 3:12 PM, Quinn Plattel <qiet72 at gmail.com> wrote:
>
> > Hi,
> >
> > I am doing some kerberos testing with samba4 using ssh.  I have
> > set up samba4 using the howto at
> > http://wiki.samba.org/index.php/Samba4/HOWTO and active directory
> > seems to be working both with Windows and Linux clients.
> > ssh unfortunately is not kerberos authenticating via GSSAPI.  The
> > client krb5.conf contains this:
> >
> > =====================================================
> > [libdefaults]
> >     default_realm = MYDOMAIN.NET
> >
> >     krb4_config = /etc/krb.conf
> >     krb4_realms = /etc/krb.realms
> >     kdc_timesync = 1
> >     ccache_type = 4
> >     forwardable = true
> >     proxiable = true
> >     dns_fallback = yes
> >     default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >     default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >
> >     v4_instance_resolve = false
> >     v4_name_convert = {
> >         host = {
> >             rcmd = host
> >             ftp = ftp
> >         }
> >         plain = {
> >             something = something-else
> >         }
> >     }
> >     fcc-mit-ticketflags = true
> >
> > [realms]
> >     MYDOMAIN.NET = {
> >         kdc = cofil01.mydomain.net:88
> >         default_domain = mydomain.net
> >     }
> >
> > [domain_realm]
> >     .mydomain.net = MYDOMAIN.NET
> >     mydomain.net = MYDOMAIN.NET
> >
> > [login]
> >     krb4_convert = true
> >     krb4_get_tickets = false
> > ====================================================
> >
> > The server side krb5.conf contains this:
> > ====================================================
> > [libdefaults]
> >     default_realm = MYDOMAIN.NET
> >     dns_lookup_realm = false
> >     dns_lookup_kdc = true
> > ====================================================
> >
> > No kerberos errors show up in "log.samba" on the server side even
> > though samba is started with "-d 5".
> > On the client side, I do a "kinit user" - it succeeds.
> > I then do a klist and it lists my current ticket for user.
> > Then I try "ssh -vvvl user cofil01.mydomain.net", and I get the
> > following lines:
> >
> > ====================================================
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue:
> > publickey,gssapi-keyex,gssapi-with-mic,password
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue:
> > publickey,gssapi-keyex,gssapi-with-mic,password
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue:
> > publickey,gssapi-keyex,gssapi-with-mic,password
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue:
> > publickey,gssapi-keyex,gssapi-with-mic,password
> > debug2: we did not send a packet, disable method 
> > ====================================================
> >
> > "hostname -f" on the client reveals:
> > ubuntu-test.mydomain.net
> >
> > I can both forward and reverse resolve cofil01.mydomain.net on the 
> > client side.
> > Is it necessary to create a /etc/krb5.keytab file on the client in 
> > order for ssh kerberos authentication to work?
> >
> >
> > --
> > br,
> > Quinn
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



--
Best regards/Med venlig hilsen,
Quinn Plattel