[Samba] Fwd: How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?
Ritter, Marcel - RRZE
marcel.ritter at rrze.fau.de
Mon Jul 16 03:39:55 MDT 2012
Hi Quinn,
here's the output of klist on my samba 3 client and the
samba 4 server. Ssh based login works fine on the samba 3
machine - but requires "GSSAPIStrictAcceptorCheck no" on
the samba 4 host.
I'm still not sure, weather this is a multi-home issue - it
could also be caused by case sensitivity of Kerberos:
As you can see the "host/" Principal is stored in lower
case on samba 3 (were things work as expected), but
in upper case on samba 4 machines (where the above
option is required to make things work).
This may cause problems for other services (such as NFS)
that cannot be overruled by some config option.
# Samba 3:
utest at testhost1:~$ sudo klist -ket /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 06/10/12 09:53:26 host/testhost1.testdomain.org at TESTDOMAIN.ORG (des-cbc-crc)
3 06/10/12 09:53:26 host/testhost1.testdomain.org at TESTDOMAIN.ORG (des-cbc-md5)
3 06/10/12 09:53:26 host/testhost1.testdomain.org at TESTDOMAIN.ORG (arcfour-hmac)
3 06/10/12 09:53:26 host/testhost1 at TESTDOMAIN.ORG (des-cbc-crc)
3 06/10/12 09:53:26 host/testhost1 at TESTDOMAIN.ORG (des-cbc-md5)
3 06/10/12 09:53:26 host/testhost1 at TESTDOMAIN.ORG (arcfour-hmac)
3 06/10/12 09:53:26 TESTHOST1$@TESTDOMAIN.ORG (des-cbc-crc)
3 06/10/12 09:53:26 TESTHOST1$@TESTDOMAIN.ORG (des-cbc-md5)
3 06/10/12 09:53:26 TESTHOST1$@TESTDOMAIN.ORG (arcfour-hmac)
# Samba 4:
utest at atom:~$ sudo klist -ket /opt/samba4/var/lib/samba/private/secrets.keytab
Keytab name: FILE:/opt/samba4/var/lib/samba/private/secrets.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 02/25/12 11:22:52 HOST/atom at TESTDOMAIN.ORG (des-cbc-crc)
1 02/25/12 11:22:52 HOST/atom.testdomain.org at TESTDOMAIN.ORG (des-cbc-crc)
1 02/25/12 11:22:52 ATOM$@TESTDOMAIN.ORG (des-cbc-crc)
1 02/25/12 11:22:52 HOST/atom at TESTDOMAIN.ORG (des-cbc-md5)
1 02/25/12 11:22:52 HOST/atom.testdomain.org at TESTDOMAIN.ORG (des-cbc-md5)
1 02/25/12 11:22:52 ATOM$@TESTDOMAIN.ORG (des-cbc-md5)
1 02/25/12 11:22:52 HOST/atom at TESTDOMAIN.ORG (arcfour-hmac)
1 02/25/12 11:22:52 HOST/atom.testdomain.org at TESTDOMAIN.ORG (arcfour-hmac)
1 02/25/12 11:22:52 ATOM$@TESTDOMAIN.ORG (arcfour-hmac)
1 02/25/12 11:22:52 HOST/atom at TESTDOMAIN.ORG (aes128-cts-hmac-sha1-96)
1 02/25/12 11:22:52 HOST/atom.testdomain.org at TESTDOMAIN.ORG (aes128-cts-hmac-sha1-96)
1 02/25/12 11:22:52 ATOM$@TESTDOMAIN.ORG (aes128-cts-hmac-sha1-96)
1 02/25/12 11:22:52 HOST/atom at TESTDOMAIN.ORG (aes256-cts-hmac-sha1-96)
1 02/25/12 11:22:52 HOST/atom.testdomain.org at TESTDOMAIN.ORG (aes256-cts-hmac-sha1-96)
1 02/25/12 11:22:52 ATOM$@TESTDOMAIN.ORG (aes256-cts-hmac-sha1-96)
BTW: You can force ssh logins to only use GSSAPI authentication
by using
ssh -o PreferredAuthentications=gssapi-with-mic ...
Bye,
Marcel
-----Ursprüngliche Nachricht-----
Von: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] Im Auftrag von Quinn Plattel
Gesendet: Dienstag, 10. Juli 2012 09:14
An: samba
Betreff: [Samba] Fwd: How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?
This should go to the list as well....
---------- Forwarded message ----------
From: Quinn Plattel <qiet72 at gmail.com>
Date: Tue, Jul 10, 2012 at 9:13 AM
Subject: Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?
To: "Ritter, Marcel - RRZE" <marcel.ritter at rrze.fau.de>
Hi Marcel,
Maybe you could do a "klist -ke /etc/krb5.keytab" on both machines so we can see the differences?
br,
Quinn
On Mon, Jul 9, 2012 at 5:17 PM, Ritter, Marcel - RRZE < marcel.ritter at rrze.fau.de> wrote:
> Hi Quinn,
>
> I've tried to get ssh Kerberos/gssapi login working on my Samba4 DC,
> no luck so far.
>
> However, after joining two VMs to this domain using Samba 3, ssh
> logins work between those two machines (not towards the DC).
>
> The only relevant difference I found while searching for a solution,
> were differences in the krb5.keytab: it looks like Samba4 and Samba3
> create different entries there (upper/lower case differ). I don't have
> the VMs up and running at the moment, but I can supply the details if
> it helps to fix this problem - just let me know.
>
> Bye,
> Marcel
>
> -----Ursprüngliche Nachricht-----
> Von: samba-bounces at lists.samba.org
> [mailto:samba-bounces at lists.samba.org]
> Im Auftrag von Quinn Plattel
> Gesendet: Montag, 9. Juli 2012 15:17
> An: samba
> Betreff: Re: [Samba] How do I get an ssh client to authenticate with
> samba4's kerberos GSSAPI?
>
> Hi,
>
> Forgot to mention that the client side's ssh configuration
> (/etc/ssh/ssh_config) has the following lines:
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
> GSSAPITrustDns yes
>
> The server side ssh configuration (/etc/ssh/sshd_config) has the
> following
> lines:
> GSSAPIAuthentication yes
> GSSAPIKeyExchange yes
> GSSAPICleanupCredentials yes
>
> br,
> Quinn
>
>
> On Mon, Jul 9, 2012 at 3:12 PM, Quinn Plattel <qiet72 at gmail.com> wrote:
>
> > Hi,
> >
> > I am doing some kerberos testing with samba4 using ssh. I have
> > setup
> > samba4 using the howto at
> > http://wiki.samba.org/index.php/Samba4/HOWTOand active directory
> > seems
> to be working both with Windows and Linux clients.
> > ssh unfortunately is not kerberos authenticating via GSSAPI. The
> > client krb5.conf contains this:
> >
> > =====================================================
> > [libdefaults]
> > default_realm = MYDOMAIN.NET
> >
> > krb4_config = /etc/krb.conf
> > krb4_realms = /etc/krb.realms
> > kdc_timesync = 1
> > ccache_type = 4
> > forwardable = true
> > proxiable = true
> > dns_fallback = yes
> > default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> > default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> >
> > v4_instance_resolve = false
> > v4_name_convert = {
> > host = {
> > rcmd = host
> > ftp = ftp
> > }
> > plain = {
> > something = something-else
> > }
> > }
> > fcc-mit-ticketflags = true
> >
> > [realms]
> > MYDOMAIN.NET = {
> > kdc = cofil01.mydomain.net:88
> > default_domain = mydomain.net
> > }
> >
> > [domain_realm]
> > .mydomain.net = MYDOMAIN.NET
> > mydomain.net = MYDOMAIN.NET
> >
> > [login]
> > krb4_convert = true
> > krb4_get_tickets = false
> > ====================================================
> >
> > The server side krb5.conf contains this:
> > ====================================================
> > [libdefaults]
> > default_realm = MYDOMAIN.NET
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> > ====================================================
> >
> > No kerberos errors shows up in "log.samba" on the server side even
> > though samba is started with "-d 5"
> > On the client side, I do a "kinit user" - it succeeds.
> > I then do a klist and it lists my current ticket for user.
> > Then I try "ssh -vvvl user cofil01.mydomain.net" , I get the
> > following
> > lines:
> >
> > ====================================================
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue:
> > publickey,gssapi-keyex,gssapi-with-mic,password
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue:
> > publickey,gssapi-keyex,gssapi-with-mic,password
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue:
> > publickey,gssapi-keyex,gssapi-with-mic,password
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue:
> > publickey,gssapi-keyex,gssapi-with-mic,password
> > debug2: we did not send a packet, disable method
> > ====================================================
> >
> > "hostname -f" on the client reveals:
> > ubuntu-test.mydomain.net
> >
> > I can both forward and reverse resolve cofil01.mydomain.net on the
> > client side.
> > Is it necessary to create a /etc/krb5.keytab file on the client in
> > order for ssh kerberos authentication to work?
> >
> >
> > --
> > br,
> > Quinn
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
--
Best regards/Med venlig hilsen,
Quinn Plattel
--
Best regards/Med venlig hilsen,
Quinn Plattel
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list