[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]

Quinn Plattel qiet72 at gmail.com
Mon Jul 16 06:34:54 MDT 2012

I think I take this back.  This more a workaround than a solution.  The
workaround makes sshd use any principal found in the database, but a proper
kerberos setup would look for the client's hostname principal only.
The search goes on for a proper samba4 kerberos setup. :-)


On Tue, Jul 10, 2012 at 4:07 PM, Quinn Plattel <qiet72 at gmail.com> wrote:

> Hi,
> I solved my ssh GSSAPI problem.  There were a lot of solutions on google
> referring to a proper fqdn in the /etc/hosts file and having the
> fqdn's/principals in the kerberos server's keytab file but I found out that
> my problem was that the samba4/kerberos server was running on a multi-homed
> machine and that the ssh server kerberos authentication needed the
> following parameter in order for it to work on multi-homed machines:
> GSSAPIStrictAcceptorCheck no
> The default is yes, using "no" will, according to the manpage "clients may
> authenticate against any service key stored in the machine's default store."
> I hope this helps others that have similar setups as I do.
> Thank you all for your input.
> br,
> Quinn

Best regards/Med venlig hilsen,
Quinn Plattel

More information about the samba mailing list