[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
qiet72 at gmail.com
Thu Jul 19 08:23:20 MDT 2012
Using the following tutorials:
I have now managed to get passwordless ssh logins via kerberos working
(without using the /etc/ssh/sshd_config parameter
"GSSAPIStrictAcceptorCheck no") on a normal kerberos server setup. I
learned from this that ssh requires "host/server.mydomain.net@MYDOMAIN.NET"
in the principal database and also exported to a keytab located on the
server which sshd is running in the location /etc/krb5.keytab.
On the client, /etc/ssh/ssh_config requires at least "GSSAPIAuthentication
yes". sshd requires at least "KerberosAuthentication yes" and
"GSSAPIAuthentication yes" in the /etc/ssh/sshd_config.
On a real kerberos server, you use the following commands in the kadmin
tool to add the necessary principals for ssh to work properly:
addprinc user                                        # Adds a valid user to the kerberos principal database
addprinc -randkey host/server.mydomain.net           # Adds a host principal to the principal database
ktadd -k /etc/krb5.keytab host/server.mydomain.net   # Exports the principal host/server.mydomain.net to /etc/krb5.keytab
Restart sshd to be sure it picks up the updated /etc/krb5.keytab file. On
the client side, "kinit user", then ssh -l user <server>.
That's it. Now I just have to see if I can get a "host/server.mydomain.net"
principal into the samba domain somehow.
Note: once I get single-sign-on to work, then it should not be necessary to
do a kinit first.
On Mon, Jul 16, 2012 at 2:34 PM, Quinn Plattel <qiet72 at gmail.com> wrote:
> I think I take this back. This more a workaround than a solution. The
> workaround makes sshd use any principal found in the database, but a proper
> kerberos setup would look for the client's hostname principal only.
> The search goes on for a proper samba4 kerberos setup. :-)
> On Tue, Jul 10, 2012 at 4:07 PM, Quinn Plattel <qiet72 at gmail.com> wrote:
>> I solved my ssh GSSAPI problem. There were a lot of solutions on google
>> referring to a proper fqdn in the /etc/hosts file and having the
>> fqdn's/principals in the kerberos server's keytab file but I found out that
>> my problem was that the samba4/kerberos server was running on a multi-homed
>> machine and that the ssh server kerberos authentication needed the
>> following parameter in order for it to work on multi-homed machines:
>> GSSAPIStrictAcceptorCheck no
>> The default is yes, using "no" will, according to the manpage "clients
>> may authenticate against any service key stored in the machine's default
>> I hope this helps others that have similar setups as I do.
>> Thank you all for your input.
> Best regards/Med venlig hilsen,
> Quinn Plattel
Best regards/Med venlig hilsen,
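Added example, not code from the thread: a small Python check for the conditions the post lists (KerberosAuthentication/GSSAPIAuthentication in sshd_config, the host principal present in the keytab) that also flags the "GSSAPIStrictAcceptorCheck no" workaround. It runs over constructed sample input; the hostname server.mydomain.net and realm MYDOMAIN.NET are the post's own placeholders.

```python
import re

# Constructed sample: an sshd_config with the options the post describes
SAMPLE_SSHD_CONFIG = """\
Port 22
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPIStrictAcceptorCheck no
"""

# Constructed sample: text in the shape of `klist -k /etc/krb5.keytab` output
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server.mydomain.net@MYDOMAIN.NET
"""


def parse_sshd_config(text):
    """Map lower-cased keyword -> value; first occurrence wins, as sshd does."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts


def keytab_principals(klist_text):
    """Collect principal names from klist -k style lines ('<kvno> <principal>')."""
    return {m.group(1) for line in klist_text.splitlines()
            if (m := re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line))}


def check_gssapi_setup(sshd_config_text, klist_text, fqdn, realm):
    """Return findings; an empty list means the setup matches what the post requires."""
    findings = []
    opts = parse_sshd_config(sshd_config_text)
    # Both options default to "no" in sshd, so a missing line is a finding too
    for key in ("KerberosAuthentication", "GSSAPIAuthentication"):
        if opts.get(key.lower(), "no").lower() != "yes":
            findings.append(f"sshd_config: {key} is not 'yes'")
    # Default is "yes"; "no" lets sshd accept any key in the keytab (the workaround)
    if opts.get("gssapistrictacceptorcheck", "yes").lower() == "no":
        findings.append("sshd_config: GSSAPIStrictAcceptorCheck no (workaround, not a fix)")
    wanted = f"host/{fqdn}@{realm}"
    if wanted not in keytab_principals(klist_text):
        findings.append(f"keytab: missing {wanted}")
    return findings
```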