[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]

Quinn Plattel qiet72 at gmail.com
Thu Jul 19 08:23:20 MDT 2012


Using the following tutorials:

I have now managed to get passwordless ssh logins via kerberos working
(without using the /etc/ssh/sshd_config parameter
"GSSAPIStrictAcceptorCheck no") on a normal kerberos server setup.  I
learned from this that ssh requires "host/server.mydomain.net@MYDOMAIN.NET"
in the principal database and also exported to a keytab on the server on
which sshd is running, in the location /etc/krb5.keytab.
On the client, /etc/ssh/ssh_config requires at least "GSSAPIAuthentication
yes".  sshd requires at least "KerberosAuthentication yes" and
"GSSAPIAuthentication yes" in the /etc/ssh/sshd_config.

On a real kerberos server, you use the following commands in the kadmin
tool to add the necessary principals for ssh to work properly:
addprinc user                                          # Adds a valid user to the kerberos principal database
addprinc -randkey host/server.mydomain.net             # Adds a host principal to the principal database
ktadd -k /etc/krb5.keytab host/server.mydomain.net     # Exports the principal host/server.mydomain.net to /etc/krb5.keytab

Restart sshd to be sure it picks up the updated /etc/krb5.keytab file. On
the client side, "kinit user", then ssh -l user <server>

That's it.  Now I just have to see if I can get a "host/server.mydomain.net"
principal into the samba domain somehow.

Note: once I get single-sign-on to work, then it should not be necessary to
do a kinit first.


On Mon, Jul 16, 2012 at 2:34 PM, Quinn Plattel <qiet72 at gmail.com> wrote:

> I think I take this back.  This is more a workaround than a solution.  The
> workaround makes sshd use any principal found in the database, but a proper
> kerberos setup would look for the client's hostname principal only.
> The search goes on for a proper samba4 kerberos setup. :-)
> br,
> Quinn
> On Tue, Jul 10, 2012 at 4:07 PM, Quinn Plattel <qiet72 at gmail.com> wrote:
>> Hi,
>> I solved my ssh GSSAPI problem.  There were a lot of solutions on google
>> referring to a proper fqdn in the /etc/hosts file and having the
>> fqdn's/principals in the kerberos server's keytab file but I found out that
>> my problem was that the samba4/kerberos server was running on a multi-homed
>> machine and that the ssh server kerberos authentication needed the
>> following parameter in order for it to work on multi-homed machines:
>> GSSAPIStrictAcceptorCheck no
>> The default is yes; with "no", according to the manpage, "clients
>> may authenticate against any service key stored in the machine's default
>> store."
>> I hope this helps others that have similar setups as I do.
>> Thank you all for your input.
>> br,
>> Quinn
> --
> Best regards/Med venlig hilsen,
> Quinn Plattel

Best regards/Med venlig hilsen,
Quinn Plattel
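The following script is an added example, not part of the mailing-list post or of Samba/OpenSSH: it checks, from a copy of sshd_config and the output of "klist -k", whether the prerequisites the post lists are in place (KerberosAuthentication and GSSAPIAuthentication set to yes, the host principal present in /etc/krb5.keytab) and reports whether the host relies on the "GSSAPIStrictAcceptorCheck no" workaround from the earlier reply instead of a proper host principal. The sample configuration files and keytab listing it writes are constructed for the example; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): verify an sshd host is set up for
# Kerberos/GSSAPI logins the way the post describes.

# Print the effective value of keyword $2 in sshd/ssh config file $1.
# Keywords are case-insensitive and sshd uses the first occurrence;
# commented-out lines never match because their first field starts with '#'.
sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Succeed if a "klist -k" style listing ($1) contains principal $2 exactly
# (second column of each entry line).
keytab_has_principal() {
    awk -v p="$2" '$2 == p { found = 1 } END { exit !found }' "$1"
}

# Succeed if the config disables the strict acceptor check, i.e. sshd will
# accept any service key in the keytab (the workaround from the thread).
uses_acceptor_workaround() {
    [ "$(sshd_option "$1" GSSAPIStrictAcceptorCheck)" = "no" ]
}

# $1 = sshd_config, $2 = "klist -k" listing, $3 = expected host principal.
# Returns 0 when every prerequisite is present, 1 otherwise.
check_gssapi_login() {
    ok=0
    for key in KerberosAuthentication GSSAPIAuthentication; do
        if [ "$(sshd_option "$1" "$key")" != "yes" ]; then
            echo "MISSING: '$key yes' in $1"
            ok=1
        fi
    done
    if ! keytab_has_principal "$2" "$3"; then
        echo "MISSING: principal $3 not in keytab listing $2"
        ok=1
    fi
    if uses_acceptor_workaround "$1"; then
        echo "NOTE: GSSAPIStrictAcceptorCheck no is set; any service key in the keytab will be accepted"
    fi
    return $ok
}

# Constructed sample inputs (not real files from the post).
TMP=$(mktemp -d)
cat >"$TMP/sshd_config.good" <<'EOF'
# constructed sshd_config sample
Port 22
KerberosAuthentication yes
GSSAPIAuthentication yes
#GSSAPIStrictAcceptorCheck no
EOF
cat >"$TMP/sshd_config.workaround" <<'EOF'
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPIStrictAcceptorCheck no
EOF
cat >"$TMP/sshd_config.bad" <<'EOF'
KerberosAuthentication yes
GSSAPIAuthentication no
EOF
cat >"$TMP/keytab.good" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server.mydomain.net@MYDOMAIN.NET
   2 host/server.mydomain.net@MYDOMAIN.NET
EOF
cat >"$TMP/keytab.bad" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/server.mydomain.net@MYDOMAIN.NET
EOF

PRINC=host/server.mydomain.net@MYDOMAIN.NET
check_gssapi_login "$TMP/sshd_config.good" "$TMP/keytab.good" "$PRINC" && echo "good host: OK"
check_gssapi_login "$TMP/sshd_config.bad" "$TMP/keytab.bad" "$PRINC" || echo "bad host: not ready"
```

On a real server, feed it /etc/ssh/sshd_config and the output of "klist -k /etc/krb5.keytab", with the principal for the name the client actually connects to; the same sshd_option helper works on the client's /etc/ssh/ssh_config for the "GSSAPIAuthentication yes" setting the post mentions.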
