[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
Ritter, Marcel - RRZE
marcel.ritter at rrze.fau.de
Thu Jul 19 13:34:44 MDT 2012
Maybe I can help with this:
"That's it. Now I just have to see if I can get a "host/server.mydomain.net"
principal into the samba domain somehow."
I just tried to get rid of the "GSSAPIStrictAcceptorCheck no" option myself
on the Samba 4 DC - while still using GSSAPI based ssh login.
Doing this involves a very, very dirty hack:
1. Copy samba 4 secrets.keytab to /etc/krb5.keytab
(this one contains upper case HOST/ principals).
2. Principal names are stored as strings in the keytab,
so let's use sed to turn upper into lower case
(yes I know, this is very, very dirty - but it's just a
prove of what I suspected):
sed -i s+HOST+host+g /etc/krb5.keytab
3. Remove the "GSSAPIStrictAcceptorCheck no" option from
sshd_config and restart sshd.
4. Try to log in using ssh
-> works for me (and I hope for everyone else).
Somehow MS AD and therefore Samba 4 seem to treat
principals case insensitive, while standard kerberos
implementations are case sensitive.
BTW: klist reports a host/... principal (lower case),
after trying a GSSAPI ssh login - so this is the
principal sent by ssh to the server, that looks
for a match in krb5.keytab - and fails because
by default we only have HOST/... principal there.
I guess the easiest way would be to store principals
in lower case only during a provision run of samba4.
This may however cause other problems - I guess some
samba core developer needs to have a look at this.
But the only principal I ever encountered, that needed to be
upper case was the HTTP/ one ...
Hope this helps,
Von: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] Im Auftrag von Quinn Plattel
Gesendet: Donnerstag, 19. Juli 2012 16:23
Betreff: Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
Using the following tutorials:
I have now managed to get passwordless ssh logins via kerberos working (without using the /etc/ssh/sshd_config parameter "GSSAPIStrictAcceptorCheck no") on a normal kerberos server setup. I learned from this that ssh requires "host/server.mydomain.net @ MYDOMAIN.NET"
in the principal database and also exported to a keytab located on the server which sshd is running in the location /etc/krb5.keytab.
On the client, /etc/ssh/ssh_config requires at least "GSSAPIAuthentication yes". sshd requires at least "KerberosAuthentication yes" and "GSSAPIAuthentication yes" in the /etc/ssh/sshd_config.
On a real kerberos server, you use the following commands in the kadmin tool to add the necessary principals for ssh to work properly:
addprinc user # Adds
a valid user to the kerberos principal database
addprinc -randkey host/server.mydomain.net # Adds a host
principal to the principal database
ktadd -k /etc/krb5.keytab host/server.mydomain.net # exports the principals host/server.mydomain.net to the /etc/krb5.keytab
Restart sshd to be sure it picks up the updated /etc/krb5.keytab file. On the client side, "kinit user", then ssh -l user <server>
That's it. Now I just have to see if I can get a "host/server.mydomain.net"
principal into the samba domain somehow.
Note: once I get single-sign-on to work, then it should not be necessary to do a kinit first.
On Mon, Jul 16, 2012 at 2:34 PM, Quinn Plattel <qiet72 at gmail.com> wrote:
> I think I take this back. This more a workaround than a solution.
> The workaround makes sshd use any principal found in the database, but
> a proper kerberos setup would look for the client's hostname principal only.
> The search goes on for a proper samba4 kerberos setup. :-)
> On Tue, Jul 10, 2012 at 4:07 PM, Quinn Plattel <qiet72 at gmail.com> wrote:
>> I solved my ssh GSSAPI problem. There were a lot of solutions on
>> google referring to a proper fqdn in the /etc/hosts file and having
>> the fqdn's/principals in the kerberos server's keytab file but I
>> found out that my problem was that the samba4/kerberos server was
>> running on a multi-homed machine and that the ssh server kerberos
>> authentication needed the following parameter in order for it to work on multi-homed machines:
>> GSSAPIStrictAcceptorCheck no
>> The default is yes, using "no" will, according to the manpage
>> "clients may authenticate against any service key stored in the
>> machine's default store."
>> I hope this helps others that have similar setups as I do.
>> Thank you all for your input.
> Best regards/Med venlig hilsen,
> Quinn Plattel
Best regards/Med venlig hilsen,
To unsubscribe from this list go to the following URL and read the
More information about the samba