[Samba] Samba4 and GSSAPI based authentication for OpenSSH

Arthur Ramsey arthur_ramsey at mediture.com
Thu Nov 21 11:11:04 MST 2013


I was able to fix it and get it working on several other servers.

 1. Remove any FQDNs from /etc/host
 2. Make sure FQDN is used in /etc/sysconfig/network (RHEL specific file)
 3. sudo hostname -v 'fqdn'
 4. Verify /etc/resolv.conf
 5. sudo yum -y install samba-common samba-winbind zsh krb5-workstation
 6. sudo authconfig --update --kickstart --enablewinbind
    --enablewinbindauth --smbsecurity=ads \
    --smbworkgroup=MEDITURE \
    --smbrealm=MEDITURE.DOM \
    --winbindjoin=Administrator \
    --winbindtemplatehomedir=/home/%U \
    --winbindtemplateshell=/bin/bash \
    --enablewinbindusedefaultdomain \
    --enablelocauthorize \
    --smbservers=dc01.mediture.dom,dc02.mediture.dom,dc03.mediture.dom,dc04.mediture.dom \
    --enablemkhomedir
 7. Edit /etc/samba/smb.conf

    [global]
    #--authconfig--start-line--

    # Generated by authconfig on 2013/10/11 15:48:32
    # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
    # Any modification may be deleted or altered by authconfig in future

        workgroup = MEDITURE
        password server = dc01.mediture.dom dc02.mediture.dom dc03.mediture.dom dc04.mediture.dom
        realm = MEDITURE.DOM
        security = ads
        idmap config * : range = 16777216-33554431
        template homedir = /home/%U
        template shell = /bin/bash

        winbind use default domain = true

    #--authconfig--end-line--
        server string = Samba Server Version %v

        # logs split per machine
        log file = /var/log/samba/log.%m
        # max 50KB per log file, then rotate
        max log size = 50

        passdb backend = tdbsam

        winbind offline logon = true
        winbind nss info = rfc2307

        kerberos method = secrets and keytab

 8. Edit /etc/krb5.conf

    [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
      default_realm = MEDITURE.DOM
      dns_lookup_realm = false
      dns_lookup_kdc = false
      ticket_lifetime = 24h
      renew_lifetime = 7d
      forwardable = true
      default_keytab_name = FILE:/etc/krb5.keytab

    [realms]
      MEDITURE.DOM = {
       kdc = dc01.mediture.dom
       kdc = dc02.mediture.dom
       kdc = dc03.mediture.dom
       kdc = dc04.mediture.dom
      }

    [domain_realm]
       mediture.dom = MEDITURE.DOM
       .mediture.dom = MEDITURE.DOM

 9. Edit /etc/security/pam_winbind.conf

    #
    # pam_winbind configuration file
    #
    # /etc/security/pam_winbind.conf
    #

    [global]
    # request a cached login if possible
    # (needs "winbind offline logon = yes" in smb.conf)
    cached_login = yes

    krb5_auth = yes
    krb5_ccache_type = FILE

10. Edit /etc/ssh/sshd_config

    Protocol 2

    SyslogFacility AUTHPRIV

    LoginGraceTime 2m
    PermitRootLogin yes
    StrictModes yes
    MaxAuthTries 6
    MaxSessions 10

    PasswordAuthentication yes

    KerberosAuthentication no

    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    GSSAPIKeyExchange yes
    GSSAPIStoreCredentialsOnRekey yes

    UsePAM yes

    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS

    X11Forwarding yes
    UseDNS no

    Subsystem	sftp    /usr/libexec/openssh/sftp-server

11. sudo net ads keytab create -U Administrator
12. sudo service sshd restart

I had a lot of trial and error on the first host I tried, which I think 
bungled my credential cache.  Every other server worked fine with the 
same procedure, but this first host gave me trouble until I did this 
last step.

On 11/21/2013 02:27 AM, L.P.H. van Belle wrote:
> look here, it might help you.
>
>
> http://us.generation-nt.com/answer/re-samba-how-do-i-get-an-ssh-client-authenticate-samba4-kerberos-gssapi-solved-help-208138311.html
>   
>
>> -----Original Message-----
>> From: arthur_ramsey at mediture.com
>> [mailto:samba-bounces at lists.samba.org] On behalf of Arthur Ramsey
>> Sent: Wednesday, 20 November 2013 23:53
>> To: samba at lists.samba.org
>> Subject: [Samba] Samba4 and GSSAPI based authentication for OpenSSH
>>
>> I seem to be having the same issue as
>> https://lists.samba.org/archive/samba/2012-December/170426.html.  I
>> don't see that he ever reached a solution.
>>
>> Nov 20 16:02:58 appdb01-qa sshd[31622]: debug1: Unspecified GSS
>> failure.  Minor code may provide more information\nNo key table entry
>> found matching host/appdb01-qa.mediture.dom@\n
>> Nov 20 16:02:58 appdb01-qa sshd[31623]: debug1: userauth-request for
>> user arthurr service ssh-connection method gssapi-with-mic
>> Nov 20 16:02:58 appdb01-qa sshd[31623]: debug1: attempt 2 failures 0
>> Nov 20 16:02:58 appdb01-qa sshd[31623]: debug1: userauth-request for
>> user arthurr service ssh-connection method gssapi-with-mic
>> Nov 20 16:02:58 appdb01-qa sshd[31623]: debug1: attempt 3 failures 0
>> Nov 20 16:02:59 appdb01-qa sshd[31623]: debug1: userauth-request for
>> user arthurr service ssh-connection method gssapi-with-mic
>>
>> [arthurr at appdb01-qa]~% klist
>> Ticket cache: FILE:/tmp/krb5cc_16777216
>> Default principal: arthurr at MEDITURE.DOM
>>
>> Valid starting     Expires            Service principal
>> 11/20/13 15:59:55  11/21/13 01:59:55 krbtgt/MEDITURE.DOM at MEDITURE.DOM
>>      renew until 11/27/13 15:59:55
>> 11/20/13 15:59:55  11/21/13 01:59:55  APPDB01-QA$@MEDITURE.DOM
>>      renew until 11/27/13 15:59:55
>>
>> Samba client: 3.6.9
>> Samba4 PDC: 4.1.1
>>
>> This was my starting place:
>> https://wiki.samba.org/index.php/Authenticating_other_services_against_AD.
>> I also have searched google extensively.
>>
>> Any help would be appreciated.
>>
>> -- 
>> Arthur Ramsey
>> Systems Administrator
>> Mediture
>> arthur_ramsey at mediture.com
>> 952.400.0323
>>
>> This e-mail and any attachments may contain CONFIDENTIAL
>> information, including PROTECTED HEALTH INFORMATION. If you
>> are not the intended recipient, any use or disclosure of this
>> information is STRICTLY PROHIBITED; you are requested to
>> delete this e-mail and any attachments, notify the sender
>> immediately, and notify the Mediture Privacy Officer at
>> privacyofficer at mediture.com.
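As an added example (not part of this thread, and not Samba's or OpenSSH's own tooling), the POSIX shell script below packages the three conditions the procedure above depends on as offline checks: that the keytab holds the host/FQDN@REALM service principal sshd's GSSAPI acceptor looks up (the "No key table entry found matching host/appdb01-qa.mediture.dom@" failure in the log excerpt is exactly that lookup failing before step 11 ran `net ads keytab create`), that /etc/hosts does not pin the FQDN (step 1), and that sshd_config enables GSSAPI and PAM while flagging the settings in the posted sshd_config that also leave password and root logins open. The realm and FQDN are taken from the log excerpt; the `klist -k`, /etc/hosts and sshd_config texts are constructed samples standing in for the real files.

```shell
#!/bin/sh
# Offline preflight checks for the sshd + winbind/GSSAPI setup in the thread.
# Added example, not from the original post. The inputs below are constructed
# samples; on a real host feed the functions `klist -k`, /etc/hosts and
# /etc/ssh/sshd_config instead.

# Assumed values, taken from the thread's sshd log excerpt.
REALM="MEDITURE.DOM"
FQDN="appdb01-qa.mediture.dom"

# Constructed `klist -k` output as it would look after `net ads keytab create`:
# the host/ SPN is present alongside the machine account.
SAMPLE_KEYTAB_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/appdb01-qa.mediture.dom@MEDITURE.DOM
   2 host/APPDB01-QA@MEDITURE.DOM
   2 APPDB01-QA$@MEDITURE.DOM'

# Constructed listing from before step 11: only the machine account, no host/ SPN.
SAMPLE_KEYTAB_BAD='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 APPDB01-QA$@MEDITURE.DOM'

# Constructed /etc/hosts that violates step 1 (FQDN pinned to loopback).
SAMPLE_HOSTS_BAD='127.0.0.1   localhost appdb01-qa.mediture.dom appdb01-qa
::1         localhost6'

# Constructed /etc/hosts with the FQDN removed, so it resolves via AD DNS.
SAMPLE_HOSTS_OK='127.0.0.1   localhost
::1         localhost6'

# Constructed sshd_config fragment using the settings posted in the thread.
SAMPLE_SSHD='Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
# GSSAPIAuthentication no   (commented lines must be ignored)'

# keytab_has_host_spn KLIST_OUTPUT FQDN REALM
# Returns 0 if the keytab lists host/FQDN@REALM, the principal sshd's GSSAPI
# acceptor needs; without it the client sees the "No key table entry" failure.
keytab_has_host_spn() {
    printf '%s\n' "$1" | grep -qF "host/$2@$3"
}

# hosts_file_pins_fqdn HOSTS_TEXT FQDN
# Returns 0 if any non-comment /etc/hosts line names the FQDN (step 1 of the
# procedure says to remove these so the name is resolved through DNS).
hosts_file_pins_fqdn() {
    printf '%s\n' "$1" | awk -v fqdn="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(fqdn)) found = 1 }
        END { exit found ? 0 : 1 }'
}

# sshd_config_get CONFIG_TEXT KEYWORD
# Prints the effective value of KEYWORD: sshd keywords are case-insensitive
# and the first occurrence wins, so later duplicates are ignored.
sshd_config_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# sshd_gssapi_audit CONFIG_TEXT
# Prints one line per finding, then the number of findings as the last line.
# FAIL lines break ticket-based login; WARN lines leave weaker paths enabled.
sshd_gssapi_audit() {
    n=0
    [ "$(sshd_config_get "$1" GSSAPIAuthentication)" = yes ] ||
        { echo "FAIL GSSAPIAuthentication must be yes"; n=$((n+1)); }
    [ "$(sshd_config_get "$1" UsePAM)" = yes ] ||
        { echo "FAIL UsePAM must be yes (pam_winbind needs to run)"; n=$((n+1)); }
    [ "$(sshd_config_get "$1" PermitRootLogin)" != yes ] ||
        { echo "WARN PermitRootLogin yes: prefer no"; n=$((n+1)); }
    [ "$(sshd_config_get "$1" PasswordAuthentication)" != yes ] ||
        { echo "WARN PasswordAuthentication yes: passwords still accepted alongside tickets"; n=$((n+1)); }
    echo "$n"
}

# Run the checks against the constructed samples.
if keytab_has_host_spn "$SAMPLE_KEYTAB_BAD" "$FQDN" "$REALM"; then
    echo "keytab: host/$FQDN@$REALM present"
else
    echo "keytab: host/$FQDN@$REALM missing -> run: net ads keytab create -U Administrator"
fi
if hosts_file_pins_fqdn "$SAMPLE_HOSTS_BAD" "$FQDN"; then
    echo "hosts: $FQDN is pinned in /etc/hosts, remove it (step 1)"
fi
sshd_gssapi_audit "$SAMPLE_SSHD"
```

On a live host, pass `"$(klist -k)"`, `"$(cat /etc/hosts)"` and `"$(cat /etc/ssh/sshd_config)"` in place of the samples; `klist -k` reads /etc/krb5.keytab, which is normally readable only by root, so run that part with sudo. The audit deliberately treats `PasswordAuthentication yes` and `PermitRootLogin yes` as warnings rather than failures: they do not stop GSSAPI from working, but as long as they are on, a Kerberos-only policy is not actually enforced by sshd.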