[Samba] Samba4 and GSSAPI based authentication for OpenSSH
Arthur Ramsey
arthur_ramsey at mediture.com
Thu Nov 21 11:11:04 MST 2013
I was able to fix it and get it working on several other servers.
1. Remove any FQDNs from /etc/hosts
2. Make sure FQDN is used in /etc/sysconfig/network (RHEL specific file)
3. sudo hostname -v 'fqdn'
4. Verify /etc/resolv.conf
5. sudo yum -y install samba-common samba-winbind zsh krb5-workstation
6. sudo authconfig --update --kickstart --enablewinbind \
     --enablewinbindauth --smbsecurity=ads \
     --smbworkgroup=MEDITURE \
     --smbrealm=MEDITURE.DOM \
     --winbindjoin=Administrator \
     --winbindtemplatehomedir=/home/%U \
     --winbindtemplateshell=/bin/bash \
     --enablewinbindusedefaultdomain \
     --enablelocauthorize \
     --smbservers=dc01.mediture.dom,dc02.mediture.dom,dc03.mediture.dom,dc04.mediture.dom \
     --enablemkhomedir
7. Edit /etc/samba/smb.conf
[global]
#--authconfig--start-line--
# Generated by authconfig on 2013/10/11 15:48:32
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = MEDITURE
password server = dc01.mediture.dom dc02.mediture.dom dc03.mediture.dom dc04.mediture.dom
realm = MEDITURE.DOM
security = ads
idmap config * : range = 16777216-33554431
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
#--authconfig--end-line--
server string = Samba Server Version %v
# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
passdb backend = tdbsam
winbind offline logon = true
winbind nss info = rfc2307
kerberos method = secrets and keytab
8. Edit /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 # default_realm is only meaningful here; copies under [logging] or inside
 # a realm block are ignored by libkrb5
 default_realm = MEDITURE.DOM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_keytab_name = FILE:/etc/krb5.keytab
[realms]
 MEDITURE.DOM = {
  kdc = dc01.mediture.dom
  kdc = dc02.mediture.dom
  kdc = dc03.mediture.dom
  kdc = dc04.mediture.dom
 }
[domain_realm]
 mediture.dom = MEDITURE.DOM
 .mediture.dom = MEDITURE.DOM
9. Edit /etc/security/pam_winbind.conf
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
[global]
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes
krb5_auth = yes
krb5_ccache_type = FILE
10. Edit /etc/ssh/sshd_config
Protocol 2
SyslogFacility AUTHPRIV
LoginGraceTime 2m
PermitRootLogin yes
StrictModes yes
MaxAuthTries 6
MaxSessions 10
PasswordAuthentication yes
KerberosAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
UseDNS no
Subsystem sftp /usr/libexec/openssh/sftp-server
11. sudo net ads keytab create -U Administrator
12. sudo service sshd restart
I had a lot of trial and error on the first host I tried, which I think
bungled my credential cache. Every other server worked fine with the
same procedure, but this first host gave me trouble until I did this
last step.
On 11/21/2013 02:27 AM, L.P.H. van Belle wrote:
> look here, it might help you.
>
>
> http://us.generation-nt.com/answer/re-samba-how-do-i-get-an-ssh-client-authenticate-samba4-kerberos-gssapi-solved-help-208138311.html
>
>
>> -----Original message-----
>> From: arthur_ramsey at mediture.com
>> [mailto:samba-bounces at lists.samba.org] On behalf of Arthur Ramsey
>> Sent: Wednesday 20 November 2013 23:53
>> To: samba at lists.samba.org
>> Subject: [Samba] Samba4 and GSSAPI based authentication for OpenSSH
>>
>> I seem to be having the same issue as
>> https://lists.samba.org/archive/samba/2012-December/170426.html. I
>> don't see that he ever reached a solution.
>>
>> Nov 20 16:02:58 appdb01-qa sshd[31622]: debug1: Unspecified GSS
>> failure. Minor code may provide more information\nNo key table entry
>> found matching host/appdb01-qa.mediture.dom@\n
>> Nov 20 16:02:58 appdb01-qa sshd[31623]: debug1: userauth-request for
>> user arthurr service ssh-connection method gssapi-with-mic
>> Nov 20 16:02:58 appdb01-qa sshd[31623]: debug1: attempt 2 failures 0
>> Nov 20 16:02:58 appdb01-qa sshd[31623]: debug1: userauth-request for
>> user arthurr service ssh-connection method gssapi-with-mic
>> Nov 20 16:02:58 appdb01-qa sshd[31623]: debug1: attempt 3 failures 0
>> Nov 20 16:02:59 appdb01-qa sshd[31623]: debug1: userauth-request for
>> user arthurr service ssh-connection method gssapi-with-mic
>>
>> [arthurr at appdb01-qa]~% klist
>> Ticket cache: FILE:/tmp/krb5cc_16777216
>> Default principal: arthurr at MEDITURE.DOM
>>
>> Valid starting Expires Service principal
>> 11/20/13 15:59:55 11/21/13 01:59:55 krbtgt/MEDITURE.DOM at MEDITURE.DOM
>> renew until 11/27/13 15:59:55
>> 11/20/13 15:59:55 11/21/13 01:59:55 APPDB01-QA$@MEDITURE.DOM
>> renew until 11/27/13 15:59:55
>>
>> Samba client: 3.6.9
>> Samba4 PDC: 4.1.1
>>
>> This was my starting place:
>> https://wiki.samba.org/index.php/Authenticating_other_services_against_AD.
>> I also have searched google extensively.
>>
>> Any help would be appreciated.
>>
>> --
>> Arthur Ramsey
>> Systems Administrator
>> Mediture
>> arthur_ramsey at mediture.com
>> 952.400.0323
>>
--
Arthur Ramsey
Systems Administrator
Mediture
arthur_ramsey at mediture.com
952.400.0323
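The 12-step procedure above hinges on three things going right: no FQDN pinned in /etc/hosts (step 1), GSSAPI enabled in sshd_config (step 10), and a host/<fqdn>@REALM key landing in the keytab (step 11), which is exactly what the "No key table entry found" error in the original post was complaining about. The following script is an added example, not part of the post or of Samba; it checks each of those from text input so it can be run against a live host or the constructed samples it carries (the FQDN and realm are the thread's, the keytab listings are made up).

```shell
#!/bin/sh
# Added example, not part of the original post: offline sanity checks for the
# three pieces the procedure above depends on. Each check takes its input as
# text, so on a live host you pass the real file or command output, e.g.
#   keytab_has_host_principal "$(klist -k)" "$(hostname -f)" "$REALM"
# The FQDN and realm below are the thread's; the sample listings are constructed.

FQDN="appdb01-qa.mediture.dom"
REALM="MEDITURE.DOM"

# Step 11 must leave a host/<fqdn>@REALM key in /etc/krb5.keytab; without it
# sshd logs "No key table entry found matching host/<fqdn>@" as in the thread.
# $1 = output of `klist -k`, $2 = fqdn, $3 = realm; returns 0 when present.
keytab_has_host_principal() {
    printf '%s\n' "$1" |
        awk -v p="host/$2@$3" '$2 == p { found = 1 } END { exit !found }'
}

# Step 1: the FQDN must not be pinned in /etc/hosts (comment lines ignored).
# $1 = /etc/hosts text, $2 = fqdn; returns 0 when the file is clean.
hosts_file_clean() {
    ! printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -qFw "$2"
}

# Step 10: GSSAPIAuthentication must be "yes". sshd takes the first
# uncommented occurrence of a keyword, so later lines cannot override it.
# $1 = sshd_config text; returns 0 when GSSAPI user auth is enabled.
sshd_gssapi_enabled() {
    v=$(printf '%s\n' "$1" |
        grep -i '^[[:space:]]*GSSAPIAuthentication[[:space:]]' |
        head -n 1 | awk '{ print tolower($2) }')
    [ "$v" = "yes" ]
}

# Constructed `klist -k` listings: one with the host key, one without.
GOOD_KEYTAB="Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   2 APPDB01-QA\$@MEDITURE.DOM
   2 host/appdb01-qa.mediture.dom@MEDITURE.DOM"
BAD_KEYTAB="Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   2 APPDB01-QA\$@MEDITURE.DOM"
```

If the keytab check fails on a joined host, rerunning step 11 (net ads keytab create) is the fix the thread arrived at; the sshd debug line in the original post is the symptom to look for.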