[Samba] Samba 4 / Kerberos / ssh

Vogel, Sven Sven.Vogel at kupper-computer.com
Sun May 25 05:56:11 MDT 2014


I am trying to get Samba 4 with ssh running.

In the script from Matthieu Patou for the sysvol sync I found the following interesting lines.

---

kinit -k -t /etc/krb5.keytab  `hostname -s | tr "[:lower:]" "[:upper:]"`\$

rsync  -X -u -a  $dc_account_name\$@${dc}.${domain}:$SYSVOL $STAGING
---

If I understand correctly, he uses the domain controller service principal to connect to the other domain controller. I know that for that I need a working /etc/krb5.keytab.

e.g. I have two S4 DCs:

bob
alice

I have done the following. I want to connect from bob to alice with the service accounts.

I added the following to both of the DCs:

sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes

ssh_config
GSSAPIAuthentication yes
GSSAPIDelegationCredentials yes
GSSAPIKeyExchange yes
GSSAPITrustDNS yes

After that I created the keytab; I know I need a working ticket.

samba-tool domain exportkeytab /etc/krb5.keytab --principal=alice$

I get the ticket on bob for alice with:

kinit -v -k -t /etc/krb5.keytab alice$

After that I tried to get an ssh connection to alice with (forcing a GSSAPI connection):

ssh -vvv -K alice\$@alice.example.local

When I look in the logs I always see the following error messages on alice:

"No principal in keytab matches the desired name"

And

May 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user alice$ service ssh-connection method none [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: attempt 0 failures 0 [preauth]
May 25 13:43:44 alice sshd[29647]: Invalid user alice$ from 192.168.24.3
May 25 13:43:44 alice sshd[29647]: debug1: Unable to open the btmp file /var/log/btmp: No such file or directory
May 25 13:43:44 alice sshd[29647]: input_userauth_request: invalid user alice$ [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: PAM: initializing for "alice$"
May 25 13:43:44 alice sshd[29647]: debug1: PAM: setting PAM_RHOST to "bob.swi.local"
May 25 13:43:44 alice sshd[29647]: debug1: PAM: setting PAM_TTY to "ssh"
May 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user alice$ service ssh-connection method gssapi-with-mic [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: attempt 1 failures 0 [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user alice$ service ssh-connection method gssapi-with-mic [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: attempt 2 failures 1 [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user alice$ service ssh-connection method gssapi-with-mic [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: attempt 3 failures 2 [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user alice$ service ssh-connection method keyboard-interactive [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: attempt 4 failures 3 [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: keyboard-interactive devs  [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: auth2_challenge: user=alice$ devs= [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: kbdint_alloc: devices 'pam' [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]


I am confused. Is there something I have forgotten? PAM? I read that I maybe need a "HOST/" principal for ssh. Is that the problem?

Anyone have an idea?

Sven
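The "No principal in keytab matches the desired name" message in the post is what a GSSAPI acceptor reports when the keytab it reads does not contain the principal it was asked to act as; for sshd that acceptor name is host/<fqdn>@REALM, which is a different entry from the machine-account principal the client used with kinit. A practical check is therefore to look at what the exported keytab actually contains before debugging sshd or PAM further. The following Python is an added example, not the poster's script and not Samba's code: it builds two constructed MIT-format keytabs (format 0x0502, with a made-up realm EXAMPLE.LOCAL, a made-up key and kvno), parses them back, and reports whether the host/ entry sshd would look up is missing. In practice the same listing comes from klist -k -t /etc/krb5.keytab; the parser here only shows what that listing is reading.

```python
import struct

# Enctype number for aes256-cts-hmac-sha1-96 (RFC 3962).
AES256_CTS = 18


def _counted(buf, off):
    """Read a 16-bit-length-prefixed octet string at `off`; return (bytes, new_off)."""
    (n,) = struct.unpack(">H", buf[off:off + 2])
    off += 2
    return buf[off:off + n], off + n


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples as an MIT keytab v2 (0x0502) blob."""
    out = bytearray(b"\x05\x02")
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")            # "host/fqdn" -> ["host", "fqdn"]
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">I", 1)            # name_type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)            # timestamp (constructed, 0)
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit vno
        body += struct.pack(">H", enctype)
        body += struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)         # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob):
    """Return a list of {'principal', 'kvno', 'enctype'} dicts for every live entry in the keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 2 (0x0502) is handled here")
    off, entries = 2, []
    while off + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[off:off + 4])
        off += 4
        if size < 0:                            # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack(">H", blob[off:off + 2])
        off += 2
        realm, off = _counted(blob, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(blob, off)
            comps.append(c.decode())
        _name_type, _ts, vno8 = struct.unpack(">IIB", blob[off:off + 9])
        off += 9
        (enctype,) = struct.unpack(">H", blob[off:off + 2])
        off += 2
        _key, off = _counted(blob, off)         # key bytes are not needed for the check
        kvno = vno8
        if end - off >= 4:                      # 32-bit vno present: overrides vno8 when non-zero
            (vno32,) = struct.unpack(">I", blob[off:off + 4])
            if vno32:
                kvno = vno32
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype})
    return entries


def missing_host_principal(entries, fqdn, realm):
    """Return the host/ principal sshd would look for if it is absent from `entries`, else None."""
    wanted = f"host/{fqdn}@{realm}"
    return None if any(e["principal"] == wanted for e in entries) else wanted


# Constructed sample keytabs: realm, key bytes and kvno are made up for this example.
REALM = "EXAMPLE.LOCAL"
KEY = bytes(range(32))
MACHINE_ONLY = build_keytab([("ALICE$", REALM, 2, AES256_CTS, KEY)])
WITH_HOST = build_keytab([("ALICE$", REALM, 2, AES256_CTS, KEY),
                          ("host/alice.example.local", REALM, 2, AES256_CTS, KEY)])

if __name__ == "__main__":
    for label, kt in (("machine account only", MACHINE_ONLY), ("with host/ entry", WITH_HOST)):
        entries = parse_keytab(kt)
        print(label, [e["principal"] for e in entries])
        print("  missing:", missing_host_principal(entries, "alice.example.local", REALM))
```

Run as-is, the first keytab (mirroring an export of only the machine account) reports the host/ principal as missing, the second does not; on a real DC, substitute the output of klist -k for the constructed blobs and compare the listed names and kvno against what sshd's debug log says it is looking for.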

