[Samba] Samba 4 / Kerberos / ssh

Vogel, Sven Sven.Vogel at kupper-computer.com
Thu May 29 05:05:54 MDT 2014 

Hi Steve, Hi Roland,

so tryed many different things. 

1. i create an keytab alice$ (works)

Samba-tool domain exportkeytab /etc/krb5.keytab -principal=ALICE$

2. i changed sshd_config to your suggestions...

GSSAPIAuthentication yes
GSSAPICleanupCredentials no
GSSAPIKeyExchange yes
GSSAPIStrictAcceptorCheck no

3. i got an ticket on BOB$ with (works)

kinit -v -k -t /etc/krb5.keytab ALICE$

after these changes i bot the following error

May 29 12:41:43 alice sshd[22664]: debug1: Unspecified GSS failure.  Minor code may provide more information\nNo such file or directory\n
May 29 12:41:43 alice sshd[22664]: debug1: Got no client credentials
May 29 12:41:43 alice sshd[22664]: fatal: Zero length token output when incomplete [preauth]

I found out i need an ssh service kerberos prinicpal

After that i added the following to the krb5.keytab to ALICE because the ssh service needs to authenticate to kerberos

kinit -v -k -t /etc/krb5.keytab host/alice.example.com

4. After that i tryed it again with different users e.g. the service account ALICE$ and Guest Account but i get the following error

May 29 12:57:00 alice sshd[22753]: input_userauth_request: invalid user Guest [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: PAM: initializing for "Guest"
May 29 12:57:00 alice sshd[22753]: debug1: PAM: setting PAM_RHOST to "alice2.swi.local"
May 29 12:57:00 alice sshd[22753]: debug1: PAM: setting PAM_TTY to "ssh"
May 29 12:57:00 alice sshd[22753]: debug1: userauth-request for user Guest service ssh-connection method gssapi-keyex [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: attempt 1 failures 0 [preauth]
May 29 12:57:00 alice sshd[22753]: Failed gssapi-with-mic for invalid user Guest from 192.168.24.3 port 35854 ssh2
May 29 12:57:00 alice sshd[22753]: debug1: userauth-request for user Guest service ssh-connection method gssapi-with-mic [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: attempt 2 failures 1 [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: userauth-request for user Guest service ssh-connection method gssapi-with-mic [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: attempt 3 failures 2 [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: userauth-request for user Guest service ssh-connection method gssapi-with-mic [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: attempt 4 failures 3 [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: userauth-request for user Guest service ssh-connection method keyboard-interactive [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: attempt 5 failures 4 [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: keyboard-interactive devs  [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: auth2_challenge: user=Guest devs= [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: kbdint_alloc: devices 'pam' [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
May 29 12:57:00 alice sshd[22753]: Postponed keyboard-interactive for invalid user Guest from 192.168.24.3 port 35854 ssh2 [preauth]


I get an invalid user... why he dont authenticate to samba 4 and check the users... whats wrong or missing?

I using sles 11 sp3 and sernet samba 4.1.7 last patch level...

Maybe ist a problem with pam and krb5 but i also installed the pam_krb5 modules and added them to the appropriate files in /etc/pam.d/

Is there anyone who can help`

Thanks

Sven

-----Ursprüngliche Nachricht-----
Von: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] Im Auftrag von Rowland Penny
Gesendet: Sonntag, 25. Mai 2014 18:07
An: samba at lists.samba.org
Betreff: Re: [Samba] Samba 4 / Kerberos / ssh

On 25/05/14 12:56, Vogel, Sven wrote:
> I try to get Samba 4 with ssh running.
>
> I found in the Script from Matthieu Patou tot he sysvol sync the follwing intresting line.
>
> ---
>
> kinit -k -t /etc/krb5.keytab  `hostname -s | tr "[:lower:]" 
> "[:upper:]"`\$
>
> rsync  -X -u -a  $dc_account_name\$@${dc}.${domain}:$SYSVOL $STAGING
> ---
>
> when i understand correct he uses the domain controller service 
> principle to connect to the other domain controller. I know for  that 
> i need a working /etc/krb5.keytab
>
> e.g. i have two s4 dc's
>
> bob
> alice
>
> i have done the following. I want to connect from bob to alice with 
> the service accounts
>
> I added to  the following to both of the dcs
>
> sshd_config
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> GSSAPIStrictAcceptorCheck yes
> GSSAPIKeyExchange yes
>
> ssh_config
> GSSAPIAuthentication yes
> GSSAPIDelegationCredentials yes
> GSSAPIKeyExchange yes
> GSSAPITrustDNS yes
>
> After that i created the keytab i know i need an working ticket
>
> Samba-tool domain exportkeytab /etc/krb5.keytab -principal=alice$
>
> I get the ticket with on bob for alice
>
> kinit -v -k -t /etc/krb5.keytab alice$
>
> after that i tryed to get an ssh connection to alice with (force 
> gssapi connection)
>
> ssh -vvv -K alice\$@alice.example.local
>
> when i look in the logs i see always on alice the follwing error 
> messages by alice
>
> "No principal in keytab matches the desired name"
>
> And
>
> May 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user 
> alice$ service ssh-connection method none [preauth] May 25 13:43:44 
> alice sshd[29647]: debug1: attempt 0 failures 0 [preauth] May 25 
> 13:43:44 alice sshd[29647]: Invalid user alice$ from 192.168.24.3 May 
> 25 13:43:44 alice sshd[29647]: debug1: Unable to open the btmp file 
> /var/log/btmp: No such file or directory May 25 13:43:44 alice sshd[29647]: input_userauth_request: invalid user alice$ [preauth] May 25 13:43:44 alice sshd[29647]: debug1: PAM: initializing for "alice$"
> May 25 13:43:44 alice sshd[29647]: debug1: PAM: setting PAM_RHOST to "bob.swi.local"
> May 25 13:43:44 alice sshd[29647]: debug1: PAM: setting PAM_TTY to "ssh"
> May 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user 
> alice$ service ssh-connection method gssapi-with-mic [preauth] May 25 
> 13:43:44 alice sshd[29647]: debug1: attempt 1 failures 0 [preauth] May 
> 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user 
> alice$ service ssh-connection method gssapi-with-mic [preauth] May 25 
> 13:43:44 alice sshd[29647]: debug1: attempt 2 failures 1 [preauth] May 
> 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user 
> alice$ service ssh-connection method gssapi-with-mic [preauth] May 25 
> 13:43:44 alice sshd[29647]: debug1: attempt 3 failures 2 [preauth] May 
> 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user 
> alice$ service ssh-connection method keyboard-interactive [preauth] 
> May 25 13:43:44 alice sshd[29647]: debug1: attempt 4 failures 3 
> [preauth] May 25 13:43:44 alice sshd[29647]: debug1: 
> keyboard-interactive devs  [preauth] May 25 13:43:44 alice 
> sshd[29647]: debug1: auth2_challenge: user=alice$ devs= [preauth] May 
> 25 13:43:44 alice sshd[29647]: debug1: kbdint_alloc: devices 'pam' 
> [preauth] May 25 13:43:44 alice sshd[29647]: debug1: 
> auth2_challenge_start: trying authentication method 'pam' [preauth]
>
>
> I am confused. Is there something what i forgotten? PAM? I read that i need maybe a "HOST/" principal for ssh. Is that the problem?
>
> Anyone have an idea?
>
> Sven
OK, I can connect from my second DC to my first DC via kerberos, try this:

On Server you want to connect to (FIRST DC, bob in your case):

nano /etc/ssh/sshd_config:

GSSAPIAuthentication yes
GSSAPICleanupCredentials no
GSSAPIKeyExchange yes
GSSAPIStrictAcceptorCheck no

On Client (second DC, alice):

samba-tool domain exportkeytab /etc/krb5.keytab --principal=ALICE$

kinit -k -t /etc/krb5.keytab -c /tmp/krb5cc_ALICE$ ALICE$

ssh -K ALICE\$@alice.example.local

#################################################

On my system it led to this:

root at dc2:~# ssh -K DC1\$@dc1.example.local Creating directory '/home/DOMAIN/DC1$'.
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)

  * Documentation:  https://help.ubuntu.com/

   System information as of Sun May 25 16:24:38 BST 2014

   System load:    0.04               Processes:           141
   Usage of /home: 0.0% of 119.75GB   Users logged in:     1
   Memory usage:   50%                IP address for eth0: 192.168.0.5
   Swap usage:     0%

   Graph this data and manage this system at:
     https://landscape.canonical.com/

0 packages can be updated.
0 updates are security updates.


The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

DOMAIN\DC1dc1:~$ pwd
/home/DOMAIN/DC1$

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list