[Samba] Samba 4 / Kerberos / ssh
Vogel, Sven
Sven.Vogel at kupper-computer.com
Thu May 29 05:05:54 MDT 2014
Hi Steve, Hi Roland,
so tryed many different things.
1. i create an keytab alice$ (works)
Samba-tool domain exportkeytab /etc/krb5.keytab -principal=ALICE$
2. i changed sshd_config to your suggestions...
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
GSSAPIKeyExchange yes
GSSAPIStrictAcceptorCheck no
3. i got an ticket on BOB$ with (works)
kinit -v -k -t /etc/krb5.keytab ALICE$
after these changes i bot the following error
May 29 12:41:43 alice sshd[22664]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo such file or directory\n
May 29 12:41:43 alice sshd[22664]: debug1: Got no client credentials
May 29 12:41:43 alice sshd[22664]: fatal: Zero length token output when incomplete [preauth]
I found out i need an ssh service kerberos prinicpal
After that i added the following to the krb5.keytab to ALICE because the ssh service needs to authenticate to kerberos
kinit -v -k -t /etc/krb5.keytab host/alice.example.com
4. After that i tryed it again with different users e.g. the service account ALICE$ and Guest Account but i get the following error
May 29 12:57:00 alice sshd[22753]: input_userauth_request: invalid user Guest [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: PAM: initializing for "Guest"
May 29 12:57:00 alice sshd[22753]: debug1: PAM: setting PAM_RHOST to "alice2.swi.local"
May 29 12:57:00 alice sshd[22753]: debug1: PAM: setting PAM_TTY to "ssh"
May 29 12:57:00 alice sshd[22753]: debug1: userauth-request for user Guest service ssh-connection method gssapi-keyex [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: attempt 1 failures 0 [preauth]
May 29 12:57:00 alice sshd[22753]: Failed gssapi-with-mic for invalid user Guest from 192.168.24.3 port 35854 ssh2
May 29 12:57:00 alice sshd[22753]: debug1: userauth-request for user Guest service ssh-connection method gssapi-with-mic [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: attempt 2 failures 1 [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: userauth-request for user Guest service ssh-connection method gssapi-with-mic [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: attempt 3 failures 2 [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: userauth-request for user Guest service ssh-connection method gssapi-with-mic [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: attempt 4 failures 3 [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: userauth-request for user Guest service ssh-connection method keyboard-interactive [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: attempt 5 failures 4 [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: keyboard-interactive devs [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: auth2_challenge: user=Guest devs= [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: kbdint_alloc: devices 'pam' [preauth]
May 29 12:57:00 alice sshd[22753]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
May 29 12:57:00 alice sshd[22753]: Postponed keyboard-interactive for invalid user Guest from 192.168.24.3 port 35854 ssh2 [preauth]
I get an invalid user... why he dont authenticate to samba 4 and check the users... whats wrong or missing?
I using sles 11 sp3 and sernet samba 4.1.7 last patch level...
Maybe ist a problem with pam and krb5 but i also installed the pam_krb5 modules and added them to the appropriate files in /etc/pam.d/
Is there anyone who can help`
Thanks
Sven
-----Ursprüngliche Nachricht-----
Von: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] Im Auftrag von Rowland Penny
Gesendet: Sonntag, 25. Mai 2014 18:07
An: samba at lists.samba.org
Betreff: Re: [Samba] Samba 4 / Kerberos / ssh
On 25/05/14 12:56, Vogel, Sven wrote:
> I try to get Samba 4 with ssh running.
>
> I found in the Script from Matthieu Patou tot he sysvol sync the follwing intresting line.
>
> ---
>
> kinit -k -t /etc/krb5.keytab `hostname -s | tr "[:lower:]"
> "[:upper:]"`\$
>
> rsync -X -u -a $dc_account_name\$@${dc}.${domain}:$SYSVOL $STAGING
> ---
>
> when i understand correct he uses the domain controller service
> principle to connect to the other domain controller. I know for that
> i need a working /etc/krb5.keytab
>
> e.g. i have two s4 dc's
>
> bob
> alice
>
> i have done the following. I want to connect from bob to alice with
> the service accounts
>
> I added to the following to both of the dcs
>
> sshd_config
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> GSSAPIStrictAcceptorCheck yes
> GSSAPIKeyExchange yes
>
> ssh_config
> GSSAPIAuthentication yes
> GSSAPIDelegationCredentials yes
> GSSAPIKeyExchange yes
> GSSAPITrustDNS yes
>
> After that i created the keytab i know i need an working ticket
>
> Samba-tool domain exportkeytab /etc/krb5.keytab -principal=alice$
>
> I get the ticket with on bob for alice
>
> kinit -v -k -t /etc/krb5.keytab alice$
>
> after that i tryed to get an ssh connection to alice with (force
> gssapi connection)
>
> ssh -vvv -K alice\$@alice.example.local
>
> when i look in the logs i see always on alice the follwing error
> messages by alice
>
> "No principal in keytab matches the desired name"
>
> And
>
> May 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user
> alice$ service ssh-connection method none [preauth] May 25 13:43:44
> alice sshd[29647]: debug1: attempt 0 failures 0 [preauth] May 25
> 13:43:44 alice sshd[29647]: Invalid user alice$ from 192.168.24.3 May
> 25 13:43:44 alice sshd[29647]: debug1: Unable to open the btmp file
> /var/log/btmp: No such file or directory May 25 13:43:44 alice sshd[29647]: input_userauth_request: invalid user alice$ [preauth] May 25 13:43:44 alice sshd[29647]: debug1: PAM: initializing for "alice$"
> May 25 13:43:44 alice sshd[29647]: debug1: PAM: setting PAM_RHOST to "bob.swi.local"
> May 25 13:43:44 alice sshd[29647]: debug1: PAM: setting PAM_TTY to "ssh"
> May 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user
> alice$ service ssh-connection method gssapi-with-mic [preauth] May 25
> 13:43:44 alice sshd[29647]: debug1: attempt 1 failures 0 [preauth] May
> 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user
> alice$ service ssh-connection method gssapi-with-mic [preauth] May 25
> 13:43:44 alice sshd[29647]: debug1: attempt 2 failures 1 [preauth] May
> 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user
> alice$ service ssh-connection method gssapi-with-mic [preauth] May 25
> 13:43:44 alice sshd[29647]: debug1: attempt 3 failures 2 [preauth] May
> 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user
> alice$ service ssh-connection method keyboard-interactive [preauth]
> May 25 13:43:44 alice sshd[29647]: debug1: attempt 4 failures 3
> [preauth] May 25 13:43:44 alice sshd[29647]: debug1:
> keyboard-interactive devs [preauth] May 25 13:43:44 alice
> sshd[29647]: debug1: auth2_challenge: user=alice$ devs= [preauth] May
> 25 13:43:44 alice sshd[29647]: debug1: kbdint_alloc: devices 'pam'
> [preauth] May 25 13:43:44 alice sshd[29647]: debug1:
> auth2_challenge_start: trying authentication method 'pam' [preauth]
>
>
> I am confused. Is there something what i forgotten? PAM? I read that i need maybe a "HOST/" principal for ssh. Is that the problem?
>
> Anyone have an idea?
>
> Sven
OK, I can connect from my second DC to my first DC via kerberos, try this:
On Server you want to connect to (FIRST DC, bob in your case):
nano /etc/ssh/sshd_config:
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
GSSAPIKeyExchange yes
GSSAPIStrictAcceptorCheck no
On Client (second DC, alice):
samba-tool domain exportkeytab /etc/krb5.keytab --principal=ALICE$
kinit -k -t /etc/krb5.keytab -c /tmp/krb5cc_ALICE$ ALICE$
ssh -K ALICE\$@alice.example.local
#################################################
On my system it led to this:
root at dc2:~# ssh -K DC1\$@dc1.example.local Creating directory '/home/DOMAIN/DC1$'.
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)
* Documentation: https://help.ubuntu.com/
System information as of Sun May 25 16:24:38 BST 2014
System load: 0.04 Processes: 141
Usage of /home: 0.0% of 119.75GB Users logged in: 1
Memory usage: 50% IP address for eth0: 192.168.0.5
Swap usage: 0%
Graph this data and manage this system at:
https://landscape.canonical.com/
0 packages can be updated.
0 updates are security updates.
The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
DOMAIN\DC1dc1:~$ pwd
/home/DOMAIN/DC1$
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list