[Samba] Samba 4 / Kerberos / ssh

Vogel, Sven Sven.Vogel at kupper-computer.com
Thu May 29 17:22:38 MDT 2014 

Hi Steve, Hi Rowland,

@Steve

When i use Id I get the correct value back e.g.

uid=3000014(EXAMPLE\Guest) gid=3000015(EXAMPLE\Domain Guests) groups=3000015(EXAMPLE\Domain Guests)

@Rowland

Yes I get also a password prompt... normally it should not...

there are other ideas? Is it a Pam problem?

Thanks

Sven

Am 29.05.2014 16:56 schrieb Rowland Penny <rowlandpenny at googlemail.com>:
On 29/05/14 12:05, Vogel, Sven wrote:
> Hi Steve, Hi Roland,
>
> so tryed many different things.
>
> 1. i create an keytab alice$ (works)
>
> Samba-tool domain exportkeytab /etc/krb5.keytab -principal=ALICE$
>
> 2. i changed sshd_config to your suggestions...
>
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials no
> GSSAPIKeyExchange yes
> GSSAPIStrictAcceptorCheck no
>
> 3. i got an ticket on BOB$ with (works)
>
> kinit -v -k -t /etc/krb5.keytab ALICE$
>
> after these changes i bot the following error
>
> May 29 12:41:43 alice sshd[22664]: debug1: Unspecified GSS failure.  Minor code may provide more information\nNo such file or directory\n
> May 29 12:41:43 alice sshd[22664]: debug1: Got no client credentials
> May 29 12:41:43 alice sshd[22664]: fatal: Zero length token output when incomplete [preauth]
>
> I found out i need an ssh service kerberos prinicpal
>
> After that i added the following to the krb5.keytab to ALICE because the ssh service needs to authenticate to kerberos
>
> kinit -v -k -t /etc/krb5.keytab host/alice.example.com
>
> 4. After that i tryed it again with different users e.g. the service account ALICE$ and Guest Account but i get the following error
>
> May 29 12:57:00 alice sshd[22753]: input_userauth_request: invalid user Guest [preauth]
> May 29 12:57:00 alice sshd[22753]: debug1: PAM: initializing for "Guest"
> May 29 12:57:00 alice sshd[22753]: debug1: PAM: setting PAM_RHOST to "alice2.swi.local"
> May 29 12:57:00 alice sshd[22753]: debug1: PAM: setting PAM_TTY to "ssh"
> May 29 12:57:00 alice sshd[22753]: debug1: userauth-request for user Guest service ssh-connection method gssapi-keyex [preauth]
> May 29 12:57:00 alice sshd[22753]: debug1: attempt 1 failures 0 [preauth]
> May 29 12:57:00 alice sshd[22753]: Failed gssapi-with-mic for invalid user Guest from 192.168.24.3 port 35854 ssh2
> May 29 12:57:00 alice sshd[22753]: debug1: userauth-request for user Guest service ssh-connection method gssapi-with-mic [preauth]
> May 29 12:57:00 alice sshd[22753]: debug1: attempt 2 failures 1 [preauth]
> May 29 12:57:00 alice sshd[22753]: debug1: userauth-request for user Guest service ssh-connection method gssapi-with-mic [preauth]
> May 29 12:57:00 alice sshd[22753]: debug1: attempt 3 failures 2 [preauth]
> May 29 12:57:00 alice sshd[22753]: debug1: userauth-request for user Guest service ssh-connection method gssapi-with-mic [preauth]
> May 29 12:57:00 alice sshd[22753]: debug1: attempt 4 failures 3 [preauth]
> May 29 12:57:00 alice sshd[22753]: debug1: userauth-request for user Guest service ssh-connection method keyboard-interactive [preauth]
> May 29 12:57:00 alice sshd[22753]: debug1: attempt 5 failures 4 [preauth]
> May 29 12:57:00 alice sshd[22753]: debug1: keyboard-interactive devs  [preauth]
> May 29 12:57:00 alice sshd[22753]: debug1: auth2_challenge: user=Guest devs= [preauth]
> May 29 12:57:00 alice sshd[22753]: debug1: kbdint_alloc: devices 'pam' [preauth]
> May 29 12:57:00 alice sshd[22753]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
> May 29 12:57:00 alice sshd[22753]: Postponed keyboard-interactive for invalid user Guest from 192.168.24.3 port 35854 ssh2 [preauth]
>
>
> I get an invalid user... why he dont authenticate to samba 4 and check the users... whats wrong or missing?
>
> I using sles 11 sp3 and sernet samba 4.1.7 last patch level...
>
> Maybe ist a problem with pam and krb5 but i also installed the pam_krb5 modules and added them to the appropriate files in /etc/pam.d/
>
> Is there anyone who can help`
>
> Thanks
>
> Sven
>
> -----Ursprüngliche Nachricht-----
> Von: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] Im Auftrag von Rowland Penny
> Gesendet: Sonntag, 25. Mai 2014 18:07
> An: samba at lists.samba.org
> Betreff: Re: [Samba] Samba 4 / Kerberos / ssh
>
> On 25/05/14 12:56, Vogel, Sven wrote:
>> I try to get Samba 4 with ssh running.
>>
>> I found in the Script from Matthieu Patou tot he sysvol sync the follwing intresting line.
>>
>> ---
>>
>> kinit -k -t /etc/krb5.keytab  `hostname -s | tr "[:lower:]"
>> "[:upper:]"`\$
>>
>> rsync  -X -u -a  $dc_account_name\$@${dc}.${domain}:$SYSVOL $STAGING
>> ---
>>
>> when i understand correct he uses the domain controller service
>> principle to connect to the other domain controller. I know for  that
>> i need a working /etc/krb5.keytab
>>
>> e.g. i have two s4 dc's
>>
>> bob
>> alice
>>
>> i have done the following. I want to connect from bob to alice with
>> the service accounts
>>
>> I added to  the following to both of the dcs
>>
>> sshd_config
>> GSSAPIAuthentication yes
>> GSSAPICleanupCredentials yes
>> GSSAPIStrictAcceptorCheck yes
>> GSSAPIKeyExchange yes
>>
>> ssh_config
>> GSSAPIAuthentication yes
>> GSSAPIDelegationCredentials yes
>> GSSAPIKeyExchange yes
>> GSSAPITrustDNS yes
>>
>> After that i created the keytab i know i need an working ticket
>>
>> Samba-tool domain exportkeytab /etc/krb5.keytab -principal=alice$
>>
>> I get the ticket with on bob for alice
>>
>> kinit -v -k -t /etc/krb5.keytab alice$
>>
>> after that i tryed to get an ssh connection to alice with (force
>> gssapi connection)
>>
>> ssh -vvv -K alice\$@alice.example.local
>>
>> when i look in the logs i see always on alice the follwing error
>> messages by alice
>>
>> "No principal in keytab matches the desired name"
>>
>> And
>>
>> May 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user
>> alice$ service ssh-connection method none [preauth] May 25 13:43:44
>> alice sshd[29647]: debug1: attempt 0 failures 0 [preauth] May 25
>> 13:43:44 alice sshd[29647]: Invalid user alice$ from 192.168.24.3 May
>> 25 13:43:44 alice sshd[29647]: debug1: Unable to open the btmp file
>> /var/log/btmp: No such file or directory May 25 13:43:44 alice sshd[29647]: input_userauth_request: invalid user alice$ [preauth] May 25 13:43:44 alice sshd[29647]: debug1: PAM: initializing for "alice$"
>> May 25 13:43:44 alice sshd[29647]: debug1: PAM: setting PAM_RHOST to "bob.swi.local"
>> May 25 13:43:44 alice sshd[29647]: debug1: PAM: setting PAM_TTY to "ssh"
>> May 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user
>> alice$ service ssh-connection method gssapi-with-mic [preauth] May 25
>> 13:43:44 alice sshd[29647]: debug1: attempt 1 failures 0 [preauth] May
>> 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user
>> alice$ service ssh-connection method gssapi-with-mic [preauth] May 25
>> 13:43:44 alice sshd[29647]: debug1: attempt 2 failures 1 [preauth] May
>> 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user
>> alice$ service ssh-connection method gssapi-with-mic [preauth] May 25
>> 13:43:44 alice sshd[29647]: debug1: attempt 3 failures 2 [preauth] May
>> 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user
>> alice$ service ssh-connection method keyboard-interactive [preauth]
>> May 25 13:43:44 alice sshd[29647]: debug1: attempt 4 failures 3
>> [preauth] May 25 13:43:44 alice sshd[29647]: debug1:
>> keyboard-interactive devs  [preauth] May 25 13:43:44 alice
>> sshd[29647]: debug1: auth2_challenge: user=alice$ devs= [preauth] May
>> 25 13:43:44 alice sshd[29647]: debug1: kbdint_alloc: devices 'pam'
>> [preauth] May 25 13:43:44 alice sshd[29647]: debug1:
>> auth2_challenge_start: trying authentication method 'pam' [preauth]
>>
>>
>> I am confused. Is there something what i forgotten? PAM? I read that i need maybe a "HOST/" principal for ssh. Is that the problem?
>>
>> Anyone have an idea?
>>
>> Sven
> OK, I can connect from my second DC to my first DC via kerberos, try this:
>
> On Server you want to connect to (FIRST DC, bob in your case):
>
> nano /etc/ssh/sshd_config:
>
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials no
> GSSAPIKeyExchange yes
> GSSAPIStrictAcceptorCheck no
>
> On Client (second DC, alice):
>
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=ALICE$
>
> kinit -k -t /etc/krb5.keytab -c /tmp/krb5cc_ALICE$ ALICE$
>
> ssh -K ALICE\$@alice.example.local
>
> #################################################
>
> On my system it led to this:
>
> root at dc2:~# ssh -K DC1\$@dc1.example.local Creating directory '/home/DOMAIN/DC1$'.
> Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)
>
>    * Documentation:  https://help.ubuntu.com/
>
>     System information as of Sun May 25 16:24:38 BST 2014
>
>     System load:    0.04               Processes:           141
>     Usage of /home: 0.0% of 119.75GB   Users logged in:     1
>     Memory usage:   50%                IP address for eth0: 192.168.0.5
>     Swap usage:     0%
>
>     Graph this data and manage this system at:
>       https://landscape.canonical.com/
>
> 0 packages can be updated.
> 0 updates are security updates.
>
>
> The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
>
> Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
>
> DOMAIN\DC1dc1:~$ pwd
> /home/DOMAIN/DC1$
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
Excuse me while I go slightly mad.

AAAGGGGHHHHH

That's better ;-)

Well I thought it worked, in fact it did work, but now it would seem
that it will only work one way.

if I do this:

ssh -v -K dc2\$@dc1.example.com

Amongst the output is this:

debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: Authentication succeeded (gssapi-keyex).
Authenticated to dc1.example.com ([192.168.0.5]:22).

and I get logged into dc1 from dc2, but going the other way:

ssh -v -K DC1\$@dc2.example.com (and yes, I tried it with a lowercase dc1)

amongst the output I get this:

debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Next authentication method: password
DC1$@dc2.example.com's password:

As you can see, I get asked for a password, this is driving me mad, as
far as I can see the two DC's are setup similarly but it just doesn't
work both ways, so I am going to walk away from this for a short while
and then come back to it.

Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list