[Samba] Samba4 SSH SSSD-AD Problem

Rowland Penny rowlandpenny at googlemail.com
Thu Feb 26 08:40:43 MST 2015


On 26/02/15 15:21, Andreas Hauffe wrote:
> Hi,
>
> I'm having a problem with ssh and sssd in a samba4 ad environment.
>
> If I log on to a linux client everything works fine. When entering klist I'm able
> to see my ticket. When I try to connect/logon to another linux client with ssh
> it is possible, but klist shows:
> klist: Credentials cache file '/run/user/$UID$/krb5cc/tkt' not found.
>
> So the ticket cache is not created during logon.
>
> I'm using sssd with the following sssd.conf:
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = $DOMAINNAME$
>
> [nss]
>
> [pam]
>
> [domain/$DOMAINNAME$]
> id_provider = ad
> access_provider = ad
> ldap_id_mapping=false
> krb5_keytab=/etc/krb5.keytab
>
> And sshd with the following sshd_config:
>
> AuthorizedKeysFile      .ssh/authorized_keys
> PasswordAuthentication no
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> GSSAPIStrictAcceptorCheck no
> GSSAPIStoreCredentialsOnRekey yes
> UsePAM yes
> X11Forwarding yes
> UseDNS no
> Subsystem       sftp    /usr/lib/ssh/sftp-server
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL
>
> /etc/pam.d/sshd directs to the default pam.d configurations.
>

Hi, neither 'ssh' nor 'sssd' has anything to do with samba, but just a 
hint, remove 'UseDNS no', kerberos depends on dns. If this doesn't work, 
you may get more help on the sssd mailing list.

Rowland

