[Samba] ssh authentication with AD

L.P.H. van Belle belle at bazuin.nl
Wed Nov 4 08:44:02 UTC 2015


Hai,  

OK, good to know that (Debian) krb5-ssh is libpam-krb5 in Ubuntu.
The Debian packages also set:
GSSAPIAuthentication no
to
GSSAPIAuthentication yes

So here are all my Kerberos settings from sshd_config.
(It should work with only GSSAPIAuthentication.)
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
# If your version supports this:
GSSAPIKeyExchange yes
# If your version supports this:
GSSAPIStoreCredentialsOnRekey yes

Sorry, id username is not the right one. 
Try getent passwd username 

Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oliver Rath
> Sent: Wednesday 4 November 2015 9:35
> To: samba at lists.samba.org
> Subject: Re: [Samba] ssh authentication with AD
> 
> Hi LPH & David,
> 
> I'm also interested in using kerberos authentication and tried your
> hints. I'm using Ubuntu 14.04.3 Server on this machine.
> 
> On 04.11.2015 08:52, L.P.H. van Belle wrote:
> > Ok, do the following.
> >
> > Remove all your modifications from pam so it's back to original.
> >
> > apt-get install krb5-ssh
> > restart ssh, try again.
> 
> @LPH: krb5-ssh doesn't exist in Ubuntu:
> 
> # apt-get install krb5-ssh
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> E: Unable to locate package krb5-ssh
> 
> But maybe you mean libpam-krb5?
> 
> > Still not working?
> >
> > Now try correct pam.
> > Type : pam-auth-update
> > Select kerberos winbind and unix ( and keep other defaults as is )
> 
> I didn't find "kerberos" in the selection-list. But with "libpam-krb5"
> installed it is shown.
> 
> @David: Did you enable Kerberos authentication in /etc/ssh/sshd_config?
> I see to select:
> 
> # Kerberos options
> #KerberosAuthentication no
> #KerberosGetAFSToken no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> 
> What should I enable from these?
> >
> > Type id username
> > You see a correct shell and correct and existing homedir?
> $ LANG=POSIX id oliver
> uid=1000(oliver) gid=1000(oliver) groups=1000(oliver),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare),114(scanner),124(saned),129(kvm),131(lxd)
> 
> Where should I see shell and homedir here?
> 
> Tfh!
> Oliver

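The two checks discussed in this thread, as an added example that is not part of either message: reading the effective GSSAPIAuthentication value from an sshd_config file, and reading the home directory and shell from a getent passwd entry. The function names and the sample passwd line are constructed for illustration; the parser assumes whitespace-separated "Keyword value" lines, does not follow Include directives and stops at the first Match block.

```shell
#!/bin/sh
# Added example; helper names and sample data are constructed, not from the thread.

# Print the global value of sshd_config keyword $2 in file $1.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and lines starting with '#' are comments.
sshd_value() {
    awk -v key="$2" '
        { k = tolower($1) }
        NF == 0 || k ~ /^#/ { next }      # blank line or comment
        k == "match"        { exit }      # settings after Match are conditional
        k == tolower(key)   { print tolower($2); exit }
    ' "$1"
}

# Given one passwd(5) line, as printed by "getent passwd username",
# print "home=<dir> shell=<path>". Fails if either field is empty.
passwd_home_shell() {
    printf '%s\n' "$1" | awk -F: '
        NF < 7 || $6 == "" || $7 == "" { exit 1 }
        { printf "home=%s shell=%s\n", $6, $7 }'
}

# Check a live account: the entry must resolve (through winbind or files),
# the home directory must exist and the shell must be executable.
check_account() {
    entry=$(getent passwd "$1") || { echo "no passwd entry for $1"; return 1; }
    info=$(passwd_home_shell "$entry") || { echo "empty home or shell: $entry"; return 1; }
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    [ -d "$home" ]  || { echo "home directory missing: $home"; return 1; }
    [ -x "$shell" ] || { echo "shell not executable: $shell"; return 1; }
    echo "$info"
}

# Constructed sample entry showing which fields carry home and shell.
passwd_home_shell 'oliver:*:1000:1000:Oliver:/home/oliver:/bin/bash'
```

On a real host, `sshd_value /etc/ssh/sshd_config GSSAPIAuthentication` and `check_account username` give the two answers asked for above.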