[Samba] Winbind, Kerberos, SSH and Single Sign On
Andreas Hauffe
andreas.hauffe at tu-dresden.de
Wed Nov 1 08:59:02 UTC 2017
Hi,
at first I'm not sure if this is the correct list to ask this question.
But since I'm using winbind I hope you can help me.
I try to realize a kerberized ssh from one client to another. Both
clients are member of subdom2.subdom1.example.de and joined to it. The
users are from example.de, where subdom1.example.de is a subdomain
(bidirectional trust) of example.de and subdom2.subdom1.example.de is a
subdomain (bidirectional trust) of subdom1.example.de.
When I try to ssh to a client I'm getting the service ticket for the
client. But it still prompts the password question.
On the ssh-client side I'm getting the following SSH debug information:
...> KRB5_TRACE=/dev/stdout ssh -vvv computer1
OpenSSH_7.2p2, OpenSSL 1.0.2j-fips 26 Sep 2016
debug1: Reading configuration data /home/user1/.ssh/config
debug1: /home/user1/.ssh/config line 17: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 25: Applying options for *
debug2: resolving "computer1" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to computer1 [141.30.156.36] port 22.
debug1: Connection established.
debug1: identity file /home/user1/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to computer1:22 as 'EXAMPLE+user1'
debug3: hostkeys_foreach: reading file "/home/user1/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file
/home/user1/.ssh/known_hosts:60
debug3: load_hostkeys: loaded 1 keys from computer1
debug3: order_hostkeyalgs: prefer hostkeyalgs:
ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms:
curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms:
ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
debug2: ciphers ctos:
chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: ciphers stoc:
chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: MACs ctos:
umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc:
umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib at openssh.com
debug2: compression stoc: none,zlib at openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms:
curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms:
ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos:
chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com
debug2: ciphers stoc:
chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com
debug2: MACs ctos:
umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc:
umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib at openssh.com
debug2: compression stoc: none,zlib at openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256 at libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC:
<implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC:
<implicit> compression: none
debug1: kex: curve25519-sha256 at libssh.org need=64 dh_need=64
debug1: kex: curve25519-sha256 at libssh.org need=64 dh_need=64
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256
SHA256:7/AZTZcLAybma0tYTXNTStak01rfYk/r17XmQO1djso
debug3: hostkeys_foreach: reading file "/home/user1/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file
/home/user1/.ssh/known_hosts:60
debug3: load_hostkeys: loaded 1 keys from computer1
debug3: hostkeys_foreach: reading file "/home/user1/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file
/home/user1/.ssh/known_hosts:59
debug3: load_hostkeys: loaded 1 keys from 141.30.156.36
debug1: Host 'computer1' is known and matches the ECDSA host key.
debug1: Found key in /home/user1/.ssh/known_hosts:60
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug2: key: /home/user1/.ssh/id_rsa (0x55c3125896b0), agent
debug2: key: /home/user1/.ssh/id_dsa ((nil))
debug2: key: /home/user1/.ssh/id_ecdsa ((nil))
debug2: key: /home/user1/.ssh/id_ed25519 ((nil))
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug3: start over, passed a different list
publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug3: preferred
gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred:
gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 141.30.156.36.
[6355] 1509525451.837186: Convert service host (service with host as
instance) on host computer1.subdom2.subdom1.example.de to principal
[6355] 1509525451.837196: Remote host after forward canonicalization:
computer1.subdom2.subdom1.example.de
[6355] 1509525451.837202: Remote host after reverse DNS processing:
computer1.subdom2.subdom1.example.de
[6355] 1509525451.837219: Got service principal
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
[6355] 1509525451.837375: ccselect can't find appropriate cache for
server principal
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
[6355] 1509525451.837411: Getting credentials user1 at EXAMPLE.DE ->
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
using ccache FILE:/tmp/krb5cc_103321
[6355] 1509525451.837451: Retrieving user1 at EXAMPLE.DE ->
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
from FILE:/tmp/krb5cc_103321 with result: 0/Success
[6355] 1509525451.837493: Creating authenticator for user1 at EXAMPLE.DE ->
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE,
seqnum 538127167, subkey aes256-cts/9E2E, session key aes256-cts/2C72
debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 60
debug1: Delegating credentials
[6355] 1509525451.838235: Convert service host (service with host as
instance) on host computer1.subdom2.subdom1.example.de to principal
[6355] 1509525451.838244: Remote host after forward canonicalization:
computer1.subdom2.subdom1.example.de
[6355] 1509525451.838248: Remote host after reverse DNS processing:
computer1.subdom2.subdom1.example.de
[6355] 1509525451.838269: Got service principal
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
[6355] 1509525451.838406: ccselect can't find appropriate cache for
server principal
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
[6355] 1509525451.838431: Getting credentials user1 at EXAMPLE.DE ->
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
using ccache FILE:/tmp/krb5cc_103321
[6355] 1509525451.838457: Retrieving user1 at EXAMPLE.DE ->
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
from FILE:/tmp/krb5cc_103321 with result: 0/Success
[6355] 1509525451.838506: Retrieving user1 at EXAMPLE.DE ->
krbtgt/EXAMPLE.DE at EXAMPLE.DE from FILE:/tmp/krb5cc_103321 with result:
0/Success
[6355] 1509525451.838542: Get cred via TGT krbtgt/EXAMPLE.DE at EXAMPLE.DE
after requesting krbtgt/EXAMPLE.DE at EXAMPLE.DE (canonicalize off)
[6355] 1509525451.838552: Generated subkey for TGS request: aes256-cts/6A11
[6355] 1509525451.838577: etypes requested in TGS request: aes256-cts
[6355] 1509525451.838619: Encoding request body and padata into FAST request
[6355] 1509525451.838661: Sending request (2761 bytes) to EXAMPLE.DE
[6355] 1509525451.839682: Resolving hostname domdc8.example.de.
[6355] 1509525451.839691: Resolving hostname domdc6.example.de.
[6355] 1509525451.839694: Resolving hostname domdc7.example.de.
[6355] 1509525451.839697: Resolving hostname domdc5.example.de.
[6355] 1509525451.839699: Resolving hostname domdc8.example.de.
[6355] 1509525451.839711: Initiating TCP connection to stream 172.26.40.8:88
[6355] 1509525451.840669: Sending TCP request to stream 172.26.40.8:88
[6355] 1509525451.842021: Received answer (2706 bytes) from stream
172.26.40.8:88
[6355] 1509525451.842449: Response was not from master KDC
[6355] 1509525451.842459: Decoding FAST response
[6355] 1509525451.842515: FAST reply key: aes256-cts/4A19
[6355] 1509525451.842535: TGS reply is for user1 at EXAMPLE.DE ->
krbtgt/EXAMPLE.DE at EXAMPLE.DE with session key aes256-cts/4A0D
[6355] 1509525451.842549: Got cred; 0/Success
[6355] 1509525451.842596: Creating authenticator for user1 at EXAMPLE.DE ->
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE,
seqnum 334735312, subkey aes256-cts/4AE2, session key aes256-cts/2C72
debug3: send packet: type 61
debug3: receive packet: type 61
debug1: Delegating credentials
[6355] 1509525451.848142: Convert service host (service with host as
instance) on host computer1.subdom2.subdom1.example.de to principal
[6355] 1509525451.848152: Remote host after forward canonicalization:
computer1.subdom2.subdom1.example.de
[6355] 1509525451.848156: Remote host after reverse DNS processing:
computer1.subdom2.subdom1.example.de
[6355] 1509525451.848166: Got service principal
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
[6355] 1509525451.848207: Read AP-REP, time 1509525445.842599, subkey
aes256-cts/5EEA, seqnum 91190375
debug3: send packet: type 66
debug3: receive packet: type 51
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
[6355] 1509525451.849839: Convert service host (service with host as
instance) on host computer1.subdom2.subdom1.example.de to principal
[6355] 1509525451.849848: Remote host after forward canonicalization:
computer1.subdom2.subdom1.example.de
[6355] 1509525451.849853: Remote host after reverse DNS processing:
computer1.subdom2.subdom1.example.de
[6355] 1509525451.849864: Got service principal
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
[6355] 1509525451.849970: ccselect can't find appropriate cache for
server principal
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
[6355] 1509525451.849995: Getting credentials user1 at EXAMPLE.DE ->
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
using ccache FILE:/tmp/krb5cc_103321
[6355] 1509525451.850020: Retrieving user1 at EXAMPLE.DE ->
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
from FILE:/tmp/krb5cc_103321 with result: 0/Success
[6355] 1509525451.850048: Creating authenticator for user1 at EXAMPLE.DE ->
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE,
seqnum 814792577, subkey aes256-cts/77C2, session key aes256-cts/2C72
debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
[6355] 1509525451.850462: Convert service host (service with host as
instance) on host computer1.subdom2.subdom1.example.de to principal
[6355] 1509525451.850467: Remote host after forward canonicalization:
computer1.subdom2.subdom1.example.de
[6355] 1509525451.850470: Remote host after reverse DNS processing:
computer1.subdom2.subdom1.example.de
[6355] 1509525451.850476: Got service principal
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
[6355] 1509525451.850547: ccselect can't find appropriate cache for
server principal
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
[6355] 1509525451.850569: Getting credentials user1 at EXAMPLE.DE ->
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
using ccache FILE:/tmp/krb5cc_103321
[6355] 1509525451.850591: Retrieving user1 at EXAMPLE.DE ->
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
from FILE:/tmp/krb5cc_103321 with result: 0/Success
[6355] 1509525451.850611: Creating authenticator for user1 at EXAMPLE.DE ->
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE,
seqnum 1044832357, subkey aes256-cts/7DD3, session key aes256-cts/2C72
debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
[6355] 1509525451.851143: Convert service host (service with host as
instance) on host computer1.subdom2.subdom1.example.de to principal
[6355] 1509525451.851147: Remote host after forward canonicalization:
computer1.subdom2.subdom1.example.de
[6355] 1509525451.851150: Remote host after reverse DNS processing:
computer1.subdom2.subdom1.example.de
[6355] 1509525451.851156: Got service principal
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
[6355] 1509525451.851226: ccselect can't find appropriate cache for
server principal
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
[6355] 1509525451.851284: Getting credentials user1 at EXAMPLE.DE ->
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
using ccache FILE:/tmp/krb5cc_103321
[6355] 1509525451.851306: Retrieving user1 at EXAMPLE.DE ->
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
from FILE:/tmp/krb5cc_103321 with result: 0/Success
[6355] 1509525451.851336: Getting credentials user1 at EXAMPLE.DE ->
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
using ccache FILE:/tmp/krb5cc_103321
[6355] 1509525451.851355: Retrieving user1 at EXAMPLE.DE ->
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
from FILE:/tmp/krb5cc_103321 with result: 0/Success
[6355] 1509525451.851374: Creating authenticator for user1 at EXAMPLE.DE ->
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE,
seqnum 933888914, subkey aes256-cts/B654, session key aes256-cts/2C72
debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/user1/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Trying private key: /home/user1/.ssh/id_dsa
debug3: no such identity: /home/user1/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/user1/.ssh/id_ecdsa
debug3: no such identity: /home/user1/.ssh/id_ecdsa: No such file or
directory
debug1: Trying private key: /home/user1/.ssh/id_ed25519
debug3: no such identity: /home/user1/.ssh/id_ed25519: No such file or
directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
On the sshd-server side:
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 530
debug2: parse_server_config: config /etc/ssh/sshd_config len 530
debug3: /etc/ssh/sshd_config:59 setting AuthorizedKeysFile
.ssh/authorized_keys
debug3: /etc/ssh/sshd_config:77 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:90 setting GSSAPIAuthentication yes
debug3: /etc/ssh/sshd_config:91 setting GSSAPICleanupCredentials yes
debug3: /etc/ssh/sshd_config:104 setting UsePAM yes
debug3: /etc/ssh/sshd_config:109 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:118 setting UsePrivilegeSeparation no
debug3: /etc/ssh/sshd_config:134 setting Subsystem sftp
/usr/lib/ssh/sftp-server
debug3: /etc/ssh/sshd_config:137 setting AcceptEnv LANG LC_CTYPE
LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
debug3: /etc/ssh/sshd_config:138 setting AcceptEnv LC_PAPER LC_NAME
LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
debug3: /etc/ssh/sshd_config:139 setting AcceptEnv LC_IDENTIFICATION LC_ALL
debug1: sshd version OpenSSH_7.2, OpenSSL 1.0.2j-fips 26 Sep 2016
debug1: private host key #0: ssh-rsa
SHA256:1j6kb5tgv9SOPXFk1t2MYS7AHAoXvNAz8sLdnhS/NsM
debug1: private host key #1: ssh-dss
SHA256:Uhux8JTTAoVerZphmCGBCGVswPSXMZQnUxjnIfN0cPU
debug1: private host key #2: ecdsa-sha2-nistp256
SHA256:7/AZTZcLAybma0tYTXNTStak01rfYk/r17XmQO1djso
debug1: private host key #3: ssh-ed25519
SHA256:gpAG0xdH9KcJZS3/3p7516k+5sC6A5Y02/1K+PhZ2Fc
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='2233'
debug3: oom_adjust_setup
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 2233 on 0.0.0.0.
Server listening on 0.0.0.0 port 2233.
debug2: fd 4 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
debug1: Bind to port 2233 on ::.
Server listening on :: port 2233.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 530
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 141.30.156.114 port 45018 on 141.30.156.36 port 2233
debug1: Client protocol version 2.0; client software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug2: fd 3 setting O_NONBLOCK
debug1: list_hostkey_types:
ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local server KEXINIT proposal
debug2: KEX algorithms:
curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms:
ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos:
chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com
debug2: ciphers stoc:
chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com
debug2: MACs ctos:
umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc:
umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib at openssh.com
debug2: compression stoc: none,zlib at openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer client KEXINIT proposal
debug2: KEX algorithms:
curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms:
ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
debug2: ciphers ctos:
chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: ciphers stoc:
chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: MACs ctos:
umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc:
umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib at openssh.com
debug2: compression stoc: none,zlib at openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256 at libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC:
<implicit> compression: none
debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC:
<implicit> compression: none
debug1: kex: curve25519-sha256 at libssh.org need=64 dh_need=64
debug1: kex: curve25519-sha256 at libssh.org need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_INIT
debug3: receive packet: type 30
debug3: send packet: type 31
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: send packet: type 7
debug3: receive packet: type 21
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug3: receive packet: type 5
debug3: send packet: type 6
debug3: receive packet: type 50
debug1: userauth-request for user EXAMPLE+user1 service ssh-connection
method none
debug1: attempt 0 failures 0
debug2: parse_server_config: config reprocess config len 530
debug2: input_userauth_request: setting up authctxt for EXAMPLE+user1
debug1: PAM: initializing for "EXAMPLE+user1"
debug1: PAM: setting PAM_RHOST to "141.30.156.114"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: input_userauth_request: try method none
Failed none for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
debug3: userauth_finish: failure partial=0 next
methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
debug3: send packet: type 51
debug3: receive packet: type 50
debug1: userauth-request for user EXAMPLE+user1 service ssh-connection
method gssapi-with-mic
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method gssapi-with-mic
debug3: send packet: type 60
Postponed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port
45018 ssh2
debug3: receive packet: type 61
debug1: Received some client credentials
debug3: send packet: type 61
debug3: receive packet: type 66
Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
debug3: userauth_finish: failure partial=0 next
methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
debug3: send packet: type 51
debug3: receive packet: type 50
debug1: userauth-request for user EXAMPLE+user1 service ssh-connection
method gssapi-with-mic
debug1: attempt 2 failures 1
debug2: input_userauth_request: try method gssapi-with-mic
Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
debug3: userauth_finish: failure partial=0 next
methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
debug3: send packet: type 51
debug3: receive packet: type 50
debug1: userauth-request for user EXAMPLE+user1 service ssh-connection
method gssapi-with-mic
debug1: attempt 3 failures 1
debug2: input_userauth_request: try method gssapi-with-mic
Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
debug3: userauth_finish: failure partial=0 next
methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
debug3: send packet: type 51
debug3: receive packet: type 50
debug1: userauth-request for user EXAMPLE+user1 service ssh-connection
method gssapi-with-mic
debug1: attempt 4 failures 1
debug2: input_userauth_request: try method gssapi-with-mic
Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
debug3: userauth_finish: failure partial=0 next
methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
debug3: send packet: type 51
debug3: receive packet: type 50
debug1: userauth-request for user EXAMPLE+user1 service ssh-connection
method publickey
debug1: attempt 5 failures 1
debug2: input_userauth_request: try method publickey
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for
RSA SHA256:PYcpC+MW8MGt1dXFFm9qebnkNkmClIpsaUTBR/Wzym8
debug1: temporarily_use_uid: 103321/10513 (e=0/0)
debug1: trying public key file /home/user1/.ssh/authorized_keys
debug1: Could not open authorized keys
'/home/user1/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-512
Failed publickey for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
debug3: userauth_finish: failure partial=0 next
methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
debug3: send packet: type 51
debug3: receive packet: type 50
debug1: userauth-request for user EXAMPLE+user1 service ssh-connection
method keyboard-interactive
debug1: attempt 6 failures 2
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=EXAMPLE+user1 devs=
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices <empty>
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: PAM: sshpam_init_ctx entering
debug3: PAM: sshpam_query entering
debug3: ssh_msg_recv entering
debug3: PAM: sshpam_thread_conv entering, 1 messages
debug3: ssh_msg_send: type 1
debug3: ssh_msg_recv entering
debug3: send packet: type 60
Postponed keyboard-interactive for EXAMPLE+user1 from 141.30.156.114
port 45018 ssh2
smb.conf:
[global]
netbios name = computer1
security = ADS
workgroup = SUBDOM2
realm = SUBDOM2.SUBDOM1.EXAMPLE.DE
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
template homedir = /home/%U
template shell = /bin/bash
winbind separator = +
idmap config * : backend = tdb
idmap config * : range = 2000-2999
idmap config SUBDOM2 : backend = rid
idmap config SUBDOM2 : range = 3000-9999 # UID aus RID fuer ILRW
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-9999999 # UID aus RID fuer DOM
krb5.conf:
[libdefaults]
default_realm = SUBDOM2.SUBDOM1.EXAMPLE.DE
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.DE = {
auth_to_local = RULE:[1:EXAMPLE+$1]
}
SUBDOM1.EXAMPLE.DE = {
auth_to_local = RULE:[1:SUBDOM1+$1]
}
SUBDOM2.SUBDOM1.EXAMPLE.DE = {
auth_to_local = RULE:[1:SUBDOM2+$1]
}
[domain_realm]
.subdom2.subdom1.example.de = SUBDOM2.SUBDOM1.EXAMPLE.DE
subdom2.subdom1.example.de = SUBDOM2.SUBDOM1.EXAMPLE.DE
.subdom1.example.de = SUBDOM1.EXAMPLE.DE
subdom1.example.de = SUBDOM1.EXAMPLE.DE
.example.de = EXAMPLE.DE
example.de = EXAMPLE.DE
[capaths]
SUBDOM2.SUBDOM1.EXAMPLE.DE = {
SUBDOM1.EXAMPLE.DE = .
EXAMPLE.DE = SUBDOM1.EXAMPLE.DE
}
SUBDOM1.EXAMPLE.DE = {
SUBDOM2.SUBDOM1.EXAMPLE.DE = .
EXAMPLE.DE = .
}
EXAMPLE.DE = {
SUBDOM1.EXAMPLE.DE = .
SUBDOM2.SUBDOM1.EXAMPLE.DE = SUBDOM1.EXAMPLE.DE
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:DEBUG:DAEMON
sshd_config:
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding yes
Subsystem sftp /usr/lib/ssh/sftp-server
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY
LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
--
Regards,
Andreas
More information about the samba
mailing list