[Samba] Winbind, Kerberos, SSH and Single Sign On

Andreas Hauffe andreas.hauffe at tu-dresden.de
Thu Nov 2 08:56:40 UTC 2017


Hi,

thanks for your hints. DNS, /etc/resolv.conf and /etc/hosts seem to be
correct. I'm able to do a kerberized ssh with a user from
subdom2.subdom1.example.de (testuser@SUBDOM2.SUBDOM1.EXAMPLE.DE), but I'm
not able to do the same with a user from example.de (user1@EXAMPLE.DE).

-- 
Regards,
Andreas

On 01.11.2017 at 10:51, L.P.H. van Belle via samba wrote:
> I can suggest a few things.
>
> krb5.conf (if you use NFSv4 with kerberized mounts):
> [libdefaults]
> ignore_k5login = true
>
> But it does not look from your logs like you're using kerberized mounts.
>
>
> I'm missing in sshd_config:
> UseDNS yes
>
> And the defaults:
> # GSSAPI options
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> Are sufficient for a normal ssh kerberized login.
>
> Optional, depending on the use of your server, and if your SSH supports it.
> (use man sshd_config to look them up)
> GSSAPIStrictAcceptorCheck yes
> GSSAPIKeyExchange yes
> GSSAPIStoreCredentialsOnRekey yes
>
> I assume that server and client do have A and PTR records AND both servers have nfs/FQDN@REALM in the keytab.
>
> Postponed keyboard-interactive for EXAMPLE+user1 from 141.30.156.114
> That looks to me like UseDNS yes may solve it, if it's keytab/resolving related.
> If not, then I would try first to change the winbind separator
> winbind separator = + to \ (and correct krb5.conf also)
>
> I can't recall where I read that, but that may solve it also.
>
> If these did not fix it, please post the following.
> Your OS and Samba version.
> cat /etc/resolv.conf
> cat /etc/hosts
> dig -x server_ip
> dig -x client_ip
>
> What I do on Debian is the following.
> Set up Samba (my configs: see my GitHub howtos at github.com/thctlo/samba4)
> apt-get install ssh-krb5
> pam-auth-update
>
> And I can use SSO logins.
>
> So try above, and report back.
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Andreas Hauffe via samba
>> Sent: Wednesday, 1 November 2017 9:59
>> To: samba at lists.samba.org
>> Subject: [Samba] Winbind, Kerberos, SSH and Single Sign On
>>
>> Hi,
>>
>> first of all, I'm not sure if this is the correct list to ask this
>> question, but since I'm using winbind I hope you can help me.
>>
>> I'm trying to get a kerberized ssh working from one client to another. Both
>> clients are members of subdom2.subdom1.example.de and joined to it. The
>> users are from example.de, where subdom1.example.de is a subdomain
>> (bidirectional trust) of example.de and subdom2.subdom1.example.de is a
>> subdomain (bidirectional trust) of subdom1.example.de.
>>
>> When I try to ssh to a client I'm getting the service ticket for the
>> client, but it still prompts for the password.
>>
>> On the ssh-client side I'm getting the following SSH debug
>> information:
>>
>> ...> KRB5_TRACE=/dev/stdout ssh -vvv computer1
>> OpenSSH_7.2p2, OpenSSL 1.0.2j-fips  26 Sep 2016
>> debug1: Reading configuration data /home/user1/.ssh/config
>> debug1: /home/user1/.ssh/config line 17: Applying options for *
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: /etc/ssh/ssh_config line 25: Applying options for *
>> debug2: resolving "computer1" port 22
>> debug2: ssh_connect_direct: needpriv 0
>> debug1: Connecting to computer1 [141.30.156.36] port 22.
>> debug1: Connection established.
>> debug1: identity file /home/user1/.ssh/id_rsa type 1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /home/user1/.ssh/id_rsa-cert type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /home/user1/.ssh/id_dsa type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /home/user1/.ssh/id_dsa-cert type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /home/user1/.ssh/id_ecdsa type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /home/user1/.ssh/id_ecdsa-cert type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /home/user1/.ssh/id_ed25519 type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /home/user1/.ssh/id_ed25519-cert type -1
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-2.0-OpenSSH_7.2
>> debug1: Remote protocol version 2.0, remote software version
>> OpenSSH_7.2
>> debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
>> debug2: fd 3 setting O_NONBLOCK
>> debug1: Authenticating to computer1:22 as 'EXAMPLE+user1'
>> debug3: hostkeys_foreach: reading file "/home/user1/.ssh/known_hosts"
>> debug3: record_hostkey: found key type ECDSA in file
>> /home/user1/.ssh/known_hosts:60
>> debug3: load_hostkeys: loaded 1 keys from computer1
>> debug3: order_hostkeyalgs: prefer hostkeyalgs:
>> ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-c
>> ert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,e
>> cdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
>> debug3: send packet: type 20
>> debug1: SSH2_MSG_KEXINIT sent
>> debug3: receive packet: type 20
>> debug1: SSH2_MSG_KEXINIT received
>> debug2: local client KEXINIT proposal
>> debug2: KEX algorithms:
>> curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nist
>> p384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,d
>> iffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,
>> ext-info-c
>> debug2: host key algorithms:
>> ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-c
>> ert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,e
>> cdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh
>> -ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh
>> -dss-cert-v01 at openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-25
>> 6,ssh-rsa,ssh-dss
>> debug2: ciphers ctos:
>> chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
>> ,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes1
>> 92-cbc,aes256-cbc,3des-cbc
>> debug2: ciphers stoc:
>> chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
>> ,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes1
>> 92-cbc,aes256-cbc,3des-cbc
>> debug2: MACs ctos:
>> umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256
>> -etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at o
>> penssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-
>> 256,hmac-sha2-512,hmac-sha1
>> debug2: MACs stoc:
>> umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256
>> -etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at o
>> penssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-
>> 256,hmac-sha2-512,hmac-sha1
>> debug2: compression ctos: none,zlib at openssh.com
>> debug2: compression stoc: none,zlib at openssh.com
>> debug2: languages ctos:
>> debug2: languages stoc:
>> debug2: first_kex_follows 0
>> debug2: reserved 0
>> debug2: peer server KEXINIT proposal
>> debug2: KEX algorithms:
>> curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nist
>> p384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,d
>> iffie-hellman-group14-sha1
>> debug2: host key algorithms:
>> ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,
>> ssh-ed25519
>> debug2: ciphers ctos:
>> chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
>> ,aes128-gcm at openssh.com,aes256-gcm at openssh.com
>> debug2: ciphers stoc:
>> chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
>> ,aes128-gcm at openssh.com,aes256-gcm at openssh.com
>> debug2: MACs ctos:
>> umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256
>> -etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at o
>> penssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-
>> 256,hmac-sha2-512,hmac-sha1
>> debug2: MACs stoc:
>> umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256
>> -etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at o
>> penssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-
>> 256,hmac-sha2-512,hmac-sha1
>> debug2: compression ctos: none,zlib at openssh.com
>> debug2: compression stoc: none,zlib at openssh.com
>> debug2: languages ctos:
>> debug2: languages stoc:
>> debug2: first_kex_follows 0
>> debug2: reserved 0
>> debug1: kex: algorithm: curve25519-sha256 at libssh.org
>> debug1: kex: host key algorithm: ecdsa-sha2-nistp256
>> debug1: kex: server->client cipher:
>> chacha20-poly1305 at openssh.com MAC:
>> <implicit> compression: none
>> debug1: kex: client->server cipher:
>> chacha20-poly1305 at openssh.com MAC:
>> <implicit> compression: none
>> debug1: kex: curve25519-sha256 at libssh.org need=64 dh_need=64
>> debug1: kex: curve25519-sha256 at libssh.org need=64 dh_need=64
>> debug3: send packet: type 30
>> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
>> debug3: receive packet: type 31
>> debug1: Server host key: ecdsa-sha2-nistp256
>> SHA256:7/AZTZcLAybma0tYTXNTStak01rfYk/r17XmQO1djso
>> debug3: hostkeys_foreach: reading file "/home/user1/.ssh/known_hosts"
>> debug3: record_hostkey: found key type ECDSA in file
>> /home/user1/.ssh/known_hosts:60
>> debug3: load_hostkeys: loaded 1 keys from computer1
>> debug3: hostkeys_foreach: reading file "/home/user1/.ssh/known_hosts"
>> debug3: record_hostkey: found key type ECDSA in file
>> /home/user1/.ssh/known_hosts:59
>> debug3: load_hostkeys: loaded 1 keys from 141.30.156.36
>> debug1: Host 'computer1' is known and matches the ECDSA host key.
>> debug1: Found key in /home/user1/.ssh/known_hosts:60
>> debug3: send packet: type 21
>> debug2: set_newkeys: mode 1
>> debug1: rekey after 134217728 blocks
>> debug1: SSH2_MSG_NEWKEYS sent
>> debug1: expecting SSH2_MSG_NEWKEYS
>> debug3: receive packet: type 21
>> debug2: set_newkeys: mode 0
>> debug1: rekey after 134217728 blocks
>> debug1: SSH2_MSG_NEWKEYS received
>> debug2: key: /home/user1/.ssh/id_rsa (0x55c3125896b0), agent
>> debug2: key: /home/user1/.ssh/id_dsa ((nil))
>> debug2: key: /home/user1/.ssh/id_ecdsa ((nil))
>> debug2: key: /home/user1/.ssh/id_ed25519 ((nil))
>> debug3: send packet: type 5
>> debug3: receive packet: type 7
>> debug1: SSH2_MSG_EXT_INFO received
>> debug1: kex_input_ext_info:
>> server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
>> debug3: receive packet: type 6
>> debug2: service_accept: ssh-userauth
>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>> debug3: send packet: type 50
>> debug3: receive packet: type 51
>> debug1: Authentications that can continue:
>> publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
>> debug3: start over, passed a different list
>> publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
>> debug3: preferred
>> gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
>> debug3: authmethod_lookup gssapi-keyex
>> debug3: remaining preferred:
>> gssapi-with-mic,publickey,keyboard-interactive,password
>> debug3: authmethod_is_enabled gssapi-keyex
>> debug1: Next authentication method: gssapi-keyex
>> debug1: No valid Key exchange context
>> debug2: we did not send a packet, disable method
>> debug3: authmethod_lookup gssapi-with-mic
>> debug3: remaining preferred: publickey,keyboard-interactive,password
>> debug3: authmethod_is_enabled gssapi-with-mic
>> debug1: Next authentication method: gssapi-with-mic
>> debug3: Trying to reverse map address 141.30.156.36.
>> [6355] 1509525451.837186: Convert service host (service with host as
>> instance) on host computer1.subdom2.subdom1.example.de to principal
>> [6355] 1509525451.837196: Remote host after forward canonicalization:
>> computer1.subdom2.subdom1.example.de
>> [6355] 1509525451.837202: Remote host after reverse DNS processing:
>> computer1.subdom2.subdom1.example.de
>> [6355] 1509525451.837219: Got service principal
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
>> [6355] 1509525451.837375: ccselect can't find appropriate cache for
>> server principal
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
>> [6355] 1509525451.837411: Getting credentials user1 at EXAMPLE.DE ->
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
>> using ccache FILE:/tmp/krb5cc_103321
>> [6355] 1509525451.837451: Retrieving user1 at EXAMPLE.DE ->
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
>> from FILE:/tmp/krb5cc_103321 with result: 0/Success
>> [6355] 1509525451.837493: Creating authenticator for
>> user1 at EXAMPLE.DE ->
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE,
>> seqnum 538127167, subkey aes256-cts/9E2E, session key aes256-cts/2C72
>> debug3: send packet: type 50
>> debug2: we sent a gssapi-with-mic packet, wait for reply
>> debug3: receive packet: type 60
>> debug1: Delegating credentials
>> [6355] 1509525451.838235: Convert service host (service with host as
>> instance) on host computer1.subdom2.subdom1.example.de to principal
>> [6355] 1509525451.838244: Remote host after forward canonicalization:
>> computer1.subdom2.subdom1.example.de
>> [6355] 1509525451.838248: Remote host after reverse DNS processing:
>> computer1.subdom2.subdom1.example.de
>> [6355] 1509525451.838269: Got service principal
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
>> [6355] 1509525451.838406: ccselect can't find appropriate cache for
>> server principal
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
>> [6355] 1509525451.838431: Getting credentials user1 at EXAMPLE.DE ->
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
>> using ccache FILE:/tmp/krb5cc_103321
>> [6355] 1509525451.838457: Retrieving user1 at EXAMPLE.DE ->
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
>> from FILE:/tmp/krb5cc_103321 with result: 0/Success
>> [6355] 1509525451.838506: Retrieving user1 at EXAMPLE.DE ->
>> krbtgt/EXAMPLE.DE at EXAMPLE.DE from FILE:/tmp/krb5cc_103321
>> with result:
>> 0/Success
>> [6355] 1509525451.838542: Get cred via TGT
>> krbtgt/EXAMPLE.DE at EXAMPLE.DE
>> after requesting krbtgt/EXAMPLE.DE at EXAMPLE.DE (canonicalize off)
>> [6355] 1509525451.838552: Generated subkey for TGS request:
>> aes256-cts/6A11
>> [6355] 1509525451.838577: etypes requested in TGS request: aes256-cts
>> [6355] 1509525451.838619: Encoding request body and padata
>> into FAST request
>> [6355] 1509525451.838661: Sending request (2761 bytes) to EXAMPLE.DE
>> [6355] 1509525451.839682: Resolving hostname domdc8.example.de.
>> [6355] 1509525451.839691: Resolving hostname domdc6.example.de.
>> [6355] 1509525451.839694: Resolving hostname domdc7.example.de.
>> [6355] 1509525451.839697: Resolving hostname domdc5.example.de.
>> [6355] 1509525451.839699: Resolving hostname domdc8.example.de.
>> [6355] 1509525451.839711: Initiating TCP connection to stream
>> 172.26.40.8:88
>> [6355] 1509525451.840669: Sending TCP request to stream 172.26.40.8:88
>> [6355] 1509525451.842021: Received answer (2706 bytes) from stream
>> 172.26.40.8:88
>> [6355] 1509525451.842449: Response was not from master KDC
>> [6355] 1509525451.842459: Decoding FAST response
>> [6355] 1509525451.842515: FAST reply key: aes256-cts/4A19
>> [6355] 1509525451.842535: TGS reply is for user1 at EXAMPLE.DE ->
>> krbtgt/EXAMPLE.DE at EXAMPLE.DE with session key aes256-cts/4A0D
>> [6355] 1509525451.842549: Got cred; 0/Success
>> [6355] 1509525451.842596: Creating authenticator for
>> user1 at EXAMPLE.DE ->
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE,
>> seqnum 334735312, subkey aes256-cts/4AE2, session key aes256-cts/2C72
>> debug3: send packet: type 61
>> debug3: receive packet: type 61
>> debug1: Delegating credentials
>> [6355] 1509525451.848142: Convert service host (service with host as
>> instance) on host computer1.subdom2.subdom1.example.de to principal
>> [6355] 1509525451.848152: Remote host after forward canonicalization:
>> computer1.subdom2.subdom1.example.de
>> [6355] 1509525451.848156: Remote host after reverse DNS processing:
>> computer1.subdom2.subdom1.example.de
>> [6355] 1509525451.848166: Got service principal
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
>> [6355] 1509525451.848207: Read AP-REP, time 1509525445.842599, subkey
>> aes256-cts/5EEA, seqnum 91190375
>> debug3: send packet: type 66
>> debug3: receive packet: type 51
>> debug1: Authentications that can continue:
>> publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
>> [6355] 1509525451.849839: Convert service host (service with host as
>> instance) on host computer1.subdom2.subdom1.example.de to principal
>> [6355] 1509525451.849848: Remote host after forward canonicalization:
>> computer1.subdom2.subdom1.example.de
>> [6355] 1509525451.849853: Remote host after reverse DNS processing:
>> computer1.subdom2.subdom1.example.de
>> [6355] 1509525451.849864: Got service principal
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
>> [6355] 1509525451.849970: ccselect can't find appropriate cache for
>> server principal
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
>> [6355] 1509525451.849995: Getting credentials user1 at EXAMPLE.DE ->
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
>> using ccache FILE:/tmp/krb5cc_103321
>> [6355] 1509525451.850020: Retrieving user1 at EXAMPLE.DE ->
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
>> from FILE:/tmp/krb5cc_103321 with result: 0/Success
>> [6355] 1509525451.850048: Creating authenticator for
>> user1 at EXAMPLE.DE ->
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE,
>> seqnum 814792577, subkey aes256-cts/77C2, session key aes256-cts/2C72
>> debug3: send packet: type 50
>> debug2: we sent a gssapi-with-mic packet, wait for reply
>> debug3: receive packet: type 51
>> debug1: Authentications that can continue:
>> publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
>> [6355] 1509525451.850462: Convert service host (service with host as
>> instance) on host computer1.subdom2.subdom1.example.de to principal
>> [6355] 1509525451.850467: Remote host after forward canonicalization:
>> computer1.subdom2.subdom1.example.de
>> [6355] 1509525451.850470: Remote host after reverse DNS processing:
>> computer1.subdom2.subdom1.example.de
>> [6355] 1509525451.850476: Got service principal
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
>> [6355] 1509525451.850547: ccselect can't find appropriate cache for
>> server principal
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
>> [6355] 1509525451.850569: Getting credentials user1 at EXAMPLE.DE ->
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
>> using ccache FILE:/tmp/krb5cc_103321
>> [6355] 1509525451.850591: Retrieving user1 at EXAMPLE.DE ->
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
>> from FILE:/tmp/krb5cc_103321 with result: 0/Success
>> [6355] 1509525451.850611: Creating authenticator for
>> user1 at EXAMPLE.DE ->
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE,
>> seqnum 1044832357, subkey aes256-cts/7DD3, session key aes256-cts/2C72
>> debug3: send packet: type 50
>> debug2: we sent a gssapi-with-mic packet, wait for reply
>> debug3: receive packet: type 51
>> debug1: Authentications that can continue:
>> publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
>> [6355] 1509525451.851143: Convert service host (service with host as
>> instance) on host computer1.subdom2.subdom1.example.de to principal
>> [6355] 1509525451.851147: Remote host after forward canonicalization:
>> computer1.subdom2.subdom1.example.de
>> [6355] 1509525451.851150: Remote host after reverse DNS processing:
>> computer1.subdom2.subdom1.example.de
>> [6355] 1509525451.851156: Got service principal
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
>> [6355] 1509525451.851226: ccselect can't find appropriate cache for
>> server principal
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
>> [6355] 1509525451.851284: Getting credentials user1 at EXAMPLE.DE ->
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
>> using ccache FILE:/tmp/krb5cc_103321
>> [6355] 1509525451.851306: Retrieving user1 at EXAMPLE.DE ->
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
>> from FILE:/tmp/krb5cc_103321 with result: 0/Success
>> [6355] 1509525451.851336: Getting credentials user1 at EXAMPLE.DE ->
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
>> using ccache FILE:/tmp/krb5cc_103321
>> [6355] 1509525451.851355: Retrieving user1 at EXAMPLE.DE ->
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE
>> from FILE:/tmp/krb5cc_103321 with result: 0/Success
>> [6355] 1509525451.851374: Creating authenticator for
>> user1 at EXAMPLE.DE ->
>> host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE,
>> seqnum 933888914, subkey aes256-cts/B654, session key aes256-cts/2C72
>> debug3: send packet: type 50
>> debug2: we sent a gssapi-with-mic packet, wait for reply
>> debug3: receive packet: type 51
>> debug1: Authentications that can continue:
>> publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
>> debug2: we did not send a packet, disable method
>> debug3: authmethod_lookup publickey
>> debug3: remaining preferred: keyboard-interactive,password
>> debug3: authmethod_is_enabled publickey
>> debug1: Next authentication method: publickey
>> debug1: Offering RSA public key: /home/user1/.ssh/id_rsa
>> debug3: send_pubkey_test
>> debug3: send packet: type 50
>> debug2: we sent a publickey packet, wait for reply
>> debug3: receive packet: type 51
>> debug1: Authentications that can continue:
>> publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
>> debug1: Trying private key: /home/user1/.ssh/id_dsa
>> debug3: no such identity: /home/user1/.ssh/id_dsa: No such
>> file or directory
>> debug1: Trying private key: /home/user1/.ssh/id_ecdsa
>> debug3: no such identity: /home/user1/.ssh/id_ecdsa: No such file or
>> directory
>> debug1: Trying private key: /home/user1/.ssh/id_ed25519
>> debug3: no such identity: /home/user1/.ssh/id_ed25519: No
>> such file or
>> directory
>> debug2: we did not send a packet, disable method
>> debug3: authmethod_lookup keyboard-interactive
>> debug3: remaining preferred: password
>> debug3: authmethod_is_enabled keyboard-interactive
>> debug1: Next authentication method: keyboard-interactive
>> debug2: userauth_kbdint
>> debug3: send packet: type 50
>> debug2: we sent a keyboard-interactive packet, wait for reply
>> debug3: receive packet: type 60
>> debug2: input_userauth_info_req
>> debug2: input_userauth_info_req: num_prompts 1
>> Password:
>>
>> On the sshd-server side:
>>
>> debug2: load_server_config: filename /etc/ssh/sshd_config
>> debug2: load_server_config: done config len = 530
>> debug2: parse_server_config: config /etc/ssh/sshd_config len 530
>> debug3: /etc/ssh/sshd_config:59 setting AuthorizedKeysFile
>> .ssh/authorized_keys
>> debug3: /etc/ssh/sshd_config:77 setting PasswordAuthentication no
>> debug3: /etc/ssh/sshd_config:90 setting GSSAPIAuthentication yes
>> debug3: /etc/ssh/sshd_config:91 setting GSSAPICleanupCredentials yes
>> debug3: /etc/ssh/sshd_config:104 setting UsePAM yes
>> debug3: /etc/ssh/sshd_config:109 setting X11Forwarding yes
>> debug3: /etc/ssh/sshd_config:118 setting UsePrivilegeSeparation no
>> debug3: /etc/ssh/sshd_config:134 setting Subsystem sftp
>> /usr/lib/ssh/sftp-server
>> debug3: /etc/ssh/sshd_config:137 setting AcceptEnv LANG LC_CTYPE
>> LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
>> debug3: /etc/ssh/sshd_config:138 setting AcceptEnv LC_PAPER LC_NAME
>> LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
>> debug3: /etc/ssh/sshd_config:139 setting AcceptEnv
>> LC_IDENTIFICATION LC_ALL
>> debug1: sshd version OpenSSH_7.2, OpenSSL 1.0.2j-fips  26 Sep 2016
>> debug1: private host key #0: ssh-rsa
>> SHA256:1j6kb5tgv9SOPXFk1t2MYS7AHAoXvNAz8sLdnhS/NsM
>> debug1: private host key #1: ssh-dss
>> SHA256:Uhux8JTTAoVerZphmCGBCGVswPSXMZQnUxjnIfN0cPU
>> debug1: private host key #2: ecdsa-sha2-nistp256
>> SHA256:7/AZTZcLAybma0tYTXNTStak01rfYk/r17XmQO1djso
>> debug1: private host key #3: ssh-ed25519
>> SHA256:gpAG0xdH9KcJZS3/3p7516k+5sC6A5Y02/1K+PhZ2Fc
>> debug1: rexec_argv[0]='/usr/sbin/sshd'
>> debug1: rexec_argv[1]='-ddd'
>> debug1: rexec_argv[2]='-p'
>> debug1: rexec_argv[3]='2233'
>> debug3: oom_adjust_setup
>> debug1: Set /proc/self/oom_score_adj from 0 to -1000
>> debug2: fd 3 setting O_NONBLOCK
>> debug1: Bind to port 2233 on 0.0.0.0.
>> Server listening on 0.0.0.0 port 2233.
>> debug2: fd 4 setting O_NONBLOCK
>> debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
>> debug1: Bind to port 2233 on ::.
>> Server listening on :: port 2233.
>> debug3: fd 5 is not O_NONBLOCK
>> debug1: Server will not fork when running in debugging mode.
>> debug3: send_rexec_state: entering fd = 8 config len 530
>> debug3: ssh_msg_send: type 0
>> debug3: send_rexec_state: done
>> debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
>> debug1: inetd sockets after dupping: 3, 3
>> Connection from 141.30.156.114 port 45018 on 141.30.156.36 port 2233
>> debug1: Client protocol version 2.0; client software version
>> OpenSSH_7.2
>> debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-2.0-OpenSSH_7.2
>> debug2: fd 3 setting O_NONBLOCK
>> debug1: list_hostkey_types:
>> ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,
>> ssh-ed25519
>> debug3: send packet: type 20
>> debug1: SSH2_MSG_KEXINIT sent
>> debug3: receive packet: type 20
>> debug1: SSH2_MSG_KEXINIT received
>> debug2: local server KEXINIT proposal
>> debug2: KEX algorithms:
>> curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nist
>> p384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,d
>> iffie-hellman-group14-sha1
>> debug2: host key algorithms:
>> ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,
>> ssh-ed25519
>> debug2: ciphers ctos:
>> chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
>> ,aes128-gcm at openssh.com,aes256-gcm at openssh.com
>> debug2: ciphers stoc:
>> chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
>> ,aes128-gcm at openssh.com,aes256-gcm at openssh.com
>> debug2: MACs ctos:
>> umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256
>> -etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at o
>> penssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-
>> 256,hmac-sha2-512,hmac-sha1
>> debug2: MACs stoc:
>> umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256
>> -etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at o
>> penssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-
>> 256,hmac-sha2-512,hmac-sha1
>> debug2: compression ctos: none,zlib at openssh.com
>> debug2: compression stoc: none,zlib at openssh.com
>> debug2: languages ctos:
>> debug2: languages stoc:
>> debug2: first_kex_follows 0
>> debug2: reserved 0
>> debug2: peer client KEXINIT proposal
>> debug2: KEX algorithms:
>> curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nist
>> p384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,d
>> iffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,
>> ext-info-c
>> debug2: host key algorithms:
>> ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-c
>> ert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,s
>> sh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,s
>> sh-dss-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nis
>> tp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-25
>> 6,ssh-rsa,ssh-dss
>> debug2: ciphers ctos:
>> chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
>> ,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes1
>> 92-cbc,aes256-cbc,3des-cbc
>> debug2: ciphers stoc:
>> chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
>> ,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes1
>> 92-cbc,aes256-cbc,3des-cbc
>> debug2: MACs ctos:
>> umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256
>> -etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at o
>> penssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-
>> 256,hmac-sha2-512,hmac-sha1
>> debug2: MACs stoc:
>> umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256
>> -etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at o
>> penssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-
>> 256,hmac-sha2-512,hmac-sha1
>> debug2: compression ctos: none,zlib at openssh.com
>> debug2: compression stoc: none,zlib at openssh.com
>> debug2: languages ctos:
>> debug2: languages stoc:
>> debug2: first_kex_follows 0
>> debug2: reserved 0
>> debug1: kex: algorithm: curve25519-sha256 at libssh.org
>> debug1: kex: host key algorithm: ecdsa-sha2-nistp256
>> debug1: kex: client->server cipher:
>> chacha20-poly1305 at openssh.com MAC:
>> <implicit> compression: none
>> debug1: kex: server->client cipher:
>> chacha20-poly1305 at openssh.com MAC:
>> <implicit> compression: none
>> debug1: kex: curve25519-sha256 at libssh.org need=64 dh_need=64
>> debug1: kex: curve25519-sha256 at libssh.org need=64 dh_need=64
>> debug1: expecting SSH2_MSG_KEX_ECDH_INIT
>> debug3: receive packet: type 30
>> debug3: send packet: type 31
>> debug3: send packet: type 21
>> debug2: set_newkeys: mode 1
>> debug1: rekey after 134217728 blocks
>> debug1: SSH2_MSG_NEWKEYS sent
>> debug1: expecting SSH2_MSG_NEWKEYS
>> debug3: send packet: type 7
>> debug3: receive packet: type 21
>> debug2: set_newkeys: mode 0
>> debug1: rekey after 134217728 blocks
>> debug1: SSH2_MSG_NEWKEYS received
>> debug1: KEX done
>> debug3: receive packet: type 5
>> debug3: send packet: type 6
>> debug3: receive packet: type 50
>> debug1: userauth-request for user EXAMPLE+user1 service
>> ssh-connection
>> method none
>> debug1: attempt 0 failures 0
>> debug2: parse_server_config: config reprocess config len 530
>> debug2: input_userauth_request: setting up authctxt for EXAMPLE+user1
>> debug1: PAM: initializing for "EXAMPLE+user1"
>> debug1: PAM: setting PAM_RHOST to "141.30.156.114"
>> debug1: PAM: setting PAM_TTY to "ssh"
>> debug2: input_userauth_request: try method none
>> Failed none for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
>> debug3: userauth_finish: failure partial=0 next
>> methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
>> debug3: send packet: type 51
>> debug3: receive packet: type 50
>> debug1: userauth-request for user EXAMPLE+user1 service
>> ssh-connection
>> method gssapi-with-mic
>> debug1: attempt 1 failures 0
>> debug2: input_userauth_request: try method gssapi-with-mic
>> debug3: send packet: type 60
>> Postponed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port
>> 45018 ssh2
>> debug3: receive packet: type 61
>> debug1: Received some client credentials
>> debug3: send packet: type 61
>> debug3: receive packet: type 66
>> Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114
>> port 45018 ssh2
>> debug3: userauth_finish: failure partial=0 next
>> methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
>> debug3: send packet: type 51
>> debug3: receive packet: type 50
>> debug1: userauth-request for user EXAMPLE+user1 service
>> ssh-connection
>> method gssapi-with-mic
>> debug1: attempt 2 failures 1
>> debug2: input_userauth_request: try method gssapi-with-mic
>> Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
>> debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
>> debug3: send packet: type 51
>> debug3: receive packet: type 50
>> debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method gssapi-with-mic
>> debug1: attempt 3 failures 1
>> debug2: input_userauth_request: try method gssapi-with-mic
>> Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
>> debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
>> debug3: send packet: type 51
>> debug3: receive packet: type 50
>> debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method gssapi-with-mic
>> debug1: attempt 4 failures 1
>> debug2: input_userauth_request: try method gssapi-with-mic
>> Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
>> debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
>> debug3: send packet: type 51
>> debug3: receive packet: type 50
>> debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method publickey
>> debug1: attempt 5 failures 1
>> debug2: input_userauth_request: try method publickey
>> debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:PYcpC+MW8MGt1dXFFm9qebnkNkmClIpsaUTBR/Wzym8
>> debug1: temporarily_use_uid: 103321/10513 (e=0/0)
>> debug1: trying public key file /home/user1/.ssh/authorized_keys
>> debug1: Could not open authorized keys '/home/user1/.ssh/authorized_keys': No such file or directory
>> debug1: restore_uid: 0/0
>> debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-512
>> Failed publickey for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
>> debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
>> debug3: send packet: type 51
>> debug3: receive packet: type 50
>> debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method keyboard-interactive
>> debug1: attempt 6 failures 2
>> debug2: input_userauth_request: try method keyboard-interactive
>> debug1: keyboard-interactive devs
>> debug1: auth2_challenge: user=EXAMPLE+user1 devs=
>> debug1: kbdint_alloc: devices 'pam'
>> debug2: auth2_challenge_start: devices pam
>> debug2: kbdint_next_device: devices <empty>
>> debug1: auth2_challenge_start: trying authentication method 'pam'
>> debug3: PAM: sshpam_init_ctx entering
>> debug3: PAM: sshpam_query entering
>> debug3: ssh_msg_recv entering
>> debug3: PAM: sshpam_thread_conv entering, 1 messages
>> debug3: ssh_msg_send: type 1
>> debug3: ssh_msg_recv entering
>> debug3: send packet: type 60
>> Postponed keyboard-interactive for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
>>
>>
>> smb.conf:
>>
>> [global]
>>
>>       netbios name = computer1
>>       security = ADS
>>       workgroup = SUBDOM2
>>       realm = SUBDOM2.SUBDOM1.EXAMPLE.DE
>>       dedicated keytab file = /etc/krb5.keytab
>>       kerberos method = secrets and keytab
>>
>>       template homedir = /home/%U
>>       template shell = /bin/bash
>>
>>       winbind separator = +
>>
>>       idmap config * : backend = tdb
>>       idmap config * : range = 2000-2999
>>       idmap config SUBDOM2 : backend = rid
>>       idmap config SUBDOM2 : range = 3000-9999 # UID from RID for ILRW
>>       idmap config EXAMPLE : backend = rid
>>       idmap config EXAMPLE : range = 10000-9999999 # UID from RID for DOM
>>
>>
>> krb5.conf:
>>
>> [libdefaults]
>>           default_realm = SUBDOM2.SUBDOM1.EXAMPLE.DE
>>           dns_lookup_realm = false
>>           dns_lookup_kdc = true
>>           ticket_lifetime = 24h
>>           renew_lifetime = 7d
>>           forwardable = true
>>
>> [realms]
>>       EXAMPLE.DE = {
>>           auth_to_local = RULE:[1:EXAMPLE+$1]
>>       }
>>       SUBDOM1.EXAMPLE.DE = {
>>           auth_to_local = RULE:[1:SUBDOM1+$1]
>>       }
>>       SUBDOM2.SUBDOM1.EXAMPLE.DE = {
>>           auth_to_local = RULE:[1:SUBDOM2+$1]
>>       }
>>
>> [domain_realm]
>>       .subdom2.subdom1.example.de = SUBDOM2.SUBDOM1.EXAMPLE.DE
>>       subdom2.subdom1.example.de = SUBDOM2.SUBDOM1.EXAMPLE.DE
>>       .subdom1.example.de = SUBDOM1.EXAMPLE.DE
>>       subdom1.example.de = SUBDOM1.EXAMPLE.DE
>>       .example.de = EXAMPLE.DE
>>       example.de = EXAMPLE.DE
>>
>> [capaths]
>>       SUBDOM2.SUBDOM1.EXAMPLE.DE = {
>>           SUBDOM1.EXAMPLE.DE = .
>>           EXAMPLE.DE = SUBDOM1.EXAMPLE.DE
>>       }
>>       SUBDOM1.EXAMPLE.DE = {
>>           SUBDOM2.SUBDOM1.EXAMPLE.DE = .
>>           EXAMPLE.DE = .
>>       }
>>       EXAMPLE.DE = {
>>           SUBDOM1.EXAMPLE.DE = .
>>           SUBDOM2.SUBDOM1.EXAMPLE.DE = SUBDOM1.EXAMPLE.DE
>>       }
>>
>> [logging]
>>       kdc = FILE:/var/log/krb5/krb5kdc.log
>>       admin_server = FILE:/var/log/krb5/kadmind.log
>>       default = SYSLOG:DEBUG:DAEMON
>>
>> sshd_config:
>>
>> AuthorizedKeysFile      .ssh/authorized_keys
>> PasswordAuthentication no
>> GSSAPIAuthentication yes
>> GSSAPICleanupCredentials yes
>> UsePAM yes
>> X11Forwarding yes
>> Subsystem       sftp    /usr/lib/ssh/sftp-server
>> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
>> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
>> AcceptEnv LC_IDENTIFICATION LC_ALL
>>
>> -- 
>> Regards,
>> Andreas
>>
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
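An added check for the auth_to_local rules in the quoted krb5.conf (example code written for this page, not from the thread, Samba or MIT Kerberos): it implements only the "[n:string]" selector of MIT's RULE syntax, applies the three quoted rules to sample principals, and reports whether the derived local name is the user name sshd logged (EXAMPLE+user1). The function names and the sample principals are constructed; the realm names and rules are the thread's own.

```python
import re

# Rules and realms copied from the krb5.conf quoted above.
AUTH_TO_LOCAL = {
    "EXAMPLE.DE": ["RULE:[1:EXAMPLE+$1]"],
    "SUBDOM1.EXAMPLE.DE": ["RULE:[1:SUBDOM1+$1]"],
    "SUBDOM2.SUBDOM1.EXAMPLE.DE": ["RULE:[1:SUBDOM2+$1]"],
}
DEFAULT_REALM = "SUBDOM2.SUBDOM1.EXAMPLE.DE"

# Only the "[n:string]" selector of MIT's RULE syntax is implemented; rules that also
# carry "(regexp)" or "s/pat/repl/" parts are rejected rather than silently misapplied.
_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]$")

def split_principal(principal):
    """'comp1/comp2@REALM' -> (['comp1', 'comp2'], 'REALM'); escaped '@' or '/' not handled."""
    name, sep, realm = principal.rpartition("@")
    if not (sep and name and realm):
        raise ValueError(f"principal without name or realm: {principal!r}")
    return name.split("/"), realm

def apply_rule(rule, components, realm):
    """Apply one RULE:[n:string]; return the local name, or None if the rule does not apply."""
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    n, fmt = int(m.group(1)), m.group(2)
    if len(components) != n:  # a [1:...] rule never matches host/fqdn style principals
        return None
    out = fmt.replace("$0", realm)  # $0 is the realm, $1..$n the name components
    for i, comp in enumerate(components, start=1):
        out = out.replace(f"${i}", comp)
    return out

def auth_to_local(principal, rules=AUTH_TO_LOCAL, default_realm=DEFAULT_REALM):
    """Local user name for a principal, or None when no rule applies (the mapping fails)."""
    components, realm = split_principal(principal)
    for rule in rules.get(realm) or ["DEFAULT"]:  # DEFAULT is implied only for unlisted realms
        if rule == "DEFAULT":
            if len(components) == 1 and realm == default_realm:
                return components[0]
        elif (local := apply_rule(rule, components, realm)) is not None:
            return local
    return None

def login_matches(principal, login_name):
    """True when the user name sshd received (e.g. EXAMPLE+user1) is what the rules derive."""
    return auth_to_local(principal) == login_name
```

A principal with two components, such as a host/... service principal, maps to nothing under these [1:...] rules, so the check distinguishes a name-mapping mismatch from the cross-realm (capaths, keytab) problems the thread is chasing.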