[Samba] Kerberos S4U token with SAMBA4

Taylor Hammerling thammerling at tcsbasys.com
Tue Jun 12 13:18:58 UTC 2018


Norbert - I should mention that I have tested this setup using an actual
Windows 2008 R2 domain controller, using public key authentication, and it
worked perfectly.

Rowland - I'm not 100% sure where the user 'root' came from.  It is
possible it is something from back when we were using TKL's implementation
of SAMBA, or it could be that I created the user.  Can't rightly remember;
it was a year and a half ago.
I have tried with an actual domain user (i.e., me) and it did not work either.

On Tue, Jun 12, 2018 at 2:28 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Tue, 12 Jun 2018 08:28:10 +0200
> Norbert Hanke via samba <samba at lists.samba.org> wrote:
>
> > Hi Taylor
> >
> > That's not hard to explain:
> >
> > The login to a local account is under the control of sshd, and if
> > that has enough privileges it works.
> >
> > The login to a domain account is a kerberos login which requires
> > either Username and Password, or possibly PKINIT with a certificate.
> > None of them can work with just a public key.
> >
> > Norbert
> >
> >
> > On 11.06.2018 15:56, Taylor Hammerling via samba wrote:
> > > Does SAMBA4 support Kerberos S4U tokens?
> > >
> > > Background:
> > > I am trying to get OpenSSH for Windows to work on machines joined
> > > to our SAMBA4 domain.
> > > We are running Samba 4.7.3-Debian on Debian 9.
> > >
> > > When attempting to SSH into a Windows client using public key
> > > credentials for a domain user, it fails.  When attempting to SSH
> > > into a Windows client using public key credentials for a local user,
> > > it works just fine.
> > >
> > > I have been working with the OpenSSH team trying to figure out why
> > > this isn't working; see the GitHub issue below.
> > >
> > > https://github.com/PowerShell/Win32-OpenSSH/issues/1177#issuecomment-394789906
> > >
> > > Thanks in advance for any assistance you can provide. :)
> > >
> > > Taylor
> > >
> >
> >
>
> Go on, I give in, how did you get a windows user called 'root' ???
> As in:
>
> C:\\Users\\root\\.ssh/authorized_keys:1: matching key found: RSA
> SHA256:ajJEDL02MZx9advPCbyw8CHcGFdmF4sKnOojxo1/lFI
>
> Have you tried with an actual domain user ?
> i.e. not one called 'root' (By the way, 'root' SHOULDN'T exist in AD)
>
> Rowland



-- 
*Taylor Hammerling* |  *IT Manager*

