[Samba] SSH SSO without keytab file
L.P.H. van Belle
belle at bazuin.nl
Tue Jan 15 09:08:48 UTC 2019
Hai,
Let's start here.
Handy for us to know.
OS?
Samba version?
AD or member setup?
And I suggest you set this in the ssh server.
# GSSAPI options
GSSAPIAuthentication yes
Restart the ssh server and try to SSO login.
If it's an AD server this should work.
Yes, you don't get a home dir etc. and end up in / after login, but let's check if this works.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Harpoon via samba
> Sent: Tuesday 15 January 2019 9:45
> To: samba at lists.samba.org
> Subject: [Samba] SSH SSO without keytab file
>
> Hi all,
>
> I've set up a SambaAD server. I joined two Linux test hosts, a
> Windows test host and an SSH server to the domain. Here are
> my requirements:
>
> 1. I plan to use Samba accounts to authenticate the users for SSH.
> 2. Users shouldn't have to re-enter their passwords to connect to SSH.
>
> The link at [1] gives some hints on setting up SSO and SSH.
> But that guide requires creation (and re-creation upon
> password change) of keytab files.
>
> Is there a way to get SSO without using keytab files? My
> rather theoretical knowledge of Kerberos says that the user
> should get a TGT when logging in for a new session (using
> LightDM). Can't the same TGT be used by ssh client to request
> a ticket from Kerberos Authentication Server for SSH server?
>
> This approach will save me from management and routine
> re-creation of keytab files.
>
> Kind regards,
> Harp
>
> [1]
> https://wiki.samba.org/index.php/OpenSSH_Single_sign-on#SSH_client_setup
>
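An added example, not part of the thread: a check that the `GSSAPIAuthentication yes` line suggested in the reply is the value sshd actually uses, since sshd_config takes the first value it reads for a keyword and a later line does not override it. The function name `effective_sshd_option` and the sample config are constructed for illustration; `Include` files are not followed, and `sshd -T` on the live host remains the authoritative dump of the effective settings.

```shell
#!/bin/sh
# effective_sshd_option FILE KEYWORD  (hypothetical helper, added example)
# Prints the value the global section of FILE assigns to KEYWORD, or "unset".
# sshd_config rules applied here:
#   - keywords are case-insensitive, "Keyword value" and "Keyword=value" both parse
#   - lines starting with '#' are comments
#   - the FIRST value obtained for a keyword wins
#   - global scope ends at the first Match line
effective_sshd_option() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)
            key = tolower(f[1])
            if (key == "match") exit
            if (key == want && n >= 2) { print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Constructed sample: a commented-out default, the intended setting,
# a stray later line that is ignored, and a Match block that is out of scope.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# GSSAPI options
#GSSAPIAuthentication no
gssapiauthentication yes
GSSAPIAuthentication no
Match User backup
    GSSAPIAuthentication no
EOF

# "unset" means sshd falls back to its built-in default for that keyword
# (for GSSAPIAuthentication in OpenSSH that default is "no").
echo "GSSAPIAuthentication: $(effective_sshd_option "$sample" GSSAPIAuthentication)"
echo "GSSAPIKeyExchange:    $(effective_sshd_option "$sample" GSSAPIKeyExchange)"
rm -f "$sample"
```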