[Samba] SSH SSO without keytab file

Harpoon harp00n at protonmail.com
Fri Jan 18 06:15:26 UTC 2019 

I was caught up in another issue so could't reply earlier.

> OS?
Debian stretch on all nodes.
> Samba version?
Version 4.5.12-Debian
> AD or member setup?
I followed Samba wiki instructions to setup DC and members. AD running Samba. Members running smbd, nmbd and winbind. `getent passwd` and `wbinfo -u` work fine; listing all members. I can also `su SAMDOM\\administrator` to get authenticated as `administrator`.
> And I suggest, set this in the ssh server.
>
> GSSAPI options
>
> ===============
>
> GSSAPIAuthentication yes>

Already have. For the time being, I setup SSH server on the DC itself. Eventually, SSH server will be on a separate machine.

I have tried two options (after `kinit administrator`):

a) Using `UsePAM yes` in sshd_config:
------------------------

I ran `ssh administrator at dc1.domain.com -vv`

SSH client logs:

debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password

Then I enter the password, and I'm granted the shell.

SSH server logs:
Jan 18 11:05:12 DC1 sshd[16690]: pam_winbind(sshd:auth): getting password (0x00000388)
Jan 18 11:05:12 DC1 sshd[16690]: pam_winbind(sshd:auth): pam_get_item returned a password
Jan 18 11:05:12 DC1 sshd[16690]: pam_winbind(sshd:auth): user 'administrator' granted access
Jan 18 11:05:12 DC1 sshd[16690]: Accepted password for administrator from 10.0.5.101 port 33796 ssh2
Jan 18 11:05:12 DC1 sshd[16690]: pam_unix(sshd:session): session opened for user SAMDOM\administrator by (uid=0)


b) Using `UsePAM no`:
-------------------

I ran `ssh administrator at dc1.domain.com -vv`

SSH client logs:
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password

Then I enter the password, and receive this error:

Permission denied, please try again.

SSH server logs:
Jan 18 11:09:15 DC1 sshd[16722]: error: Could not get shadow information for SAMDOM\\administrator
Jan 18 11:09:15 DC1 sshd[16722]: Failed password for administrator from 10.0.5.101 port 33800 ssh2

---------------------------------------------------------

It seems I'm unable to use the TGT for SSH authentication. I read some where that using `UsePAM yes` **always** requires for password. But setting `UsePAM no` says permission denied.

Regards,
Harp

> Restart the ssh server and try to SSO login.
> If its a AD server this should work.
>
> Yes, you dont get home dir etc, end up in / after login, but lets check if this works.
>
> Greetz,
>
> Louis
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> > Harpoon via samba
> > Verzonden: dinsdag 15 januari 2019 9:45
> > Aan: samba at lists.samba.org
> > Onderwerp: [Samba] SSH SSO without keytab file
> > Hi all,
> > I've setup a SambaAD server. I joined two Linux test hosts, a
> > Windows test host and an SSH server to the domain. Here are
> > my requirements:
> >
> > 1.  I plan to use Samba accounts to authenticate the users for SSH.
> > 2.  Users shouldn't have to re-enter their passwords to connect to SSH.
> >
> > The link at [1] gives some hints on setting up SSO and SSH.
> > But that guide requires creation (and re-creation upon
> > password change) of keytab files.
> > Is there a way to get SSO without using keytab files? My
> > rather theoretical knowledge of Kerberos says that the user
> > should get a TGT when logging in for a new session (using
> > LightDM). Can't the same TGT be used by ssh client to request
> > a ticket from Kerberos Authentication Server for SSH server?
> > This approach will save me from management and routine
> > re-creation of keytab files.
> > Kind regards,
> > Harp
> > [1]
> > https://wiki.samba.org/index.php/OpenSSH_Single_sign-on#SSH_cl
> > ient_setup
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
> --
>
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

More information about the samba mailing list