[Samba] SSH SSO without keytab file

L.P.H. van Belle belle at bazuin.nl
Fri Jan 18 07:56:22 UTC 2019 

Hai, 

I did see that you are using Administrator, and thats the problem. 

Administrator is mapped to root ( most of the time ), 
if you assigned Administrator UID = 0 then you have a problem, because only root = uid 0.

Never ever give Administrator a UID/GID, create a new one assign that one a UID/GID.
So try again with a normal user, that does have a UID/GID. 

If that does not work, please share these, because this should work fine. 
/etc/samba/smb.conf 
/etc/krb5.conf
/etc/ssh/sshd_config


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: Harpoon [mailto:harp00n at protonmail.com] 
> Verzonden: vrijdag 18 januari 2019 7:15
> Aan: L.P.H. van Belle
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] SSH SSO without keytab file
> 
> 
> I was caught up in another issue so could't reply earlier.
No problem at all, so are we ;-) 

> 
> > OS?
> Debian stretch on all nodes.
> > 
> > Samba version?
> Version 4.5.12-Debian
> > 
> > AD or member setup?
> I followed Samba wiki instructions to setup DC and members. 
> AD running Samba. Members running smbd, nmbd and winbind. 
> `getent passwd` and `wbinfo -u` work fine; listing all 
> members. I can also `su SAMDOM\\administrator` to get 
> authenticated as `administrator`.
> > 
> > And I suggest, set this in the ssh server.
> >
> > GSSAPI options
> >
> > ===============
> >
> > GSSAPIAuthentication yes>
> 
> Already have. For the time being, I setup SSH server on the 
> DC itself. Eventually, SSH server will be on a separate machine.
> 
> I have tried two options (after `kinit administrator`):
> 
> a) Using `UsePAM yes` in sshd_config:
> ------------------------
> 
> I ran `ssh administrator at dc1.domain.com -vv`
> 
> SSH client logs:
> 
> debug1: SSH2_MSG_EXT_INFO received
> debug1: kex_input_ext_info: 
> server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp2
> 56,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: 
> gssapi-keyex,gssapi-with-mic,password
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug2: we did not send a packet, disable method
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue: 
> gssapi-keyex,gssapi-with-mic,password
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue: 
> gssapi-keyex,gssapi-with-mic,password
> debug2: we did not send a packet, disable method
> debug1: Next authentication method: password
> 
> Then I enter the password, and I'm granted the shell.
> 
> SSH server logs:
> Jan 18 11:05:12 DC1 sshd[16690]: pam_winbind(sshd:auth): 
> getting password (0x00000388)
> Jan 18 11:05:12 DC1 sshd[16690]: pam_winbind(sshd:auth): 
> pam_get_item returned a password
> Jan 18 11:05:12 DC1 sshd[16690]: pam_winbind(sshd:auth): user 
> 'administrator' granted access
> Jan 18 11:05:12 DC1 sshd[16690]: Accepted password for 
> administrator from 10.0.5.101 port 33796 ssh2
> Jan 18 11:05:12 DC1 sshd[16690]: pam_unix(sshd:session): 
> session opened for user SAMDOM\administrator by (uid=0)
> 
> 
> b) Using `UsePAM no`:
> -------------------
> 
> I ran `ssh administrator at dc1.domain.com -vv`
> 
> SSH client logs:
> debug1: SSH2_MSG_EXT_INFO received
> debug1: kex_input_ext_info: 
> server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp2
> 56,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: 
> gssapi-keyex,gssapi-with-mic,password
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug2: we did not send a packet, disable method
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue: 
> gssapi-keyex,gssapi-with-mic,password
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue: 
> gssapi-keyex,gssapi-with-mic,password
> debug2: we did not send a packet, disable method
> debug1: Next authentication method: password
> 
> Then I enter the password, and receive this error:
> 
> Permission denied, please try again.
> 
> SSH server logs:
> Jan 18 11:09:15 DC1 sshd[16722]: error: Could not get shadow 
> information for SAMDOM\\administrator
> Jan 18 11:09:15 DC1 sshd[16722]: Failed password for 
> administrator from 10.0.5.101 port 33800 ssh2
> 
> ---------------------------------------------------------
> 
> It seems I'm unable to use the TGT for SSH authentication. I 
> read some where that using `UsePAM yes` **always** requires 
> for password. But setting `UsePAM no` says permission denied.
> 
> Regards,
> Harp
> 
> > Restart the ssh server and try to SSO login.
> > If its a AD server this should work.
> >
> > Yes, you dont get home dir etc, end up in / after login, 
> but lets check if this works.
> >
> > Greetz,
> >
> > Louis
> >
> > > -----Oorspronkelijk bericht-----
> > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> > > Harpoon via samba
> > > Verzonden: dinsdag 15 januari 2019 9:45
> > > Aan: samba at lists.samba.org
> > > Onderwerp: [Samba] SSH SSO without keytab file
> > > Hi all,
> > > I've setup a SambaAD server. I joined two Linux test hosts, a
> > > Windows test host and an SSH server to the domain. Here are
> > > my requirements:
> > >
> > > 1.  I plan to use Samba accounts to authenticate the 
> users for SSH.
> > > 2.  Users shouldn't have to re-enter their passwords to 
> connect to SSH.
> > >
> > > The link at [1] gives some hints on setting up SSO and SSH.
> > > But that guide requires creation (and re-creation upon
> > > password change) of keytab files.
> > > Is there a way to get SSO without using keytab files? My
> > > rather theoretical knowledge of Kerberos says that the user
> > > should get a TGT when logging in for a new session (using
> > > LightDM). Can't the same TGT be used by ssh client to request
> > > a ticket from Kerberos Authentication Server for SSH server?
> > > This approach will save me from management and routine
> > > re-creation of keytab files.
> > > Kind regards,
> > > Harp
> > > [1]
> > > https://wiki.samba.org/index.php/OpenSSH_Single_sign-on#SSH_cl
> > > ient_setup
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions: https://lists.samba.org/mailman/options/samba
> >
> > --
> >
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> 
> 
>

More information about the samba mailing list