[Samba] SSH SSO without keytab file

Harpoon harp00n at protonmail.com
Fri Jan 18 08:24:03 UTC 2019


Thanks for the prompt reply!

> I did see that you are using Administrator, and that's the problem.
>
> Administrator is mapped to root (most of the time),
> if you assigned Administrator UID = 0 then you have a problem, because only root = uid 0.
>
> Never ever give Administrator a UID/GID

I am using the tdb backend. It mapped the administrator account to 12000:10000.

> So try again with a normal user, that does have a UID/GID.

I tried testing with normal users too whose UID/GID was mapped by tdb in ~10000 range. It produced the same problem.

> If that does not work, please share these, because this should work fine.
> /etc/samba/smb.conf
> /etc/krb5.conf
> /etc/ssh/sshd_config

Please find these conf files here:

-----------------------------
DC's /etc/samba/smb.conf
-----------------------------
[global]
        netbios name = DC1
        realm = SAMDOM.EXAMPLE.COM
        workgroup = SAMDOM
        dns forwarder = 10.0.5.200
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        winbind enum users = yes
        winbind enum groups = yes
        template shell = /bin/bash

[netlogon]
        path = /var/lib/samba/sysvol/samdom.example.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

--------------------------------
Client's /etc/samba/smb.conf
--------------------------------
[global]
        netbios name = client1
        realm = SAMDOM.EXAMPLE.COM
        workgroup = SAMDOM
        security = ADS
        kerberos method = secrets and keytab
        winbind trusted domains only = no
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind nss info = rfc2307

        idmap config * : backend = tdb
        idmap config * : range = 10000-200000

-------------------------------
/etc/ssh/sshd_config (Running on DC)
-------------------------------
PubkeyAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UseDNS yes
PermitRootLogin yes
UsePAM no

-------------------------------
/etc/ssh/ssh_config (Client SSH config)
-------------------------------

Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

--------------------------------------
/etc/krb5.conf (Same on DC and clients)
--------------------------------------

[libdefaults]
        default_realm = SAMDOM.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

Thanks for your help!

> > -----Original message-----
> > From: Harpoon [mailto:harp00n at protonmail.com]
> > Sent: Friday 18 January 2019 7:15
> > To: L.P.H. van Belle
> > CC: samba at lists.samba.org
> > Subject: Re: [Samba] SSH SSO without keytab file
> > I was caught up in another issue so couldn't reply earlier.
>
> No problem at all, so are we ;-)
>
> > > OS?
> > > Debian stretch on all nodes.
> > > Samba version?
> > > Version 4.5.12-Debian
> > > AD or member setup?
> > > I followed Samba wiki instructions to setup DC and members.
> > > AD running Samba. Members running smbd, nmbd and winbind.
> > > `getent passwd` and `wbinfo -u` work fine; listing all
> > > members. I can also `su SAMDOM\\\\administrator` to get
> > > authenticated as `administrator`.
> > > And I suggest, set this in the ssh server.
> > > GSSAPI options
> > > ===============
> > > GSSAPIAuthentication yes
> >
> > Already have. For the time being, I setup SSH server on the
> > DC itself. Eventually, SSH server will be on a separate machine.
> > I have tried two options (after `kinit administrator`):
> >
> > a) Using `UsePAM yes` in sshd_config:
> >
> > --------------------------------------
> >
> > I ran `ssh administrator at dc1.domain.com -vv`
> > SSH client logs:
> > debug1: SSH2_MSG_EXT_INFO received
> > debug1: kex_input_ext_info:
> > server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
> > debug2: service_accept: ssh-userauth
> > debug1: SSH2_MSG_SERVICE_ACCEPT received
> > debug1: Authentications that can continue:
> > gssapi-keyex,gssapi-with-mic,password
> > debug1: Next authentication method: gssapi-keyex
> > debug1: No valid Key exchange context
> > debug2: we did not send a packet, disable method
> > debug1: Next authentication method: gssapi-with-mic
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue:
> > gssapi-keyex,gssapi-with-mic,password
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue:
> > gssapi-keyex,gssapi-with-mic,password
> > debug2: we did not send a packet, disable method
> > debug1: Next authentication method: password
> > Then I enter the password, and I'm granted the shell.
> > SSH server logs:
> > Jan 18 11:05:12 DC1 sshd[16690]: pam_winbind(sshd:auth):
> > getting password (0x00000388)
> > Jan 18 11:05:12 DC1 sshd[16690]: pam_winbind(sshd:auth):
> > pam_get_item returned a password
> > Jan 18 11:05:12 DC1 sshd[16690]: pam_winbind(sshd:auth): user
> > 'administrator' granted access
> > Jan 18 11:05:12 DC1 sshd[16690]: Accepted password for
> > administrator from 10.0.5.101 port 33796 ssh2
> > Jan 18 11:05:12 DC1 sshd[16690]: pam_unix(sshd:session):
> > session opened for user SAMDOM\administrator by (uid=0)
> >
> > b) Using `UsePAM no`:
> >
> > ----------------------
> >
> > I ran `ssh administrator at dc1.domain.com -vv`
> > SSH client logs:
> > debug1: SSH2_MSG_EXT_INFO received
> > debug1: kex_input_ext_info:
> > server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
> > debug2: service_accept: ssh-userauth
> > debug1: SSH2_MSG_SERVICE_ACCEPT received
> > debug1: Authentications that can continue:
> > gssapi-keyex,gssapi-with-mic,password
> > debug1: Next authentication method: gssapi-keyex
> > debug1: No valid Key exchange context
> > debug2: we did not send a packet, disable method
> > debug1: Next authentication method: gssapi-with-mic
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue:
> > gssapi-keyex,gssapi-with-mic,password
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue:
> > gssapi-keyex,gssapi-with-mic,password
> > debug2: we did not send a packet, disable method
> > debug1: Next authentication method: password
> > Then I enter the password, and receive this error:
> > Permission denied, please try again.
> > SSH server logs:
> > Jan 18 11:09:15 DC1 sshd[16722]: error: Could not get shadow
> > information for SAMDOM\\administrator
> > Jan 18 11:09:15 DC1 sshd[16722]: Failed password for
> > administrator from 10.0.5.101 port 33800 ssh2
> >
> > It seems I'm unable to use the TGT for SSH authentication. I
> > read somewhere that using `UsePAM yes` always requires
> > a password. But setting `UsePAM no` says permission denied.
> > Regards,
> > Harp
> >
> > > Restart the ssh server and try to SSO login.
> > > If it's an AD server this should work.
> > > Yes, you don't get home dir etc, end up in / after login,
> > > but lets check if this works.
> > > Greetz,
> > > Louis
> > >
> > > > -----Original message-----
> > > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > > > Harpoon via samba
> > > > Sent: Tuesday 15 January 2019 9:45
> > > > To: samba at lists.samba.org
> > > > Subject: [Samba] SSH SSO without keytab file
> > > > Hi all,
> > > > I've set up a Samba AD server. I joined two Linux test hosts, a
> > > > Windows test host and an SSH server to the domain. Here are
> > > > my requirements:
> > > >
> > > > 1.  I plan to use Samba accounts to authenticate the
> > > >     users for SSH.
> > > >
> > > > 2.  Users shouldn't have to re-enter their passwords to
> > > >     connect to SSH.
> > > >
> > > > The link at [1] gives some hints on setting up SSO and SSH.
> > > > But that guide requires creation (and re-creation upon
> > > > password change) of keytab files.
> > > > Is there a way to get SSO without using keytab files? My
> > > > rather theoretical knowledge of Kerberos says that the user
> > > > should get a TGT when logging in for a new session (using
> > > > LightDM). Can't the same TGT be used by ssh client to request
> > > > a ticket from Kerberos Authentication Server for SSH server?
> > > > This approach will save me from management and routine
> > > > re-creation of keytab files.
> > > > Kind regards,
> > > > Harp
> > > > [1]
> > > > https://wiki.samba.org/index.php/OpenSSH_Single_sign-on#SSH_client_setup
> > > >
> > > > To unsubscribe from this list go to the following URL and read the
> > > > instructions: https://lists.samba.org/mailman/options/samba
> > >
>

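The client-side pattern quoted above, a gssapi-with-mic packet sent and then a fresh "Authentications that can continue" list, is the server failing the GSSAPI attempt, which is the expected result when the sshd host has no keytab entry for host/<fqdn>@REALM to decrypt the service ticket with. The following Python classifier for such a transcript is an added example, not code from the thread or from the Samba project; the log excerpt is constructed from the lines quoted above and the hint texts are my own.

```python
import re

# Constructed excerpt modelled on the `ssh -vv` client output quoted in the thread
SAMPLE_LOG = """\
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
"""

# What each GSSAPI outcome means, seen from the server and client side
HINTS = {
    ("gssapi-with-mic", "rejected"):
        "server refused the Kerberos token: sshd needs host/<fqdn>@REALM in its "
        "keytab (/etc/krb5.keytab by default) and the ssh target name must match",
    ("gssapi-with-mic", "not-attempted"):
        "client had no usable ticket: check klist/kinit and GSSAPIAuthentication",
}

def analyze_ssh_debug(log):
    """Return {method: 'offered' | 'not-attempted' | 'rejected'}.
    'rejected' = client sent a packet and the server answered with a fresh
    "Authentications that can continue" list; 'not-attempted' = no packet sent."""
    offered, status, current, sent = set(), {}, None, False
    for line in log.splitlines():
        m = re.search(r"Authentications that can continue: (.+)", line)
        if m:
            offered.update(m.group(1).strip().split(","))
            if current and sent:
                status[current], sent = "rejected", False
            continue
        m = re.search(r"Next authentication method: (\S+)", line)
        if m:
            current, sent = m.group(1), False
        elif "we sent a" in line and "wait for reply" in line:
            sent = True
        elif "we did not send a packet" in line and current:
            status.setdefault(current, "not-attempted")
    return {meth: status.get(meth, "offered") for meth in sorted(offered)}

def diagnose(log):
    """Hints for the methods whose (method, outcome) pair HINTS explains."""
    return {m: HINTS[(m, s)] for m, s in analyze_ssh_debug(log).items() if (m, s) in HINTS}
```

Run it over the output of `ssh -vv user@host` to see whether the Kerberos ticket was never presented (a client-side problem) or presented and refused (a server-side keytab or hostname problem).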