[Samba] Automate Kerberized SSH Connections using Samba 4 as the KDC??

Rowland penny rpenny at samba.org
Wed Oct 30 08:14:47 UTC 2019


On 30/10/2019 01:03, Zombie Ryushu via samba wrote:
> Is it possible to use Samba to automate Kerberized SSH for keytab based
> Sign in by Unison? I want to use Unison to Sync OwnCloud/NextCloud.

SSH with a keytab is possible. Not sure if it works with Unison; this is 
because I do not use Unison.

You require these lines in smb.conf:

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind use default domain = yes

and in /etc/security/pam_winbind.conf (if they are not set in 
/etc/pam.d/common-auth):

krb5_auth = yes
krb5_ccache_type = FILE

Forward and reverse DNS must be working.

SSH server setup

In /etc/ssh/sshd_config ensure you have the following options set:

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
# If your version supports this:
GSSAPIKeyExchange yes
# If your version supports this:
GSSAPIStoreCredentialsOnRekey yes

Then restart sshd.

SSH client setup

For the client side, ensure you have the following set under an 
appropriate "Host" section in /etc/ssh/ssh_config:

Host *
     GSSAPIAuthentication yes
     # If your version supports this:
     GSSAPIKeyExchange yes
     # If your version supports this:
     GSSAPIRenewalForcesRekey yes
     GSSAPITrustDns yes
Host *.samdom.example.com
     # It's best to limit this option to only trusted hosts:
     GSSAPIDelegateCredentials yes

Rowland
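An added offline pre-flight check for the client-side settings in the post (example code written for this page, not code from Rowland's message or from the Samba project): it parses an ssh_config fragment, resolves the options OpenSSH would apply to a given host name with its first-match-wins rule, confirms the "Host *" GSSAPI settings are in effect, and flags GSSAPIDelegateCredentials when it is granted under "Host *" instead of the narrower pattern the post recommends. The function names and the sample config are assumptions constructed for this example.

```python
import fnmatch
import re

# Values the post requires under 'Host *' (keys lower-cased: OpenSSH keywords are case-insensitive).
REQUIRED = {"gssapiauthentication": "yes", "gssapitrustdns": "yes"}

# Constructed sample client config (not taken from a live system).
SAMPLE_SSH_CONFIG = """Host *
    GSSAPIAuthentication yes
    GSSAPITrustDns yes
Host *.samdom.example.com
    GSSAPIDelegateCredentials yes
"""

def parse_ssh_config(text):
    """Split ssh_config text into [(host_patterns, {keyword: value})]. Lines before the
    first Host form a '*' block; '=' or whitespace separates keyword and value;
    '#' starts a comment; '!' negation in Host patterns is not modelled."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        m = re.match(r"^(\S+?)\s*(?:=|\s)\s*(.*)$", raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first occurrence wins, as in OpenSSH
    return blocks

def effective_options(blocks, hostname):
    """Options ssh would use for hostname: the first matching block to set a key wins."""
    opts = {}
    for patterns, kv in blocks:
        if any(fnmatch.fnmatchcase(hostname, p) for p in patterns):
            for key, value in kv.items():
                opts.setdefault(key, value)
    return opts

def check_client(text, hostname):
    """Return findings for the client config as seen when connecting to hostname."""
    blocks = parse_ssh_config(text)
    opts = effective_options(blocks, hostname)
    findings = [f"{k} should be {want}, got {opts.get(k, 'unset')}"
                for k, want in REQUIRED.items() if opts.get(k, "").lower() != want]
    # Delegation forwards the user's TGT to the server; flag it when granted under 'Host *'.
    for patterns, kv in blocks:
        if kv.get("gssapidelegatecredentials", "").lower() == "yes" and "*" in patterns:
            findings.append("GSSAPIDelegateCredentials yes applies to every host (Host *)")
    return findings
```

Run it against a copy of /etc/ssh/ssh_config before rolling the settings out; an empty list means the host name given resolves to the expected options.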
