[Samba] Automate Kerberized SSH Connections using Samba 4 as the KDC??

Rowland penny rpenny at samba.org
Wed Oct 30 08:14:47 UTC 2019

On 30/10/2019 01:03, Zombie Ryushu via samba wrote:
> Is it possible to use Samba to automate Kerberized SSH for keytab based
> Sign in by Unison? I want to use Unison to Sync OwnCloud/NextCloud.

SSH with a keytab is possible, not sure if it works with Unison, this is 
because I do not use Unison.

You require these lines in smb.conf:

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind use default domain = yes

and in /etc/security/pam_winbind.conf (if they are not set in 

krb5_auth = yes
krb5_ccache_type = FILE

Forward and reverse DNS must be working

SSH server setup

In /etc/ssh/sshd_config ensure you have the following options set:

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes                # If your version supports this
GSSAPIStoreCredentialsOnRekey yes    # If your version supports this

Then restart sshd.

SSH client setup

For the client side, ensure you have the following set under an 
appropriate "Host" section in /etc/ssh/ssh_config:

Host *
     GSSAPIAuthentication yes
     GSSAPIKeyExchange yes         # If your version supports this
     GSSAPIRenewalForcesRekey yes  # If your version supports this
     GSSAPITrustDns yes
Host *.samdom.example.com
     # It's best to limit this option to only trusted hosts:
     GSSAPIDelegateCredentials yes


More information about the samba mailing list