[Samba] Trouble in ssh into Windows machines in the Windows/Samba Domain

Nicola Mingotti nmingotti at gmail.com
Sat Apr 10 14:34:03 UTC 2021


Hi Rowland. I don't know where the 'sshd_config' came from, and I find
it quite mysterious that you don't have the same lines I have.

Anyway, at the moment this is the situation:

1] Password authentication with domain user OK, but it NEEDS the password
typed in. Till now I have not found a way to log in without it. That is,
I was not able to realize OpenSSH Single Sign-On.

2] SSH login with public key. Does not work. Here the thing is quite
strange: if I put my public key into the computer with the ssh server I
can't log in anymore. Below are the error messages I see from the ssh
service.

A guy on GitHub (@remipaeta) says with Windows AD he is able to log in
to ssh with public key and he finds this problem only with Samba. Maybe
you can check this statement; I don't have a Windows AD. Or maybe you
know the developer who is able to look at this corner of the code ;)

Next thing I am going to try is whether Single Sign-On and public key
auth work from two Linux machines in the Samba Windows Domain, user in
the domain. I will let you know.
I need to set up another Linux machine in the domain to make the experiment.

bye
n.

----------------------------------------------------------------
1228 2021-04-10 15:50:00.953 debug1: trying public key file 
C:\\Users\\adam1\\.ssh/authorized_keys
1228 2021-04-10 15:50:00.954 debug1: 
C:\\Users\\adam1\\.ssh/authorized_keys:1: matching key found: RSA 
SHA256:hcDASnV1vvd88xpKM/xN2XtUSCvcW3oPUz0izqFMTBE
1228 2021-04-10 15:50:00.954 debug1: 
C:\\Users\\adam1\\.ssh/authorized_keys:1: key options: agent-forwarding 
port-forwarding pty user-rc x11-forwarding
1228 2021-04-10 15:50:00.954 Accepted key RSA 
SHA256:hcDASnV1vvd88xpKM/xN2XtUSCvcW3oPUz0izqFMTBE found at 
C:\\Users\\adam1\\.ssh/authorized_keys:1
1228 2021-04-10 15:50:00.954 debug3: mm_answer_keyallowed: publickey 
authentication: RSA key is allowed
1228 2021-04-10 15:50:00.954 debug3: mm_request_send entering: type 23
1228 2021-04-10 15:50:00.954 debug3: mm_sshkey_verify entering [preauth]
1228 2021-04-10 15:50:00.954 debug3: mm_request_send entering: type 24 
[preauth]
1228 2021-04-10 15:50:00.954 debug3: mm_request_receive entering
1228 2021-04-10 15:50:00.954 debug3: monitor_read: checking request 24
1228 2021-04-10 15:50:00.955 debug3: mm_answer_keyverify: publickey 
00000245CC8618E0 signature verified
1228 2021-04-10 15:50:00.955 debug1: auth_activate_options: setting new 
authentication options
1228 2021-04-10 15:50:00.955 debug3: mm_request_send entering: type 25
1228 2021-04-10 15:50:00.955 Accepted publickey for adam1 from 
172.16.3.50 port 38428 ssh2: RSA 
SHA256:hcDASnV1vvd88xpKM/xN2XtUSCvcW3oPUz0izqFMTBE
1228 2021-04-10 15:50:00.955 debug1: monitor_child_preauth: adam1 has 
been authenticated by privileged process
1228 2021-04-10 15:50:00.955 debug3: mm_get_keystate: Waiting for new keys
1228 2021-04-10 15:50:00.955 debug3: mm_request_receive_expect entering: 
type 26
1228 2021-04-10 15:50:00.955 debug3: mm_request_receive entering
1228 2021-04-10 15:50:00.956 debug3: mm_get_keystate: GOT new keys
1228 2021-04-10 15:50:00.956 debug3: mm_sshkey_verify: waiting for 
MONITOR_ANS_KEYVERIFY [preauth]
1228 2021-04-10 15:50:00.956 debug3: mm_request_receive_expect entering: 
type 25 [preauth]
1228 2021-04-10 15:50:00.956 debug3: mm_request_receive entering [preauth]
1228 2021-04-10 15:50:00.956 debug1: auth_activate_options: setting new 
authentication options [preauth]
1228 2021-04-10 15:50:00.956 debug2: userauth_pubkey: authenticated 1 
pkalg rsa-sha2-512 [preauth]
1228 2021-04-10 15:50:00.956 debug3: send packet: type 52 [preauth]
1228 2021-04-10 15:50:00.956 debug3: mm_request_send entering: type 26 
[preauth]
1228 2021-04-10 15:50:00.956 debug3: mm_send_keystate: Finished sending 
state [preauth]
1228 2021-04-10 15:50:00.959 debug1: monitor_read_log: child log fd closed
1228 2021-04-10 15:50:00.999 debug3: lookup_principal_name: Successfully 
discovered explicit principal name: 
'windom\\adam1'=>'adam1 at windom.borghi.lan'
1228 2021-04-10 15:50:01.010 debug1: generate_s4u_user_token: 
LsaLogonUser() failed. User 'windom\\adam1' Status: 0xC000009A SubStatus 0.
1228 2021-04-10 15:50:01.010 debug3: get_user_token - unable to generate 
token for user windom\\adam1
1228 2021-04-10 15:50:03.333 debug3: lookup_principal_name: Successfully 
discovered explicit principal name: 
'windom\\adam1'=>'adam1 at windom.borghi.lan'
1228 2021-04-10 15:50:03.347 debug1: generate_s4u_user_token: 
LsaLogonUser() failed. User 'windom\\adam1' Status: 0xC000009A SubStatus 0.
1228 2021-04-10 15:50:03.348 error: get_user_token - unable to generate 
token on 2nd attempt for user windom\\adam1
1228 2021-04-10 15:50:03.348 error: unable to get security token for 
user windom\\adam1
1228 2021-04-10 15:50:03.348 fatal: fork of unprivileged child failed
1228 2021-04-10 15:50:03.348 debug1: do_cleanup
-----------------------------------------------------------------



>
> I can only get ssh password authentication to work to win10, I don't
> have the GSSAPI lines, from my searching, it doesn't look like they
> have Kerberos working yet (and this is on Windows), it also worked for
> myself without commenting anything out. It might help if they got
> their documentation up to date, I found bits here and there.
>
> Rowland
>
>
>
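
An added triage example, not part of the original message or of OpenSSH: it scans a Win32-OpenSSH sshd debug log for sessions where the key was accepted but the later `LsaLogonUser()` call in `generate_s4u_user_token` failed, as in the log above. The sample lines are re-joined from that log, and the NTSTATUS names come from Microsoft's published NTSTATUS table, not from the post.

```python
import re
from collections import defaultdict

# Subset of Microsoft's NTSTATUS table (assumption: not taken from the post).
NTSTATUS = {
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000009A: "STATUS_INSUFFICIENT_RESOURCES",
}

# Constructed sample: lines from the log above, re-joined where the mail wrapped them.
SAMPLE = r"""
1228 2021-04-10 15:50:00.955 Accepted publickey for adam1 from 172.16.3.50 port 38428 ssh2: RSA SHA256:hcDASnV1vvd88xpKM/xN2XtUSCvcW3oPUz0izqFMTBE
1228 2021-04-10 15:50:01.010 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'windom\\adam1' Status: 0xC000009A SubStatus 0.
1228 2021-04-10 15:50:03.347 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'windom\\adam1' Status: 0xC000009A SubStatus 0.
1228 2021-04-10 15:50:03.348 fatal: fork of unprivileged child failed
"""

LINE = re.compile(r"^(\d+) (\S+ \S+) (.*)$")  # pid, timestamp, message
ACCEPT = re.compile(r"^Accepted (\S+) for (\S+) from (\S+) port (\d+)")
LSA = re.compile(r"LsaLogonUser\(\) failed\. User '([^']+)' Status: (0x[0-9A-Fa-f]+)")

def triage(log_text):
    """Return one finding per sshd PID where auth succeeded but no token was built."""
    sessions = defaultdict(lambda: {"accepted": None, "lsa": [], "fatal": False})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unparseable line
        pid, _ts, msg = m.groups()
        s = sessions[pid]
        if (a := ACCEPT.match(msg)):
            s["accepted"] = {"method": a[1], "user": a[2], "source": a[3]}
        elif (f := LSA.search(msg)):
            s["lsa"].append((f[1], int(f[2], 16)))
        elif msg.startswith("fatal:"):
            s["fatal"] = True
    findings = []
    for pid, s in sessions.items():
        if s["accepted"] and s["lsa"]:  # authenticated, then token creation failed
            account, code = s["lsa"][-1]
            findings.append({"pid": pid, **s["accepted"], "account": account,
                             "attempts": len(s["lsa"]), "session_died": s["fatal"],
                             "ntstatus": NTSTATUS.get(code, hex(code))})
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```
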



