[Samba] Trouble in ssh into Windows machines in the Windows/Samba Domain
Nicola Mingotti
nmingotti at gmail.com
Sat Apr 10 16:28:25 UTC 2021
Hi Rowland,
I have another Linux in the domain now. The two Linux machines I am
using are named 'beta' and 'linte'.
Despite its name, 'beta' is an important machine ;)
1] I tested public key ssh login between 'beta' and 'linte' with user
'WINDOM\nicola'.
It works. Problem solved. The issue must be on Windows OpenSSH I am
using, I agree with you.
2] I tested access with Kerberos, but it is not working. It is the first
time I try this, so maybe I am missing some important step. Can you
please give me some hints?
This is what I did, on both 'beta' and 'linte'. Consider they are both
configured and working to accept login from the Domain users. That works.
From the wiki document "OpenSSH Single sign-on" I took this:
---- /etc/samba/smb.conf ---
kerberos method = secrets and keytab
winbind refresh tickets = yes
----------------------------
---- /etc/security/pam_winbind.conf -------
krb5_auth = yes
krb5_ccache_type = FILE
-------------------------------------------
--- /etc/ssh/sshd_config ------------------
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes
-------------------------------------------
---- /etc/ssh/ssh_config -----------
Host *
    ...
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIKeyExchange yes
    GSSAPITrustDNS yes
Host *.windom.borghi.lan
    GSSAPIDelegateCredentials yes
------------------------------------
I rebooted both machines.
Now, I ssh into 'beta'
p@deb4> ssh 'WINDOM\nicola'@beta
WINDOM\nicola@beta> ssh linte
ASKS PASSWORD :/
If I do 'ssh -vvv' I see the text below. It seems the "gssapi" auth request
is sent out but nothing happens.
Any ideas?
Bye
Nicola
------------------- ssh -vvv linte -------------
...
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: Trying to reverse map address 172.16.3.37.
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/WINDOM-nicola/.ssh/id_rsa RSA SHA256:sAqcNWsYx19vIf3sU3E41Uxis4dWk2noE07XVLWcE5Q
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/WINDOM-nicola/.ssh/id_dsa
debug3: no such identity: /home/WINDOM-nicola/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/WINDOM-nicola/.ssh/id_ecdsa
debug3: no such identity: /home/WINDOM-nicola/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/WINDOM-nicola/.ssh/id_ed25519
debug3: no such identity: /home/WINDOM-nicola/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/WINDOM-nicola/.ssh/id_xmss
debug3: no such identity: /home/WINDOM-nicola/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
-------------------------------
>> 2] SSH login with Public key. Does not work. Here the thing is quite
>> strange, if I put
>> my public key into the computer with the ssh server I can't login
>> anymore,
>
>
> Here I am different, I have placed the key where I think it should go
> and I can still login, but only using a password.
>
unsolvable mysteries of closed software
>
>> A guy on GitHub (@remipaeta) says with Windows AD he is able to login
>> in ssh with public key
>> and he finds this problem only with Samba. Maybe you can check this
>> statement I don't have a Windows AD. Or maybe you know the developer
>> who is
>> able to look at this corner of the code ;)
>
>
> OK, on Linux, I can ssh between machines using a password, ssh keys
> and kerberos. Against the Windows ssh server, only using a password
> works, so this is unlikely to be a samba problem, to me it sounds like
> there is a problem with the Windows ssh program. There is no doubt
> that numerous things that work on Linux ssh, do not exist on Windows ssh
>
>>
>> Next thing I am going to try is if the SingleSignOn and public key auth
>> work from two Linux in the Samba Windows Domain, user in the domain.
>> I will let you know.
>> I need to set up another Linux in the domain to make the experiment.
>
>
> I can assure that they do work on Linux, but I cannot get them to work
> on windows.
>
> Rowland
>
>
>
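A small parser for the `ssh -vvv` output in the message above, added here as an illustration (it is not part of the original post, nor Samba or OpenSSH code). It pairs each "we sent a ... packet" line with the server's reply type, using the message numbers from RFC 4252 and RFC 4462; the function names are this example's own, and the sample lines are trimmed from the excerpt in the post.

```python
import re

# Message numbers: RFC 4252 (generic userauth) and RFC 4462 (GSSAPI, 60-66).
GENERIC = {51: "USERAUTH_FAILURE", 52: "USERAUTH_SUCCESS", 53: "USERAUTH_BANNER"}
GSSAPI = {60: "GSSAPI_RESPONSE", 61: "GSSAPI_TOKEN", 63: "GSSAPI_EXCHANGE_COMPLETE",
          64: "GSSAPI_ERROR", 65: "GSSAPI_ERRTOK", 66: "GSSAPI_MIC"}
SENT = re.compile(r"we sent a (\S+) packet, wait for reply")
RECV = re.compile(r"receive packet: type (\d+)")
NEXT = re.compile(r"Next authentication method: (\S+)")
SKIP = "we did not send a packet, disable method"

def summarize(log_text):
    """Return [(method, outcome), ...] for the userauth attempts in `ssh -vvv` output."""
    results, pending, current = [], None, None
    for line in log_text.splitlines():
        if m := NEXT.search(line):
            current = m.group(1)
        elif m := SENT.search(line):
            pending = current = m.group(1)
        elif (m := RECV.search(line)) and pending:
            num = int(m.group(1))
            names = {**GENERIC, **(GSSAPI if pending.startswith("gssapi") else {})}
            results.append((pending, names.get(num, f"type {num}")))
            if num in (51, 52):          # final answer for this request
                pending = None
        elif SKIP in line and current:
            results.append((current, "method disabled"))
    return results

def gssapi_refused_before_tokens(results):
    """True if gssapi-with-mic got FAILURE (51) without a GSSAPI_RESPONSE (60) first."""
    replies = [o for m, o in results if m == "gssapi-with-mic" and o != "method disabled"]
    return bool(replies) and replies[0] == "USERAUTH_FAILURE"

# Lines taken from the excerpt in the post (trimmed).
SAMPLE = """\
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
"""

if __name__ == "__main__":
    print(summarize(SAMPLE), gssapi_refused_before_tokens(summarize(SAMPLE)))
```

On the posted excerpt the gssapi-with-mic request is answered with type 51 rather than type 60, so the server refused it before any Kerberos token was exchanged; the sshd log on 'linte' is the place to see why.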