[Samba] Trouble in ssh into Windows machines in the Windows/Samba Domain

Nicola Mingotti nmingotti at gmail.com
Sat Apr 10 16:28:25 UTC 2021


Hi Rowland,

I have another Linux in the domain now. The two Linux machines I am 
using are named 'beta' and 'linte'.
Despite its name, 'beta' is an important machine ;)

1] I tested public key ssh login between 'beta' and 'linte' with user 
'WINDOM\nicola'.
It works. Problem solved. The issue must be on Windows OpenSSH I am 
using, I agree with you.

2] I tested access with Kerberos, but it is not working. It is the first 
time I try this,
so maybe I am missing some important step. Can you please give me some 
hints?

This is what I did, on both 'beta' and 'linte'. Consider they are both 
configured
and working to accept login from the Domain users. That works.

From the wiki document "OpenSSH Single sign-on" I took this:

---- /etc/samba/smb.conf ---
kerberos method = secrets and keytab
winbind refresh tickets = yes

----------------------------

---- /etc/security/pam_winbind.conf -------
krb5_auth = yes
krb5_ccache_type = FILE
-------------------------------------------


--- /etc/ssh/sshd_config ------------------
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes
-------------------------------------------


---- /etc/ssh/ssh_config -----------
Host *
    ...
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPIKeyExchange yes
    GSSAPITrustDNS yes

Host *.windom.borghi.lan
    GSSAPIDelegateCredentials yes

------------------------------------

I rebooted both machines.

Now, I ssh into 'beta'
p at deb4> ssh 'WINDOM\nicola'@beta
WINDOM\nicola at beta> ssh linte
ASKS PASSWORD :/

If I do 'ssh -vvv' I see the text below. It seems the "gssapi" auth request
is sent out but nothing happens.

Any ideas ?


Bye
Nicola

------------------- ssh -vvv linte -------------
...
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: Trying to reverse map address 172.16.3.37.
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/WINDOM-nicola/.ssh/id_rsa RSA SHA256:sAqcNWsYx19vIf3sU3E41Uxis4dWk2noE07XVLWcE5Q
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/WINDOM-nicola/.ssh/id_dsa
debug3: no such identity: /home/WINDOM-nicola/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/WINDOM-nicola/.ssh/id_ecdsa
debug3: no such identity: /home/WINDOM-nicola/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/WINDOM-nicola/.ssh/id_ed25519
debug3: no such identity: /home/WINDOM-nicola/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/WINDOM-nicola/.ssh/id_xmss
debug3: no such identity: /home/WINDOM-nicola/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
-------------------------------

>> 2] SSH login with Public key. Does not work. Here the thing is quite 
>> strange, if I put
>> my public key into the computer with the ssh server I can't login 
>> anymore,
>
>
> Here I am different, I have placed the key where I think it should go 
> and I can still login, but only using a password.
>
Unsolvable mysteries of closed software.


>
>> A guy on GitHub (@remipaeta) says with Windows AD he is able to login 
>> in ssh with public key
>> and he finds this problem only with Samba. Maybe you can check this
>> statement I don't have a Windows AD. Or maybe you know the developer 
>> who is
>> able to look at this corner of the code ;)
>
>
> OK, on Linux, I can ssh between machines using a password, ssh keys 
> and kerberos. Against the Windows ssh server, only using a password 
> works, so this is unlikely to be a samba problem, to me it sounds like 
> there is a problem with the Windows ssh program. There is no doubt 
> that numerous things that work on Linux ssh, do not exist on Windows ssh
>
>>
>> Next thing I am going to try is if the SingleSignOn and public key auth
>> work from two Linux in the Samba Windows Domain, user in the domain. 
>> I will let you know.
>> I need to set up another Linux in the domain to make the experiment.
>
>
> I can assure that they do work on Linux, but I cannot get them to work 
> on windows.
>
> Rowland
>
>
>
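
Added example (not part of the original message or of the Samba or OpenSSH projects): a small Python parser that condenses `ssh -vvv` client output like the trace quoted above into a per-method summary, separating requests the server answered with packet type 51 (SSH_MSG_USERAUTH_FAILURE in RFC 4252) from methods the client gave up on without sending anything. The name `summarize_auth` and the shortened sample log are constructed for illustration.

```python
import re

# SSH user-authentication message numbers from RFC 4252.
USERAUTH_FAILURE, USERAUTH_SUCCESS = 51, 52
# Constructed sample: a shortened excerpt of the `ssh -vvv linte` output in the post.
SAMPLE_LOG = """\
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
"""

SENT = re.compile(r"we sent a (\S+) packet")
RECV = re.compile(r"receive packet: type (\d+)")
NEXT = re.compile(r"Next authentication method: (\S+)")


def summarize_auth(log_text):
    """Map each auth method, in order seen, to what the client log shows for it."""
    methods = {}
    current = awaiting = None  # method in progress / method awaiting a reply

    def entry(name):
        return methods.setdefault(
            name, {"sent": 0, "rejected": 0, "accepted": False, "disabled": False})

    for line in log_text.splitlines():
        if m := SENT.search(line):
            current = awaiting = m.group(1)
            entry(current)["sent"] += 1
        elif (m := RECV.search(line)) and awaiting:
            code = int(m.group(1))
            if code == USERAUTH_FAILURE:
                entry(awaiting)["rejected"] += 1
            elif code == USERAUTH_SUCCESS:
                entry(awaiting)["accepted"] = True
            if code in (USERAUTH_FAILURE, USERAUTH_SUCCESS):
                awaiting = None  # other types are method-specific; keep waiting
        elif m := NEXT.search(line):
            current = m.group(1)
            entry(current)
        elif "we did not send a packet, disable method" in line and current:
            entry(current)["disabled"] = True
    return methods
```

For the trace in this message the summary shows `gssapi-with-mic` with one request sent and one rejection, so the client did offer GSSAPI and the refusal came from the server side.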


