[Samba] Trouble in ssh into Windows machines in the Windows/Samba Domain

Rowland penny rpenny at samba.org
Sun Apr 11 10:40:47 UTC 2021 

On 11/04/2021 11:12, Nicola Mingotti wrote:
>
> Interlining answers:
>
> On 4/10/21 8:20 PM, Rowland penny via samba wrote:
>>
>> It is Samba 14.4.2 , but this shouldn't matter, ssh has nothing to do 
>> with Samba unless you are using kerberos, and I am not.
>>
> Umm, Rowland you are at least 10 times more knowledgeable then me 
> about Samba and Windows.
> I wouldn't rule out Samba is involved for this argument (it may be 
> bullshit, you know better).  "Take the case of Linux, for example,
> my domain users aren't definied in /etc/passwd, but are visible by 
> 'getent passwd', which means
> that every time somebody logs into a Linux box as domain user my 
> system has
> to talk to AD to understand what that user can do. That is the reason 
> why I suppose
> Samba is involved anytime I am talking about Domain Users.


Only via PAM and nsswitch, if you try to log in via ssh with an unknown 
user, it wouldn't work, but that is as far as the connection between 
Samba and ssh goes.

>
>>> 2] Your domain configuration is different, in the smb.conf or a GPO
>>
>>
>> Fairly stock smb.conf, no GPO's that have anything to do with ssh 
>> (are there any ?)
>>
> About 6 months ago I tried to achieve the same result I am trying now 
> with Cygwin.
> It was a failure. After about a week of deep testing and searching I 
> have given up.
> In that occasion GPO were fundamental, if I remember well, to let a 
> user become
> another user. (sudo basically). I can look up details if you whish, it 
> should be in my notes.


Never used cygwin, never seen the point, just like I do not see the 
point to WSL, your opinion may differ.

>
> Another little difference between our configuration is that my 
> administrators in
> the domain are called "adam1", "adam2" etc. I never use 
> "Administator". That
> can cause some different outcomes.


This shouldn't make any difference, the user I am using to ssh in, is 
just a normal user.

>
>>> 3] If you didn't install SSH in the last two days you may be using a 
>>> blessed
>>> release from the past which does not contain a bug.
>>
>>
>> I am using the standard ssh you get by installing it via 'settings'
>>
>
> I think it would be better if we standardize our tests. For at least 
> these reasons:
> 1] Nobody knows what Microsoft did to OpenSSH


Well this is what comes with Windows 10 and I suppose most users will 
use this, very few will want (or have the knowledge) to build ssh.

> 2] There isn't a Windows version of OpenSSH for Server 2016


Again, I don't use 2016.

> 3] There are now scripts to check user permissions in the new releases
> => In propose to use the latest OpenSSH from gitHub for further analysis.


Whilst I am willing to test the SSH that comes with Windows 10, I am not 
willing to build it, I just do not have the time.

>
>
>>>
>>> The error I see i luckily reported by other people here:
>>> https://github.com/PowerShell/Win32-OpenSSH/issues/1543#issuecomment-816787269 
>>>
>>
>>
>> That is trying to use kerberos (That isn't publickey, it isn't any 
>> key) and I haven't troubleshooted that yet, perhaps tomorrow. One 
>> question I do have, does Windows use GSSAPI ?
>>
> I can't help you here, i am ignorant on this subject at the moment. I 
> may  know more after some reaserch ;)


You either use a key or you use GSSAPI, you do not use both, they do 
different things.

Rowland

More information about the samba mailing list