[Samba] Trouble in ssh into Windows machines in the Windows/Samba Domain

Rowland penny rpenny at samba.org
Mon Apr 12 19:11:26 UTC 2021


On 12/04/2021 18:59, Nicola Mingotti via samba wrote:
>
>
> FYI. About the public key auth: @bagajjal
> <https://github.com/bagajjal> in the GitHub OpenSSH channels says he will
> ask a Windows Auth expert.
> The issue is in the Win32 API LsaLogonUser().
>
> About the Kerberos auth Linux-Linux, what did you do to have it working
> besides what is written in "OpenSSH single sign on"? That info to me was
> not enough to have it running.


OK, I did it like this (just tested again):

You require these lines in smb.conf:

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind use default domain = yes

and in /etc/security/pam_winbind.conf (if they are not set in 
/etc/pam.d/common-auth):

krb5_auth = yes
krb5_ccache_type = FILE

Forward and reverse DNS must be working

SSH server setup

In /etc/ssh/sshd_config ensure you have the following options set:

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes

Then restart sshd.

SSH client setup

For the client side, ensure you have the following set under an 
appropriate "Host" section in /etc/ssh/ssh_config:

Host *
     GSSAPIAuthentication yes
     GSSAPIKeyExchange yes
     GSSAPIRenewalForcesRekey yes
     GSSAPITrustDns yes
Host *.samdom.example.com
     # It's best to limit this option to only trusted hosts:
     GSSAPIDelegateCredentials yes


You must have a keytab /etc/krb5.keytab on the server

You can export this on the server with:

sudo net ads keytab create

Once everything is set up, login like this:

rowland@devstation:~$ ssh -K rp400.samdom.example.com
Linux rp400 5.4.72-v7l+ #1356 SMP Thu Oct 22 13:57:51 BST 2020 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Apr 12 20:01:28 2021 from 192.168.0.49
rowland@rp400:~ $

Rowland
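
The server-side checklist from the message above, as an added example that is not part of the original post and not a Samba or OpenSSH tool: a POSIX shell audit that reads smb.conf, pam_winbind.conf and sshd_config and reports every setting that differs from the values in the post. The function names, the optional ROOT prefix, the --audit switch and the /etc/samba/smb.conf location are assumptions; /etc/pam.d/common-auth is not inspected.

```shell
#!/bin/sh
# Added example: audit a server for the settings listed in the post.
# Function names, ROOT, --audit and /etc/samba/smb.conf are assumptions.

# first_value FILE KEY SEP: print the first uncommented value of KEY.
# SEP "=" reads "key = value" files, SEP " " reads sshd_config ("Key value").
# sshd uses the first value it sees for a keyword, so the scan stops there,
# and it stops at the first Match block because those settings are conditional.
first_value() {
    awk -v key="$2" -v sep="$3" '
        /^[ \t]*[#;]/ { next }                          # comment line
        sep == " " && tolower($1) == "match" { exit }
        {
            if (sep == "=") {
                n = index($0, "="); if (!n) next       # e.g. "[global]"
                k = substr($0, 1, n - 1); v = substr($0, n + 1)
            } else { k = $1; v = $0; sub(/^[ \t]*[^ \t]+/, "", v) }
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/[ \t]+/, " ", k)                      # "a   b" -> "a b"
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1" 2>/dev/null
}

# check FILE SEP KEY WANT: print a result line, return 1 on any difference.
# Values are compared exactly as written in the post.
check() {
    got=$(first_value "$1" "$3" "$2")
    if [ "$got" = "$4" ]; then echo "ok    $1: $3 = $got"; return 0; fi
    echo "FAIL  $1: $3 is '${got:-unset}', the post uses '$4'"; return 1
}

# audit_sso [ROOT]: every server-side item from the post, under ROOT/etc.
audit_sso() {
    r=${1:-}; rc=0
    smb=$r/etc/samba/smb.conf; pam=$r/etc/security/pam_winbind.conf
    check "$smb" "=" "dedicated keytab file" "/etc/krb5.keytab" || rc=1
    check "$smb" "=" "kerberos method" "secrets and keytab" || rc=1
    check "$smb" "=" "winbind refresh tickets" "yes" || rc=1
    check "$smb" "=" "winbind use default domain" "yes" || rc=1
    check "$pam" "=" "krb5_auth" "yes" || rc=1
    check "$pam" "=" "krb5_ccache_type" "FILE" || rc=1
    for k in GSSAPIAuthentication GSSAPICleanupCredentials \
             GSSAPIKeyExchange GSSAPIStoreCredentialsOnRekey; do
        check "$r/etc/ssh/sshd_config" " " "$k" "yes" || rc=1
    done
    [ -s "$r/etc/krb5.keytab" ] || { echo "FAIL  $r/etc/krb5.keytab missing or empty"; rc=1; }
    return $rc
}
[ "${1:-}" != "--audit" ] || audit_sso "${2:-}"   # sh audit.sh --audit [ROOT]
```

Run it as root with --audit so the keytab and sshd_config are readable; a non-zero exit status means at least one item differs from the post.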




