[Samba] Trouble in ssh into Windows machines in the Windows/Samba Domain
rpenny at samba.org
Mon Apr 12 19:11:26 UTC 2021
On 12/04/2021 18:59, Nicola Mingotti via samba wrote:
> FYI. About the public key auth. @bagajjal
> <https://github.com/bagajjal> in github openssh channels says he will
> ask a Windows Auth expert.
> the issue is in win32 api LsaLogonUser().
> About the Kerberos auth Linux-Linux, what did you do to have it working
> besides what is written in "OpenSSH single sign on"? That info to me was
> not enough to have it running.

OK, I did it like this (just tested again):

You require these lines in smb.conf:

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = yes
    winbind use default domain = yes

and in /etc/security/pam_winbind.conf (if they are not set in

    krb5_auth = yes
    krb5_ccache_type = FILE

Forward and reverse DNS must be working

SSH server setup

In /etc/ssh/sshd_config ensure you have the following options set:

    # GSSAPI options

Then restart sshd.

SSH client setup

For the client side, ensure you have the following set under an
appropriate "Host" section in /etc/ssh/ssh_config:

    # It's best to limit this option to only trusted hosts:

You must have a keytab /etc/krb5.keytab on the server
You can export this on the server with:

    sudo net ads keytab create

Once everything is set up, login like this:

rowland at devstation:~$ ssh -K rp400.samdom.example.com
Linux rp400 5.4.72-v7l+ #1356 SMP Thu Oct 22 13:57:51 BST 2020 armv7l
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Apr 12 20:01:28 2021 from 192.168.0.49
rowland at rp400:~ $
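
One way to check the smb.conf and pam_winbind.conf settings listed in the message above before testing a login. This is an added example, not part of the original message and not Samba's own code; the function names and the sample configuration are constructed for illustration.

```python
import re

# Settings named in the message; non-path values compare case-insensitively (assumption).
REQUIRED_SMB = {"dedicated keytab file": "/etc/krb5.keytab",
                "kerberos method": "secrets and keytab",
                "winbind refresh tickets": "yes",
                "winbind use default domain": "yes"}
REQUIRED_PAM = {"krb5_auth": "yes", "krb5_ccache_type": "FILE"}
TRUE_WORDS = {"yes", "true", "1"}  # boolean spellings from smb.conf(5)
# Constructed sample input, not taken from any real host.
SAMPLE_SMB = """[global]
    workgroup = SAMDOM
    Kerberos Method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    ; winbind refresh tickets = yes
    winbind use default domain = true
"""

def norm(name):
    # smb.conf ignores case and all whitespace in section/parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized name: value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):            # line continuation
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)   # first '=' is the separator
            params[norm(name)] = value.strip()
    return params

def audit(text, required):
    """Return [(parameter, expected, found)] for missing or differing settings."""
    have, problems = parse_global(text), []
    for name, expected in required.items():
        found = have.get(norm(name))
        got = None if found is None else " ".join(found.split())
        same = got == expected if "/" in expected else (got or "").lower() == expected.lower()
        if got is None or not (same or (expected == "yes" and got.lower() in TRUE_WORDS)):
            problems.append((name, expected, found))
    return problems
```

Calling `audit(open("/etc/samba/smb.conf").read(), REQUIRED_SMB)` returns an empty list when all four lines are present in `[global]`; the smb.conf path varies by distribution and is an assumption here.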