[Samba] Trouble in ssh into Windows machines in the Windows/Samba Domain

Nicola Mingotti nmingotti at gmail.com
Tue Apr 13 08:54:46 UTC 2021


Hi Rowland,

first of all my apologies, I see you already sent me this config once!
Sorry about that.

Anyway, I have some issues, so I need to ask you some stuff.

0. I am testing between two linuxes in the domain: [linte] and [beta].

1. To make it work, is it necessary to change the configuration of smb.conf
in the domain controller, or is it enough to configure these 2 machines
([linte] and [beta])?

2. I prefer not to use "winbind use default domain = yes", is it
strictly necessary?
RATIONALE. I don't want to use it because I prefer to have a clean
distinction between local and domain users. So it is good for me
to have to type WINDOM\foobar when I mean Domain User "foobar".

3. I already have /etc/krb5.keytab on both computers; do I need
to run 'sudo net ads keytab create' anyway?


bye
Nicola



> OK, I did it like this (just tested again):
>
> You require these lines in smb.conf:
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> winbind use default domain = yes
>
> and in /etc/security/pam_winbind.conf (if they are not set in 
> /etc/pam.d/common-auth):
>
> krb5_auth = yes
> krb5_ccache_type = FILE
>
> Forward and reverse DNS must be working
>
> SSH server setup
>
> In /etc/ssh/sshd_config ensure you have the following options set:
>
> # GSSAPI options
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> GSSAPIKeyExchange yes
> GSSAPIStoreCredentialsOnRekey yes
>
> Then restart sshd.
>
> SSH client setup
>
> For the client side, ensure you have the following set under an 
> appropriate "Host" section in /etc/ssh/ssh_config:
>
> Host *
>     GSSAPIAuthentication yes
>     GSSAPIKeyExchange yes
>     GSSAPIRenewalForcesRekey yes
>     GSSAPITrustDns yes
> Host *.samdom.example.com
>     # It's best to limit this option to only trusted hosts:
>     GSSAPIDelegateCredentials yes
>
>
> You must have a keytab /etc/krb5.keytab on the server
>
> You can export this on the server with:
>
> sudo net ads keytab create
>
> Once everything is set up, login like this:
>
> rowland at devstation:~$ ssh -K rp400.samdom.example.com
> Linux rp400 5.4.72-v7l+ #1356 SMP Thu Oct 22 13:57:51 BST 2020 armv7l
>
> The programs included with the Debian GNU/Linux system are free software;
> the exact distribution terms for each program are described in the
> individual files in /usr/share/doc/*/copyright.
>
> Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> permitted by applicable law.
> Last login: Mon Apr 12 20:01:28 2021 from 192.168.0.49
> rowland at rp400:~ $
>
> Rowland
>
>
>
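The quoted reply lists four sshd_config options and a keytab that must be present on the server. The script below is an added example for checking those prerequisites before trying the ssh -K login; it is not from this thread, from Rowland, or from the Samba project. It assumes nothing about the poster's machines: the two sshd_config texts are constructed samples written into a temporary directory, the keytab is an empty temporary stand-in for /etc/krb5.keytab, and the helper names check_sshd_gssapi, check_keytab and write_samples are hypothetical.

```shell
#!/bin/sh
# Added example: verify the server-side GSSAPI prerequisites named in the
# reply. Configs and keytab used here are constructed samples, not real files.

# The four sshd_config options the reply says must be set to "yes".
REQUIRED_SSHD_OPTS="GSSAPIAuthentication GSSAPICleanupCredentials GSSAPIKeyExchange GSSAPIStoreCredentialsOnRekey"

# check_sshd_gssapi FILE
# Prints every required option that is unset, commented out, or not "yes".
# Returns 0 when all are set, 1 otherwise. Keywords are case-insensitive
# in sshd_config; the last occurrence of a keyword is the one in force.
check_sshd_gssapi() {
    file=$1
    rc=0
    for opt in $REQUIRED_SSHD_OPTS; do
        val=$(grep -i "^[[:space:]]*$opt[[:space:]]" "$file" \
              | tail -n 1 | awk '{print tolower($2)}')
        if [ "$val" != "yes" ]; then
            echo "missing: $opt (found: '${val:-unset}')"
            rc=1
        fi
    done
    return $rc
}

# check_keytab FILE
# The keytab holds the host's long-term Kerberos keys, so it must exist and
# must not be readable by group or others. Uses ls -l so it works on both
# GNU and BSD userlands (columns 5-10 are the group/other permission bits).
check_keytab() {
    file=$1
    [ -f "$file" ] || { echo "keytab $file not found"; return 1; }
    perms=$(ls -l "$file" | cut -c5-10)
    case $perms in
        ------) return 0 ;;
        *) echo "keytab $file is group/world accessible ($perms)"; return 1 ;;
    esac
}

# write_samples DIR
# Constructed sshd_config samples: one matching the reply, one where the
# key-exchange option is commented out and cleanup is set to "no".
write_samples() {
    dir=$1
    cat > "$dir/sshd_good.conf" <<'EOF'
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes
EOF
    cat > "$dir/sshd_bad.conf" <<'EOF'
GSSAPIAuthentication yes
#GSSAPIKeyExchange yes
GSSAPICleanupCredentials no
EOF
}

# Stand-alone demonstration on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in sshd_good.conf sshd_bad.conf; do
    echo "== $f"
    if check_sshd_gssapi "$tmp/$f"; then echo "all GSSAPI options set"; fi
done
umask 077
: > "$tmp/krb5.keytab"          # temporary stand-in for /etc/krb5.keytab
if check_keytab "$tmp/krb5.keytab"; then echo "keytab permissions OK"; fi
rm -rf "$tmp"
```

On a real server you would call check_sshd_gssapi /etc/ssh/sshd_config and check_keytab /etc/krb5.keytab as root; a commented-out GSSAPIKeyExchange line is the classic reason ssh -K silently falls back to password authentication, and a world-readable keytab is a credential leak rather than a login problem.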



