[Samba] Trouble in ssh into Windows machines in the Windows/Samba Domain

Nicola Mingotti nmingotti at gmail.com
Wed Apr 14 10:02:28 UTC 2021


Hi Louis,

From further experiments I can tell you that in my system (Debian Stable, 
Samba by .deb package)
the only way to make the thing work is setting 
"k5login_authoritative = false" in [libdefaults].
Not working if put in [realms].

I have taken the parameter name from here:
https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html

It is a useful feature to have in some servers!

bye


----------------------- display experiments in krb5.conf ---------------------
[libdefaults]
       default_realm = WINDOM.BORGHI.LAN
       # dns_lookup_realm = false
       dns_lookup_realm = true
       dns_lookup_kdc = true
       # trying to enable login with kerberos
       # forwardable = true
       # proxiable = true
       # ignore_k5login = true
       k5login_authoritative = false

[realms]
   # allows everyone to log in without being named
   # k5login_authoritative = false
   #
   WINDOM.BORGHI.LAN = {
     auth_to_local = RULE:[1:WINDOM\$1]
     # k5login_authoritative = false
   }
------------------------------------------------------------------------------------------


On 4/14/21 11:17 AM, L.P.H. van Belle via samba wrote:
> Hai,
>
> from your previous mail :
> No key table entry found matching host/beta.windom.borghi.lan@
>
> when you re-joined, it should have created a keytab file.
>
> net ads remove
> mv /etc/krb5.keytab{,.old}
> net ads join
> klist -ke /etc/krb5.keytab
>
>
> On that .k5login /etc/krb5.conf
> add in default ( or per realm )
> ignore_k5login = true
>
> you can try that, then you most probably don't need to use the .k5login at all
> I was typing this when you sent it worked.
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Nicola Mingotti
>> via samba
>> Sent: Wednesday 14 April 2021 11:09
>> To: Rowland penny; sambalist
>> Subject: Re: [Samba] Trouble in ssh into Windows machines in the
>> Windows/Samba Domain
>>
>>
>>
>> YYEEEEEESSSSSSS ! IT WORKSSSSS !!!!!
>>
>> Thanks to all of YOU people and the 'strace' command !!!!!
>>
>> For me, besides all the misconfigurations I had, it was necessary to put
>> into 'beta' this
>>
>> ---------- beta : /home/WINDOM-nicola/.k5login ----
>> nicola@WINDOM.BORGHI.LAN
>> ------------------------------------------------------------------
>>
>> That is, a file saying who is allowed to login into beta machine via
>> kerberos.
>>
>> I saw the file format in this page:
>> https://web.mit.edu/kerberos/krb5-devel/doc/user/user_config/k5login.html
>>
>>
>> ==== STATUS SSH AUTH IN THE Domain ================
>> -] ssh auth with public key  : Linux / Linux working
>> -] ssh auth with kerberos      : Linux / Linux working
>>
>> *) Let's wait to see what the guys on the OpenSSH GitHub are able to
>> do/fix
>> before trying again with Windows.
>> ==========================================
>>
>> Bye
>> Nicola
>>
>>
>>
>>
>>
>>
>> On 4/13/21 7:43 PM, Rowland penny via samba wrote:
>>> On 13/04/2021 17:34, Nicola Mingotti wrote:
>>>> Ok, I corrected all that you found. Except for the name ".lan", which
>>>> I can't change in a short time.
>>>>
>>>> Still, ssh -K is not working unfortunately.
>>>
>>> I have a couple of packages you haven't, one I think you need:
>>> libpam-krb5 python3-samba
>>>
>>> Please install them.
>>>
>>> When you left the domain, did you delete /etc/krb5.keytab ?
>>>
>>> If you didn't, try deleting it and creating a new one with the 'net'
>>> command I posted earlier.
>>>
>>> Rowland
>>>
>>>
>>>
>>>
>>
>
>
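
Added example, not part of the original messages and not MIT krb5 code: a simplified Python model of how .k5login, ignore_k5login, k5login_authoritative and the auth_to_local rule discussed in this thread combine, following the MIT documentation linked above. The local account name WINDOM\nicola, the admin principal and all function names are assumptions; only the RULE:[1:...] form used in the thread is handled.

```python
# Simplified model of the documented login-authorization decision.
# Function names and sample accounts are hypothetical (constructed for this example).

def parse_k5login(text):
    """Principals listed in a .k5login file, one per line."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def map_single_component(principal, template):
    """Apply an auth_to_local rule of the form RULE:[1:<template>] only.
    Returns None unless the principal has exactly one name component."""
    name, _, _realm = principal.rpartition("@")
    if not name or "/" in name:
        return None
    return template.replace("$1", name)

def login_allowed(principal, local_user, k5login_text, template,
                  ignore_k5login=False, k5login_authoritative=True):
    """k5login_text is None when the account has no ~/.k5login file."""
    if not ignore_k5login and k5login_text is not None:
        if principal in parse_k5login(k5login_text):
            return True      # explicitly listed for this account
        if k5login_authoritative:
            return False     # file exists and has the final word
    # No file, file ignored, or file not authoritative: mapping decides.
    return map_single_component(principal, template) == local_user

REALM = "WINDOM.BORGHI.LAN"        # realm from the thread
TEMPLATE = "WINDOM\\$1"            # from RULE:[1:WINDOM\$1] in the thread
ACCOUNT = "WINDOM\\nicola"         # assumed local account name
NICOLA = "nicola@" + REALM
ADMIN = "admin@" + REALM           # constructed second principal
ONLY_ADMIN = ADMIN + "\n"          # constructed .k5login listing admin only

def scenarios():
    """Decisions for logins to ACCOUNT under each setting."""
    return {
        "listed": login_allowed(NICOLA, ACCOUNT, NICOLA + "\n", TEMPLATE),
        "unlisted_authoritative": login_allowed(NICOLA, ACCOUNT, ONLY_ADMIN, TEMPLATE),
        "unlisted_not_authoritative": login_allowed(
            NICOLA, ACCOUNT, ONLY_ADMIN, TEMPLATE, k5login_authoritative=False),
        "no_file": login_allowed(NICOLA, ACCOUNT, None, TEMPLATE),
        "other_principal_listed": login_allowed(ADMIN, ACCOUNT, ONLY_ADMIN, TEMPLATE),
        "other_principal_ignored": login_allowed(
            ADMIN, ACCOUNT, ONLY_ADMIN, TEMPLATE, ignore_k5login=True),
    }

if __name__ == "__main__":
    for case, allowed in scenarios().items():
        print(f"{case:28} -> {'allow' if allowed else 'deny'}")
```

Setting k5login_authoritative = false widens access for accounts that restrict logins with a .k5login file, while ignore_k5login = true removes any cross-account access those files grant.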



