[Samba] Trouble in ssh into Windows machines in the Windows/Samba Domain
Nicola Mingotti
nmingotti at gmail.com
Wed Apr 14 10:02:28 UTC 2021
Hi Louis,
from further experiments I can tell you that in my system (Debian Stable,
Samba by .deb package)
the only way to make the thing work is setting
"k5login_authoritative = false" in [libdefaults].
It does not work if put in [realms].
I have taken the parameter name from here:
https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
It is a useful feature to have in some servers !
bye
----------------------- display experiments in krb5.conf ---------------------
[libdefaults]
    default_realm = WINDOM.BORGHI.LAN
    # dns_lookup_realm = false
    dns_lookup_realm = true
    dns_lookup_kdc = true
    # trying to enable login with kerberos
    # forwardable = true
    # proxiable = true
    # ignore_k5login = true
    k5login_authoritative = false
[realms]
    # allows everyone to log in without being listed by name
    # k5login_authoritative = false
    #
    WINDOM.BORGHI.LAN = {
        auth_to_local = RULE:[1:WINDOM\$1]
        # k5login_authoritative = false
    }
------------------------------------------------------------------------------------------
On 4/14/21 11:17 AM, L.P.H. van Belle via samba wrote:
> Hai,
>
> from your previous mail :
> No key table entry found matching host/beta.windom.borghi.lan@
>
> when you re-joined, it should have created a keytab file.
>
> net ads remove
> mv /etc/krb5.keytab{,.old}
> net ads join
> klist -ke /etc/krb5.keytab
>
>
> On that .k5login /etc/krb5.conf
> add in default ( or per realm )
> ignore_k5login = true
>
> you can try that, then you most probably don't need to use the .k5login at all
> I was typing this when you sent that it worked.
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Nicola Mingotti
>> via samba
>> Sent: Wednesday 14 April 2021 11:09
>> To: Rowland penny; sambalist
>> Subject: Re: [Samba] Trouble in ssh into Windows machines in the
>> Windows/Samba Domain
>>
>>
>>
>> YYEEEEEESSSSSSS ! IT WORKSSSSS !!!!!
>>
>> Thanks to all of YOU people and the 'strace' command !!!!!
>>
>> For me, besides all the misconfigurations I had, it was necessary to put
>> into 'beta' this
>>
>> ---------- beta : /home/WINDOM-nicola/.k5login ----
>> nicola at WINDOM.BORGHI.LAN
>> ------------------------------------------------------------------
>>
>> That is, a file saying who is allowed to login into beta machine via
>> kerberos.
>>
>> I saw the file format in this page:
>> https://web.mit.edu/kerberos/krb5-devel/doc/user/user_config/k5login.html
>>
>>
>> ==== STATUS SSH AUTH IN THE Domain ================
>> -] ssh auth with public key : Linux / Linux working
>> -] ssh auth with kerberos : Linux / Linux working
>>
>> *) Let's wait to see what the guys on the OpenSSH GitHub are able to
>> do/fix
>> before trying again with Windows.
>> ==========================================
>>
>> Bye
>> Nicola
>>
>>
>>
>>
>>
>>
>> On 4/13/21 7:43 PM, Rowland penny via samba wrote:
>>> On 13/04/2021 17:34, Nicola Mingotti wrote:
>>>> Ok, I corrected all that you found. Except for the name ".lan", which
>>>> I can't change in a short time.
>>>>
>>>> Still, ssh -K is not working unfortunately.
>>>
>>> I have a couple of packages you haven't, one I think you need:
>>> libpam-krb5 python3-samba
>>>
>>> Please install them.
>>>
>>> When you left the domain, did you delete /etc/krb5.keytab ?
>>>
>>> If you didn't, try deleting it and creating a new one with the 'net'
>>> command I posted earlier.
>>>
>>> Rowland
>>>
>>>
>>>
>>>
>>
>
>
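
An added example, not part of the original thread or of Samba/MIT Kerberos code: a small krb5.conf audit that reports where k5login_authoritative is set, treating only a top-level [libdefaults] entry as effective (as observed in the message above and as the linked MIT page documents it) and flagging when the relaxed value is active. The sample text, function names, the first-occurrence-wins handling and the accepted boolean spellings are assumptions made for the illustration.

```python
import re

# Constructed sample: the thread's krb5.conf with the [realms] attempts uncommented.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = WINDOM.BORGHI.LAN
    # ignore_k5login = true
    k5login_authoritative = false
[realms]
    k5login_authoritative = false
    WINDOM.BORGHI.LAN = {
        auth_to_local = RULE:[1:WINDOM\\$1]
        k5login_authoritative = false
    }
"""
KEY = "k5login_authoritative"
FALSE_VALUES = {"false", "no", "n", "0", "off", "nil"}  # common spellings only

def find_setting(conf_text, key=KEY):
    """List (section, enclosing_block, value) for each uncommented occurrence."""
    hits, section, stack = [], None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, stack = header.group(1), []
        elif line.startswith("}"):
            if stack:
                stack.pop()               # leave a { ... } block
        else:
            name, _, value = (part.strip() for part in line.partition("="))
            if value == "{":
                stack.append(name)        # enter e.g. a realm block
            elif name == key:
                hits.append((section, "/".join(stack) or None, value))
    return hits

def audit(conf_text):
    """Return (effective_value, findings) for k5login_authoritative."""
    effective, findings = None, []
    for section, block, value in find_setting(conf_text):
        if section == "libdefaults" and block is None:
            if effective is None:         # assumption: first occurrence wins
                effective = value.lower() not in FALSE_VALUES
        else:
            findings.append(f"ignored: {KEY} under [{section}] {block or ''}".rstrip())
    if effective is None:
        effective = True                  # documented default is true
    if not effective:
        findings.append("relaxed: a principal missing from an existing ~/.k5login can still be mapped to the account")
    return effective, findings
```

With the relaxed value in effect, access to an account depends on the auth_to_local mapping rather than on the per-user .k5login list, so the mapping rule is what needs review on hosts where this is set.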