[Samba] OpenSSH with Kerberos?
Joachim Lindenberg
samba at lindenberg.one
Sat Oct 23 09:28:34 UTC 2021
Hello Rowland,
thanks for giving it a try, but it didn't help so far.
Following https://www.ibm.com/support/pages/debugging-sshd-without-impacting-existing-sshd-sessions I fired up a debug server and got
debug1: Unspecified GSS failure. Minor code may provide more information
Key table file '/etc/krb5.keytab' not found
OK. I searched for that one: https://groups.google.com/g/linux.samba/c/_fpcVC-WBAM and tried
samba-tool domain exportkeytab temp.keytab
klist -k temp.keytab | grep boa
output:
1 dns-boa@SAMBA.LINDENBERG.ONE
1 dns-boa@SAMBA.LINDENBERG.ONE
1 dns-boa@SAMBA.LINDENBERG.ONE
Actually I also tried just using the export, but then got
debug1: Unspecified GSS failure. Minor code may provide more information
No key table entry found matching host/boa.samba.lindenberg.one@
I also tried a ln -s /var/lib/samba/private/secrets.keytab krb5.keytab
But klist -k krb5.keytab results in:
Keytab name: FILE:krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOST/boa@SAMBA.LINDENBERG.ONE
   2 HOST/boa.samba.lindenberg.one@SAMBA.LINDENBERG.ONE
   2 BOA$@SAMBA.LINDENBERG.ONE
   2 HOST/boa@SAMBA.LINDENBERG.ONE
   2 HOST/boa.samba.lindenberg.one@SAMBA.LINDENBERG.ONE
   2 BOA$@SAMBA.LINDENBERG.ONE
   2 HOST/boa@SAMBA.LINDENBERG.ONE
   2 HOST/boa.samba.lindenberg.one@SAMBA.LINDENBERG.ONE
   2 BOA$@SAMBA.LINDENBERG.ONE
In other words, it looks like sshd and Samba don't agree on how to name the system principal to be used to identify the ssh server.
boa.samba.lindenberg.one is one of my DCs.
If I set /etc/ssh/sshd_config
GSSAPIStrictAcceptorCheck no # not happy about this
Then this message disappears and I get to:
Failed gssapi-keyex for Joachim2 from 192.168.177.18 port 58234 ssh2
debug1: audit_event: unhandled event 13
debug3: mm_ssh_gssapi_userok: user not authenticated [preauth]
...
But AFAIK that doesn't really imply GSSAPIStrictAcceptorCheck does the trick, and I have to search for something else.
I also discovered https://narkive.com/M5kraUiz.7 but ktpass is not available on Ubuntu and the translation to ktutil is not obvious to me.
Any further hint?
Thanks, Joachim
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny via samba
Sent: Friday, 22 October 2021 21:24
To: samba at lists.samba.org
Subject: Re: [Samba] OpenSSH with Kerberos?
On Fri, 2021-10-22 at 19:01 +0200, Joachim Lindenberg via samba wrote:
> Hello,
>
> I am trying to get OpenSSH to work with Kerberos, but am failing. I
> followed https://wiki.samba.org/index.php/OpenSSH_Single_sign-on, but
> I still need to provide a password (the AD password does work!)
> instead of achieving single-sign-on. I did follow the recommended
> auth_to_local mapping.
>
I cannot ssh with kerberos from a Samba AD DC, but I can ssh with kerberos to a Samba AD DC.
The ssh client (devstation) has this in /etc/ssh/ssh_config
Host *
PasswordAuthentication no
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIRenewalForcesRekey yes
GSSAPITrustDns yes
Host *.samdom.example.com
# It's best to limit this option to only trusted hosts:
GSSAPIDelegateCredentials yes
The ssh server (rpidc2) has this in /etc/ssh/sshd_config
There is just this in /etc/krb5.conf
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
This all leads to this:
rowland@devstation:~$ ssh -K rpidc2.samdom.example.com
Linux rpidc2 5.10.52-v7l+ #1440 SMP Tue Jul 27 09:55:21 BST 2021 armv7l
The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Last login: Fri Oct 22 19:35:10 2021 from 192.168.0.49
SAMDOM\rowland@rpidc2:~$
Hope this helps.
Rowland
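An added example, not part of either message in this thread: a POSIX shell check for the naming mismatch described above. With the default GSSAPIStrictAcceptorCheck yes, sshd acquires acceptor credentials for host/<fqdn>@<REALM>, and MIT Kerberos looks that principal up in the keytab by exact, case-sensitive name; Samba's secrets.keytab carries the DC's SPNs as HOST/..., which is why sshd logs "No key table entry found matching host/boa.samba.lindenberg.one@". The two klist listings below are constructed here (hostname and realm taken from the thread), and the samba-tool invocation the script prints is an assumption about the fix to verify by re-running klist -k, not something either poster confirmed.

```shell
#!/bin/sh
# Added example (not from the thread). sshd with GSSAPIStrictAcceptorCheck yes
# (the default) needs the keytab entry host/<fqdn>@<REALM>, matched by exact
# case. Samba's secrets.keytab has the same names as HOST/..., so the lookup
# fails and sshd logs "No key table entry found matching host/<fqdn>@".

# Constructed `klist -k` listings (hostname and realm as in the thread; the
# listings themselves are built here). The first mirrors a symlinked
# secrets.keytab, the second a keytab after exporting the host/ principal.
SECRETS_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOST/boa@SAMBA.LINDENBERG.ONE
   2 HOST/boa.samba.lindenberg.one@SAMBA.LINDENBERG.ONE
   2 BOA$@SAMBA.LINDENBERG.ONE'

EXPORTED_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/boa.samba.lindenberg.one@SAMBA.LINDENBERG.ONE
   2 host/boa.samba.lindenberg.one@SAMBA.LINDENBERG.ONE
   2 host/boa.samba.lindenberg.one@SAMBA.LINDENBERG.ONE'

# has_sshd_principal LISTING FQDN REALM
# Returns 0 when the listing contains host/FQDN@REALM with exactly that case,
# i.e. the entry sshd's strict acceptor check will find. Header lines are
# skipped by requiring a numeric KVNO in the first column.
has_sshd_principal() {
    printf '%s\n' "$1" | awk -v want="host/$2@$3" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# case_mismatches LISTING FQDN REALM
# Prints entries equal to the wanted principal only when case is ignored:
# the "same name, wrong case" keys that explain the failure.
case_mismatches() {
    printf '%s\n' "$1" | awk -v want="host/$2@$3" '
        $1 ~ /^[0-9]+$/ && $2 != want && tolower($2) == tolower(want) { print $2 }' | sort -u
}

# check_keytab LISTING FQDN REALM: report the result and, on failure, the
# assumed fix (export just that principal on the DC, then re-check with klist -k).
check_keytab() {
    if has_sshd_principal "$1" "$2" "$3"; then
        echo "ok: keytab has host/$2@$3"
    else
        echo "missing: host/$2@$3 (sshd logs 'No key table entry found matching host/$2@')"
        case_mismatches "$1" "$2" "$3" | sed 's/^/  present only with different case: /'
        echo "  assumed fix, run on the DC, then re-run klist -k /etc/krb5.keytab:"
        echo "    samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/$2"
    fi
}

check_keytab "$SECRETS_KLIST"  boa.samba.lindenberg.one SAMBA.LINDENBERG.ONE
check_keytab "$EXPORTED_KLIST" boa.samba.lindenberg.one SAMBA.LINDENBERG.ONE
```

Run it against real output with `check_keytab "$(klist -k /etc/krb5.keytab)" "$(hostname -f)" REALM`. Setting GSSAPIStrictAcceptorCheck no, as tried above, sidesteps the name lookup rather than fixing the keytab; once the lowercase host/ entry is present the default strict setting can stay.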