[Samba] OpenSSH with Kerberos?

Joachim Lindenberg samba at lindenberg.one
Sat Oct 23 09:28:34 UTC 2021


Hello Rowland,
thanks for giving it a try, but it didn't help so far.
Following https://www.ibm.com/support/pages/debugging-sshd-without-impacting-existing-sshd-sessions I fired up a debug server and got
debug1: Unspecified GSS failure.  Minor code may provide more information

Key table file '/etc/krb5.keytab' not found

Ok. Searched for that one: https://groups.google.com/g/linux.samba/c/_fpcVC-WBAM  and tried

samba-tool domain exportkeytab temp.keytab
klist -k temp.keytab | grep boa

output: 
   1 dns-boa@SAMBA.LINDENBERG.ONE
   1 dns-boa@SAMBA.LINDENBERG.ONE
   1 dns-boa@SAMBA.LINDENBERG.ONE

Actually I also tried just using the export, but then got

debug1: Unspecified GSS failure.  Minor code may provide more information
No key table entry found matching host/boa.samba.lindenberg.one@

I also tried a ln -s /var/lib/samba/private/secrets.keytab krb5.keytab
But klist -k krb5.keytab results in:

Keytab name: FILE:krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOST/boa@SAMBA.LINDENBERG.ONE
   2 HOST/boa.samba.lindenberg.one@SAMBA.LINDENBERG.ONE
   2 BOA$@SAMBA.LINDENBERG.ONE
   2 HOST/boa@SAMBA.LINDENBERG.ONE
   2 HOST/boa.samba.lindenberg.one@SAMBA.LINDENBERG.ONE
   2 BOA$@SAMBA.LINDENBERG.ONE
   2 HOST/boa@SAMBA.LINDENBERG.ONE
   2 HOST/boa.samba.lindenberg.one@SAMBA.LINDENBERG.ONE
   2 BOA$@SAMBA.LINDENBERG.ONE

In other words, it looks like sshd and Samba don't agree on how to name the system principal used to identify the ssh server.
boa.samba.lindenberg.one is one of my DCs.

If I set /etc/ssh/sshd_config
GSSAPIStrictAcceptorCheck no # not happy about this
Then this message disappears and I get to:

Failed gssapi-keyex for Joachim2 from 192.168.177.18 port 58234 ssh2
debug1: audit_event: unhandled event 13
debug3: mm_ssh_gssapi_userok: user not authenticated [preauth]
...

But afaik that doesn't really imply GSSAPIStrictAcceptorCheck does the trick, and I have to search for something else.

I also discovered https://narkive.com/M5kraUiz.7 but ktpass is not available on Ubuntu and the translation to ktutil is not obvious to me.

Any further hint?
Thanks, Joachim
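The two error messages above point at a naming mismatch that is easy to check mechanically: sshd's GSSAPI acceptor asks the keytab for host/<fqdn>@<REALM> (lowercase "host", as in "No key table entry found matching host/boa.samba.lindenberg.one@"), while the listing of secrets.keytab shows HOST/... entries, and keytab lookups compare principal names case-sensitively. The script below is an added example, not from the thread or from Samba; it parses `klist -k` output (the listing is constructed from the one in the mail, with only one entry per principal) and reports whether the exact principal is present, whether only a case-variant of it exists, or whether it is missing altogether. The function and variable names are my own.

```shell
#!/bin/sh
# Added example: check a keytab listing for the principal sshd will look up.
# Keytab name lookups are case-sensitive, so HOST/... does not satisfy a
# request for host/...  (this is the mismatch visible in the thread).

# Constructed sample: klist -k output modelled on the listing in the mail.
KLIST_OUTPUT='Keytab name: FILE:krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOST/boa@SAMBA.LINDENBERG.ONE
   2 HOST/boa.samba.lindenberg.one@SAMBA.LINDENBERG.ONE
   2 BOA$@SAMBA.LINDENBERG.ONE'

# sshd_acceptor_principal FQDN REALM
# Prints the principal sshd asks the keytab for when GSSAPIStrictAcceptorCheck
# is at its default (yes): host/<fqdn>@<REALM>.
sshd_acceptor_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# keytab_has_principal KLIST_TEXT PRINCIPAL
# Returns 0 if a keytab entry matches PRINCIPAL exactly (case-sensitive),
# 1 otherwise.  Entry lines start with a numeric KVNO; header lines do not.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# keytab_case_matches KLIST_TEXT PRINCIPAL
# Prints entries that equal PRINCIPAL only when case is ignored, i.e. the
# near-misses that a KDC may tolerate but a keytab lookup will not.
keytab_case_matches() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ && $2 != want && tolower($2) == tolower(want) { print $2 }' | sort -u
}

# diagnose_keytab KLIST_TEXT FQDN REALM
# Exit status: 0 = exact key present, 2 = only a case-variant present,
# 1 = no key for this host at all.
diagnose_keytab() {
    want=$(sshd_acceptor_principal "$2" "$3")
    if keytab_has_principal "$1" "$want"; then
        echo "ok: $want is in the keytab"
        return 0
    fi
    near=$(keytab_case_matches "$1" "$want")
    if [ -n "$near" ]; then
        echo "case mismatch: keytab has $near but sshd asks for $want"
        return 2
    fi
    echo "missing: $want is not in the keytab"
    return 1
}

# Usage on the constructed listing; on a real DC replace KLIST_OUTPUT with
# "$(klist -k /etc/krb5.keytab)".  The exit status is the verdict; "|| :"
# only keeps this demo line from aborting a script run under set -e.
diagnose_keytab "$KLIST_OUTPUT" boa.samba.lindenberg.one SAMBA.LINDENBERG.ONE || :
```

On the constructed listing this prints the "case mismatch" verdict. If a real DC's keytab shows the same, `samba-tool domain exportkeytab` accepts a `--principal=` argument, so exporting host/boa.samba.lindenberg.one@SAMBA.LINDENBERG.ONE into /etc/krb5.keytab by that exact name is the natural thing to try next; whether that alone resolves the later "user not authenticated" failure is not established by anything in the thread.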



-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Friday, 22 October 2021 21:24
To: samba at lists.samba.org
Subject: Re: [Samba] OpenSSH with Kerberos?

On Fri, 2021-10-22 at 19:01 +0200, Joachim Lindenberg via samba wrote:
> Hello,
> 
> I am trying to get OpenSSH to work with Kerberos, but am failing. I 
> followed https://wiki.samba.org/index.php/OpenSSH_Single_sign-on, but 
> I still need to provide a password (the AD password does work!) 
> instead of achieving single-sign-on. I did follow the recommended 
> auth_to_local mapping.
> 

I cannot ssh with kerberos from a Samba AD DC, but I can ssh with kerberos to a Samba AD DC.

The ssh client (devstation) has this in /etc/ssh/ssh_config

Host *
   PasswordAuthentication no
   SendEnv LANG LC_*
   HashKnownHosts yes
   GSSAPIAuthentication yes
   GSSAPIKeyExchange yes
   GSSAPIRenewalForcesRekey yes
   GSSAPITrustDns yes
Host *.samdom.example.com
   # It's best to limit this option to only trusted hosts:
   GSSAPIDelegateCredentials yes

The ssh server (rpidc2) has this in /etc/ssh/sshd_config

There is just this in /etc/krb5.conf

[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

This all leads to this:

rowland@devstation:~$ ssh -K rpidc2.samdom.example.com
Linux rpidc2 5.10.52-v7l+ #1440 SMP Tue Jul 27 09:55:21 BST 2021 armv7l

The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Last login: Fri Oct 22 19:35:10 2021 from 192.168.0.49
SAMDOM\rowland@rpidc2:~$

Hope this helps.

Rowland


