[Samba] OpenSSH with Kerberos?

L.P.H. van Belle belle at bazuin.nl
Mon Oct 25 06:40:59 UTC 2021


Looks like its missing a setting in kerberos (/etc/krb5.conf) to me. 

>From wiki what i did and did not. 

I did not make any changes in /etc/security/pam_winbind.conf 
I did not add the parts in krb5.conf
I dont have my "user homedir" mapped also, only admins login on my AD-DC's. 

I dont advice setting this one, unles is really really needed, but better fix the DNS setup.
[libdefaults]
    rdns = false

And Ssh client setup as showin in the wiki..

And.. it "just" works. 

If its because you also use other softare, symlin krb5.keytab to /etc/krb5.keytab 
But should not be needed.



Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland Penny via samba
> Verzonden: zaterdag 23 oktober 2021 12:52
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] OpenSSH with Kerberos?
> 
> On Sat, 2021-10-23 at 11:28 +0200, Joachim Lindenberg via samba wrote:
> > Hello Rowland,
> > thanks for giving it a try, but didn´t help so far. 
> > Following 
> > 
> https://www.ibm.com/support/pages/debugging-sshd-without-impac
ting-existing-sshd-sessions
> > I fired up a debug server and got
> > debug1: Unspecified GSS failure.  Minor code may provide more
> > information
> > 
> > Key table file '/etc/krb5.keytab' not found
> 
> Forget that Samba wiki page, it doesn't seem to work.
> Did you set /etc/ssh/ssh_config on the ssh client as I 
> showed, no other
> lines ?
> Did you set /etc/ssh/sshd_config on the ssh server as I showed, no
> other lines ?
> 
> Did you set /etc/krb5.conf on both machines as I showed ?
> Is the user known on both machines as a 'local' (does 'getent passwd
> username' produce output ?) 
> 
> If all the above is correct, then running this:
> 
> ssh -K rpidc2.samdom.example.com -v
> 
> Should produce something like this:
> 
> rowland at devstation:~$ ssh -K rpidc2.samdom.example.com -v
> OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d  10 Sep 2019
> debug1: Reading configuration data /home/rowland/.ssh/config
> debug1: /home/rowland/.ssh/config line 1: Applying options for
> rpidc2.samdom.example.com
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 19: Applying options for *
> debug1: /etc/ssh/ssh_config line 61: Applying options for
> *.samdom.example.com
> debug1: Connecting to rpidc2.samdom.example.com [192.168.0.4] port 22.
> debug1: Connection established.
> debug1: identity file /home/rowland/.ssh/id_rsa type 0
> debug1: identity file /home/rowland/.ssh/id_rsa-cert type -1
> debug1: identity file /home/rowland/.ssh/id_dsa type -1
> debug1: identity file /home/rowland/.ssh/id_dsa-cert type -1
> debug1: identity file /home/rowland/.ssh/id_ecdsa type -1
> debug1: identity file /home/rowland/.ssh/id_ecdsa-cert type -1
> debug1: identity file /home/rowland/.ssh/id_ed25519 type 3
> debug1: identity file /home/rowland/.ssh/id_ed25519-cert type -1
> debug1: identity file /home/rowland/.ssh/id_xmss type -1
> debug1: identity file /home/rowland/.ssh/id_xmss-cert type -1
> debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
> debug1: Remote protocol version 2.0, remote software version
> OpenSSH_7.9p1 Raspbian-10+deb10u2+rpt1
> debug1: match: OpenSSH_7.9p1 Raspbian-10+deb10u2+rpt1 pat OpenSSH*
> compat 0x04000000
> debug1: Authenticating to rpidc2.samdom.example.com:22 as 'rowland'
> debug1: Offering GSSAPI proposal: gss-gex-sha1-
> toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-
> group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-
> eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-
> group14-sha1-eipGX3TCiQSrx573bT1o1Q==
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: algorithm: curve25519-sha256
> debug1: kex: host key algorithm: ecdsa-sha2-nistp256
> debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC:
> <implicit> compression: none
> debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC:
> <implicit> compression: none
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug1: Server host key: ecdsa-sha2-nistp256
> SHA256:5IIf4cKddxvWfp20c2hPo6z5a+jtAmeGoHWrDHnw4nU
> debug1: Host 'rpidc2.samdom.example.com' is known and matches 
> the ECDSA
> host key.
> debug1: Found key in /home/rowland/.ssh/known_hosts:225
> debug1: rekey after 134217728 blocks
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: rekey after 134217728 blocks
> debug1: Will attempt key: /home/rowland/.ssh/id_ed25519 ED25519
> SHA256:tTo2urUSsZgZufWKJvFCyI9uCrNikcpArBi0AvYvmHk agent
> debug1: Will attempt key: /home/rowland/.ssh/id_rsa RSA
> SHA256:L0GMmCkgo7Ik3ncxWUJdcGIfRAGWnENt2gdSyNKgA4c agent
> debug1: Will attempt key: /home/rowland/.ssh/id_dsa 
> debug1: Will attempt key: /home/rowland/.ssh/id_ecdsa 
> debug1: Will attempt key: /home/rowland/.ssh/id_xmss 
> debug1: SSH2_MSG_EXT_INFO received
> debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-
> sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-
> nistp384,ecdsa-sha2-nistp521>
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,gssapi-
> keyex,gssapi-with-mic,password
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug1: Next authentication method: gssapi-with-mic
> debug1: Delegating credentials
> debug1: Delegating credentials
> debug1: Authentication succeeded (gssapi-with-mic).
> Authenticated to rpidc2.samdom.example.com ([192.168.0.4]:22).
> debug1: channel 0: new [client-session]
> debug1: Requesting no-more-sessions at openssh.com
> debug1: Entering interactive session.
> debug1: pledge: network
> debug1: client_input_global_request: rtype hostkeys-00 at openssh.com
> want_reply 0
> debug1: Sending environment.
> debug1: Sending env LANG = en_GB.UTF-8
> Linux rpidc2 5.10.52-v7l+ #1440 SMP Tue Jul 27 09:55:21 BST 
> 2021 armv7l
> 
> The programs included with the Debian GNU/Linux system are free
> software;
> the exact distribution terms for each program are described in the
> individual files in /usr/share/doc/*/copyright.
> 
> Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> permitted by applicable law.
> Last login: Sun Aug  1 11:37:28 2021 from 192.168.0.49
> SAMDOM\rowland at rpidc2:~$
> 
> As you can see the user can SSH from 'devstation' to 'rpidc2'
> 
> Rowland
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 




More information about the samba mailing list