[Samba] OpenSSH with Kerberos?

Rowland Penny rpenny at samba.org
Mon Oct 25 08:50:23 UTC 2021


On Mon, 2021-10-25 at 08:47 +0200, L.P.H. van Belle via samba wrote:
> Good Morning Rowland. 
> 
> 
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> > Rowland Penny via samba
> > Verzonden: vrijdag 22 oktober 2021 21:24
> > Aan: samba at lists.samba.org
> > Onderwerp: Re: [Samba] OpenSSH with Kerberos?
> > 
> > On Fri, 2021-10-22 at 19:01 +0200, Joachim Lindenberg via samba
> > wrote:
> > > Hello,
> > > 
> > > I am trying to get OpenSSH to work with Kerberos, but am failing.
> > > I
> > > followed 
> > https://wiki.samba.org/index.php/OpenSSH_Single_sign-on, but
> > > I still need to provide a password (the AD password does work!)
> > > instead of achieving single-sign-on. I did follow the recommended
> > > auth_to_local mapping.
> > > 
> > 
> > I cannot ssh with kerberos from a Samba AD DC, but I can ssh with
> > kerberos to a Samba AD DC.
> 
> On you last line you wrote Rowland..
> You cant login from an samba AD-DC to other samba AD-DC? 
> Works fine here, you tried with the defaults configs from debian. 
> And only enable-ing the GSSAPI part in sshd_config? 
> 
> That should work.
> 

Should and does are different things :-)

With the configs I posted earlier, I can log into a Unix domain member
from a Samba AD DC, but not visa-versa. I 'think' it must have
something to do with the DC expecting 'DOMAIN\username' and the Unix
domain member sending 'username'. I will investigate this as soon as
possible.

Rowland





More information about the samba mailing list