[Samba] OpenSSH with Kerberos?

Joachim Lindenberg samba at lindenberg.one
Mon Oct 25 17:01:35 UTC 2021


Hello Rowland, Louis,
thanks for your support! 

I do have ssh_config as suggested, except for PasswordAuthentication no - I don't want to lock myself out for now, and the debug output doesn't suggest that is the culprit.
You didn't include an sshd_config, unless it is supposed to be empty. Nevertheless, I got it to work. Actually, krb5.conf was the culprit on that DC. I can now log in locally and from a Windows client. Not yet sure whether it was just the recommended mapping or some other garbage in it.

Then I tried to reproduce the same on another DC, as I had gone through some more debugging before, and got it to work after:
Modifications to /etc/samba/smb.conf and /etc/security/pam_winbind.conf as in https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
Modifications to /etc/nsswitch.conf as in https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
Modifications as in https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM

As far as I can tell, the ln -s /var/lib/samba/private/secrets.keytab krb5.keytab is required, but I don't know why.

Not all of them might be relevant, though. One finding suggested by you I can confirm: one cannot log in from a DC to another DC, even though one can log in locally on a DC using SSH - looking forward to finding out why that doesn't work.
I didn't yet try on a domain member; I need to install one first (actually, the install finished, but conf and test are not yet done).
Thanks, Joachim


-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Monday, 25 October 2021 10:50
To: samba at lists.samba.org
Subject: Re: [Samba] OpenSSH with Kerberos?

On Mon, 2021-10-25 at 08:47 +0200, L.P.H. van Belle via samba wrote:
> Good Morning Rowland. 
> 
> 
> > -----Original Message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland 
> > Penny via samba
> > Sent: Friday, 22 October 2021 21:24
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] OpenSSH with Kerberos?
> > 
> > On Fri, 2021-10-22 at 19:01 +0200, Joachim Lindenberg via samba
> > wrote:
> > > Hello,
> > > 
> > > I am trying to get OpenSSH to work with Kerberos, but am failing.
> > > I
> > > followed
> > https://wiki.samba.org/index.php/OpenSSH_Single_sign-on, but
> > > I still need to provide a password (the AD password does work!) 
> > > instead of achieving single-sign-on. I did follow the recommended 
> > > auth_to_local mapping.
> > > 
> > 
> > I cannot ssh with kerberos from a Samba AD DC, but I can ssh with 
> > kerberos to a Samba AD DC.
> 
> In your last line you wrote, Rowland..
> You can't log in from a Samba AD DC to another Samba AD DC? 
> Works fine here; did you try with the default configs from Debian 
> and only enabling the GSSAPI part in sshd_config? 
> 
> That should work.
> 

Should and does are different things :-)

With the configs I posted earlier, I can log into a Unix domain member from a Samba AD DC, but not vice versa. I 'think' it must have something to do with the DC expecting 'DOMAIN\username' and the Unix domain member sending 'username'. I will investigate this as soon as possible.

Rowland
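The thread above boils down to a handful of files that all have to agree before GSSAPI login works: the GSSAPI keywords in sshd_config and ssh_config (the part Louis says should be enough on Debian), winbind in nsswitch.conf, and the /etc/krb5.keytab symlink Joachim found he needed. The script below is an added example written for this page, not code from the Samba wiki or from any of the posters; it checks those four things against a directory that mirrors /etc so it can be tried on constructed files (which it writes itself) or pointed at a live host with ROOT=/. Two points it encodes that the posts only hint at: OpenSSH applies the first occurrence of a keyword and ignores later duplicates, so a "GSSAPIAuthentication no" left higher in the file silently overrides the "yes" you add at the bottom, and sshd looks for its host/ key in the default keytab, /etc/krb5.keytab, which is why the symlink to the DC's secrets.keytab matters. The exact keytab path and the keyword names are taken from the messages above; everything else (file layout, sample contents) is an assumption for the demo.

```shell
#!/bin/sh
# Added example for this thread (not Samba wiki code): audit the pieces of an
# OpenSSH + Kerberos single-sign-on setup. $ROOT mirrors /etc; the fixtures
# written by write_fixture are constructed sample files, not real host config.

# Effective value of a keyword in sshd_config/ssh_config. OpenSSH uses the
# FIRST occurrence of a keyword and ignores later ones, so a stray
# "GSSAPIAuthentication no" above the line you added silently wins.
ssh_option() {    # $1 = config file, $2 = keyword (matched case-insensitively)
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Do the passwd and group databases in nsswitch.conf include winbind?
nss_has_winbind() {    # $1 = nsswitch.conf
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$1" || return 1
    done
    return 0
}

# Is $1 a symlink whose target is $2 (e.g. /etc/krb5.keytab -> secrets.keytab)?
keytab_links_to() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

# Run every check against $1 (use / for a live host). Returns 0 when all pass
# and prints one line per failed check otherwise.
audit_sso() {
    root="${1:-/}"; rc=0
    v="$(ssh_option "$root/etc/ssh/sshd_config" GSSAPIAuthentication)"
    [ "$v" = "yes" ] || { echo "sshd_config: GSSAPIAuthentication is '${v:-unset}', want yes"; rc=1; }
    v="$(ssh_option "$root/etc/ssh/ssh_config" GSSAPIAuthentication)"
    [ "$v" = "yes" ] || { echo "ssh_config: GSSAPIAuthentication is '${v:-unset}', want yes"; rc=1; }
    nss_has_winbind "$root/etc/nsswitch.conf" \
        || { echo "nsswitch.conf: passwd/group do not use winbind"; rc=1; }
    keytab_links_to "$root/etc/krb5.keytab" /var/lib/samba/private/secrets.keytab \
        || { echo "krb5.keytab: not a symlink to the Samba DC secrets keytab"; rc=1; }
    return $rc
}

# Constructed fixture: "good" mirrors a working DC; "shadowed" has the GSSAPI
# line added BELOW an earlier "no", the mistake the first-match rule punishes.
write_fixture() {    # $1 = directory, $2 = good|shadowed
    mkdir -p "$1/etc/ssh"
    {
        [ "$2" = shadowed ] && echo "GSSAPIAuthentication no"
        echo "GSSAPIAuthentication yes"
        echo "GSSAPICleanupCredentials yes"
    } > "$1/etc/ssh/sshd_config"
    printf 'Host *\n    GSSAPIAuthentication yes\n    GSSAPIDelegateCredentials yes\n' \
        > "$1/etc/ssh/ssh_config"
    printf 'passwd: files winbind\ngroup:  files winbind\n' > "$1/etc/nsswitch.conf"
    ln -sf /var/lib/samba/private/secrets.keytab "$1/etc/krb5.keytab"
}

demo_root="$(mktemp -d)"
write_fixture "$demo_root/good" good
write_fixture "$demo_root/shadowed" shadowed
audit_sso "$demo_root/good" && echo "good: all checks pass"
audit_sso "$demo_root/shadowed" || echo "shadowed: audit failed as expected"
rm -rf "$demo_root"
```

On a real DC, `audit_sso /` reports which of the four pieces is missing; a clean run still does not prove the host/ principal is actually in the keytab, so pair it with `klist -k /etc/krb5.keytab` and `ssh -vvv` to watch the GSSAPI exchange, as Joachim did.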


