Quinn Plattel
2012-Jul-09 13:12 UTC
[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?
Hi,
I am doing some kerberos testing with samba4 using ssh. I have set up
samba4 using the howto at http://wiki.samba.org/index.php/Samba4/HOWTO and
active directory seems to be working both with Windows and Linux clients.
ssh unfortunately is not kerberos authenticating via GSSAPI. The client
krb5.conf contains this:
====================================================
[libdefaults]
default_realm = MYDOMAIN.NET
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
dns_fallback = yes
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
MYDOMAIN.NET = {
kdc = cofil01.mydomain.net:88
default_domain = mydomain.net
}
[domain_realm]
.mydomain.net = MYDOMAIN.NET
mydomain.net = MYDOMAIN.NET
[login]
krb4_convert = true
krb4_get_tickets = false
===================================================
The server side krb5.conf contains this:
===================================================
[libdefaults]
default_realm = MYDOMAIN.NET
dns_lookup_realm = false
dns_lookup_kdc = true
===================================================
No kerberos errors show up in "log.samba" on the server side even
though samba is started with "-d 5".
On the client side, I do a "kinit user" - it succeeds.
I then do a klist and it lists my current ticket for user.
Then I try "ssh -vvvl user cofil01.mydomain.net", and I get the following
lines:
===================================================
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
===================================================
"hostname -f" on the client reveals:
ubuntu-test.mydomain.net
I can both forward and reverse resolve cofil01.mydomain.net on the client
side.
Is it necessary to create a /etc/krb5.keytab file on the client in order
for ssh kerberos authentication to work?
--
br,
Quinn
Quinn Plattel
2012-Jul-09 13:16 UTC
[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?
Hi,
Forgot to mention that the client side's ssh configuration
(/etc/ssh/ssh_config) has the following lines:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPITrustDns yes
The server side ssh configuration (/etc/ssh/sshd_config) has the following
lines:
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanupCredentials yes
br,
Quinn
Quinn Plattel
2012-Jul-10 07:14 UTC
[Samba] Fwd: How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?
This should go to the list as well....

---------- Forwarded message ----------
From: Quinn Plattel <qiet72 at gmail.com>
Date: Tue, Jul 10, 2012 at 9:13 AM
Subject: Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI?
To: "Ritter, Marcel - RRZE" <marcel.ritter at rrze.fau.de>

Hi Marcel,
Maybe you could do a "klist -ke /etc/krb5.keytab" on both machines so we can see the differences?
br,
Quinn

On Mon, Jul 9, 2012 at 5:17 PM, Ritter, Marcel - RRZE <marcel.ritter at rrze.fau.de> wrote:
> Hi Quinn,
>
> I've tried to get ssh Kerberos/gssapi login working on my Samba4 DC,
> no luck so far.
>
> However, after joining two VMs to this domain using Samba 3, ssh
> logins work between those two machines (not towards the DC).
>
> The only relevant difference I found while searching for a solution
> was in the krb5.keytab: it looks like Samba4 and Samba3
> create different entries there (upper/lower case differ). I don't have
> the VMs up and running at the moment, but I can supply the details if
> it helps to fix this problem - just let me know.
>
> Bye,
> Marcel
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On behalf of Quinn Plattel
> Sent: Monday, 9 July 2012 15:17
> To: samba
> Subject: Re: [Samba] How do I get an ssh client to authenticate with
> samba4's kerberos GSSAPI?

--
Best regards/Med venlig hilsen,
Quinn Plattel
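The check Quinn proposes (comparing `klist -ke` output) can be scripted: the ssh client asks the KDC for a ticket to `host/<fqdn>@REALM`, and sshd can only accept it if the keytab holds that exact principal with an enctype the client is allowed to use. The script below is an added example, not code from the thread or from Samba or OpenSSH; the keytab listing is constructed to reproduce the upper/lower-case difference Marcel describes, and the enctype list is taken from the client krb5.conf in the thread.

```bash
#!/bin/bash
# Constructed sample of `klist -ke /etc/krb5.keytab` output (not from the
# thread); assumes the DC wrote the host name in a different case than DNS
# returns, as Marcel observed between Samba3 and Samba4 keytabs.
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/COFIL01.mydomain.net@MYDOMAIN.NET (arcfour-hmac)
   1 host/COFIL01.mydomain.net@MYDOMAIN.NET (aes256-cts-hmac-sha1-96)
   1 COFIL01$@MYDOMAIN.NET (arcfour-hmac)'

# Map krb5.conf enctype names to what klist prints (arcfour-hmac-md5 is an
# alias of arcfour-hmac; the DES names are printed as written).
klist_enctype_name() {
  case "$1" in
    arcfour-hmac-md5|rc4-hmac) echo arcfour-hmac ;;
    *) echo "$1" ;;
  esac
}

# check_host_principal FQDN REALM "ENCTYPES" LISTING
# FQDN: the server name as the client resolves it (GSSAPITrustDns uses the
# DNS canonical name); ENCTYPES: the client's default_tgs_enctypes.
# Returns 0: usable key; 1: name matches only ignoring case; 2: name present
# but no key in any of the client's enctypes; 3: no host/ entry for the name.
check_host_principal() {
  local fqdn="$1" realm="$2" enctypes="$3" listing="$4"
  local want="host/${fqdn}@${realm}" exact ci et name
  # On key lines field 2 is the principal and field 3 the bracketed enctype.
  exact=$(printf '%s\n' "$listing" | awk -v p="$want" '$2 == p {print $3}')
  if [ -n "$exact" ]; then
    for et in $enctypes; do
      name=$(klist_enctype_name "$et")
      case "$exact" in *"($name)"*) echo "OK: $want has a $et key"; return 0 ;; esac
    done
    echo "ENCTYPE MISMATCH: $want present, but no key among: $enctypes"; return 2
  fi
  ci=$(printf '%s\n' "$listing" | awk -v p="$want" 'tolower($2) == tolower(p) {print $2; exit}')
  if [ -n "$ci" ]; then
    echo "CASE MISMATCH: client will ask for $want, keytab holds $ci"; return 1
  fi
  echo "MISSING: no host/ entry for $want in keytab"; return 3
}

# Stand-alone run with the client enctypes from the thread's krb5.conf.
rc=0
check_host_principal cofil01.mydomain.net MYDOMAIN.NET \
  "arcfour-hmac-md5 des-cbc-crc des-cbc-md5" "$KEYTAB_LISTING" || rc=$?
echo "exit status: $rc"
```

Run it with the real `klist -ke` output captured on the server and the name from `hostname -f` (or the DNS canonical name) to see which of the three failure modes applies before touching the keytab.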