samba - Feb 2014 - samba4 success/failure report...all's working despite kerberized ssh

Just a tip...

is all server have same time ?

not sure that will help you.. 

-----------------------------------
St?phane PURNELLE                         Admin. Syst?mes et R?seaux 
Service Informatique       Corman S.A.           Tel : 00 32 (0)87/342467

samba-technical-bounces at lists.samba.org wrote on 20/02/2014 10:46:38:
> De : Georg Hopp <georg at steffers.org>
> A : Sumit Bose <sbose at redhat.com>, 
> Cc : samba-technical at lists.samba.org
> Date : 20/02/2014 10:47
> Objet : Re: samba4 success/failure report...all's working despite 
> kerberized ssh
> Envoy? par : samba-technical-bounces at lists.samba.org
> 
> On Wed, Feb 19, 2014 at 12:09:32PM +0000, Georg Hopp wrote:
> > On Wed, Feb 19, 2014 at 11:50:59AM +0100, Sumit Bose wrote:
> > > 
> > > This looks all good, the additional output after kdestroy is due
to
the
> > > fact that the TGT must be requested here too.
> > > 
> > > Can you run sshd on mail with KRB5_TRACE as well?
> > > 
> > > bye,
> > > Sumit
> > > 
> > 
> > KRB5_TRACE=/dev/stdout /usr/sbin/sshd -ddd -p 2222
> > 
> > I am sorry, this does not reveal any new messages...
> > 
> > but I think kerberos authentication is active:
> 
> OK, I have no more idea...
> 
> I also added a .k5login file in the users homedir in the server.
> Content was only one line:
> 
> test at WEIRD-WEB-WORKERS.ORG
> 
> But this hasen't helped either. If I understand the use of .k5login
> correct it's purpose is for mappings if the username within the
> directory is not the same as on the system, e.g. if I want to
> let test log into an account foo on the system.
> 
> To summarize:
> 
> - The user is configured in samba4 ldap (no local user)
> - Not using gssapi and use password challange works.
>    * It does not matter if I deactivate gssapi in the client or server,
>      as soon as it is deactivated I get a password challange and can
>      log in.
> - As soon as client and server are configured to use gssapi the server
>   closes the connection when it should process the gssapi-with-mic
>   package.
> 
> Hmm, this gssapi-with-mic packet should be traceable...
> I could send in a tcpdump if that would be of any help but I
> don't know what options to use for it to generate useful output.
> 
> Can anyone help me with this...
> 
> best regards
>    Georg
> [attachment "signature.asc" deleted by St?phane
PURNELLE/COR/SOPARIND]