I try to get Samba 4 with ssh running.

I found in the script from Matthieu Patou for the sysvol sync the following interesting lines:

---
kinit -k -t /etc/krb5.keytab `hostname -s | tr "[:lower:]" "[:upper:]"`\$
rsync -X -u -a $dc_account_name\$@${dc}.${domain}:$SYSVOL $STAGING
---

If I understand correctly, he uses the domain controller's service principal to connect to the other domain controller. I know that for that I need a working /etc/krb5.keytab.

e.g. I have two S4 DCs:

bob
alice

I have done the following. I want to connect from bob to alice with the service accounts.

I added the following to both of the DCs:

sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes

ssh_config
GSSAPIAuthentication yes
GSSAPIDelegationCredentials yes
GSSAPIKeyExchange yes
GSSAPITrustDNS yes

After that I created the keytab; I know I need a working ticket.

Samba-tool domain exportkeytab /etc/krb5.keytab -principal=alice$

I get the ticket on bob for alice with:

kinit -v -k -t /etc/krb5.keytab alice$

After that I tried to get an ssh connection to alice with (forcing a GSSAPI connection):

ssh -vvv -K alice\$@alice.example.local

When I look in the logs on alice, I always see the following error message:

"No principal in keytab matches the desired name"

And

May 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user alice$ service ssh-connection method none [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: attempt 0 failures 0 [preauth]
May 25 13:43:44 alice sshd[29647]: Invalid user alice$ from 192.168.24.3
May 25 13:43:44 alice sshd[29647]: debug1: Unable to open the btmp file /var/log/btmp: No such file or directory
May 25 13:43:44 alice sshd[29647]: input_userauth_request: invalid user alice$ [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: PAM: initializing for "alice$"
May 25 13:43:44 alice sshd[29647]: debug1: PAM: setting PAM_RHOST to "bob.swi.local"
May 25 13:43:44 alice sshd[29647]: debug1: PAM: setting PAM_TTY to "ssh"
May 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user alice$ service ssh-connection method gssapi-with-mic [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: attempt 1 failures 0 [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user alice$ service ssh-connection method gssapi-with-mic [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: attempt 2 failures 1 [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user alice$ service ssh-connection method gssapi-with-mic [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: attempt 3 failures 2 [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: userauth-request for user alice$ service ssh-connection method keyboard-interactive [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: attempt 4 failures 3 [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: keyboard-interactive devs [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: auth2_challenge: user=alice$ devs= [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: kbdint_alloc: devices 'pam' [preauth]
May 25 13:43:44 alice sshd[29647]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]

I am confused. Is there something I have forgotten? PAM? I read that I maybe need a "HOST/" principal for ssh. Is that the problem?

Anyone have an idea?

Sven
On Sun, 2014-05-25 at 11:56 +0000, Vogel, Sven wrote:
> I try to get Samba 4 with ssh running.
[...]
> Samba-tool domain exportkeytab /etc/krb5.keytab -principal=alice$
[...]
> "No principal in keytab matches the desired name"
[...]
> I am confused. Is there something I have forgotten? PAM? I read that I maybe need a "HOST/" principal for ssh. Is that the problem?

Extract the machine key:

samba-tool domain exportkeytab /etc/krb5.keytab --principal=ALICE$

If ssh needs host/, add that too.

HTH
Steve
On 25/05/14 12:56, Vogel, Sven wrote:
> I try to get Samba 4 with ssh running.
[...]
> I want to connect from bob to alice with the service accounts
[...]
> ssh -vvv -K alice\$@alice.example.local
>
> When I look in the logs on alice, I always see the following error message:
>
> "No principal in keytab matches the desired name"
[...]
> I am confused. Is there something I have forgotten? PAM? I read that I maybe need a "HOST/" principal for ssh. Is that the problem?
>
> Anyone have an idea?
>
> Sven

OK, I can connect from my second DC to my first DC via Kerberos, try this:

On the server you want to connect to (FIRST DC, bob in your case):

nano /etc/ssh/sshd_config:

GSSAPIAuthentication yes
GSSAPICleanupCredentials no
GSSAPIKeyExchange yes
GSSAPIStrictAcceptorCheck no

On the client (second DC, alice):

samba-tool domain exportkeytab /etc/krb5.keytab --principal=ALICE$
kinit -k -t /etc/krb5.keytab -c /tmp/krb5cc_ALICE$ ALICE$
ssh -K ALICE\$@alice.example.local

#################################################

On my system it led to this:

root@dc2:~# ssh -K DC1\$@dc1.example.local
Creating directory '/home/DOMAIN/DC1$'.
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sun May 25 16:24:38 BST 2014

  System load:  0.04              Processes:           141
  Usage of /home:   0.0% of 119.75GB   Users logged in:     1
  Memory usage: 50%               IP address for eth0: 192.168.0.5
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

0 packages can be updated.
0 updates are security updates.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

DOMAIN\DC1dc1:~$ pwd
/home/DOMAIN/DC1$

Rowland
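The sshd log in Sven's post shows two independent failures before GSSAPI is even tried: "No principal in keytab matches the desired name" (sshd cannot find its own acceptor principal, host/<fqdn>@REALM, in /etc/krb5.keytab) and "Invalid user alice$" (the login name does not resolve to a POSIX account, so sshd rejects it regardless of the Kerberos ticket). Rowland's recipe works because both of those are satisfied on his DCs. The following pre-flight checker is an added example written for this thread; it is not code from the thread, from Samba or from OpenSSH. It works on pasted text so it runs offline: the `klist -k` listing, sshd_config excerpt and `getent passwd` lines below are constructed, and the hostname alice.example.local with realm EXAMPLE.LOCAL is assumed from the `alice.example.local` in the original post. On a real DC you would feed it `klist -k /etc/krb5.keytab`, `cat /etc/ssh/sshd_config` and `getent passwd` instead.

```shell
#!/bin/sh
# Added pre-flight checker for GSSAPI ssh logins between Samba AD DCs.
# Not from the thread, Samba or OpenSSH. It checks, on the *server* side:
#   1. the keytab holds sshd's acceptor principal host/<fqdn>@REALM
#      ("No principal in keytab matches the desired name" otherwise);
#   2. sshd_config enables GSSAPIAuthentication. sshd takes the FIRST
#      value it finds for a keyword, so a later "yes" never overrides an
#      earlier "no"; the check reproduces that rule;
#   3. the login name resolves to a POSIX account via NSS/winbind
#      ("Invalid user alice$" otherwise, and GSSAPI is never consulted).
# Hostname, realm and all sample listings below are constructed for the demo.

# keytab_has_principal LISTING PRINCIPAL
#   LISTING is the text of `klist -k /etc/krb5.keytab` (KVNO, Principal
#   columns). Exact match: the realm must be upper case, as in a real keytab.
keytab_has_principal() {
    printf '%s\n' "$1" |
        awk -v p="$2" 'NF >= 2 && $2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# sshd_option CONFIG_TEXT KEYWORD
#   Prints the lower-cased value sshd would use: the first non-comment line
#   whose keyword matches (case-insensitively), nothing if the keyword is absent.
sshd_option() {
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$1" |
        awk -v k="$key" '/^[[:space:]]*(#|$)/ { next }
                         tolower($1) == k { print tolower($2); exit }'
}

# user_resolves PASSWD_TEXT LOGIN
#   PASSWD_TEXT is the output of `getent passwd` (winbind entries included).
user_resolves() {
    printf '%s\n' "$1" |
        awk -F: -v u="$2" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# gssapi_preflight KEYTAB_LISTING SSHD_CONFIG PASSWD_TEXT FQDN REALM LOGIN
#   Prints one line per check and returns the number of failed checks (0..3).
gssapi_preflight() {
    failures=0
    if keytab_has_principal "$1" "host/$4@$5"; then
        echo "ok   keytab has host/$4@$5"
    else
        echo "FAIL keytab lacks host/$4@$5 (sshd's acceptor principal)"
        failures=$((failures + 1))
    fi
    if [ "$(sshd_option "$2" GSSAPIAuthentication)" = yes ]; then
        echo "ok   sshd_config: GSSAPIAuthentication yes"
    else
        echo "FAIL sshd_config: GSSAPIAuthentication is not 'yes' (first occurrence wins)"
        failures=$((failures + 1))
    fi
    if user_resolves "$3" "$6"; then
        echo "ok   login name '$6' resolves to a POSIX account"
    else
        echo "FAIL login name '$6' does not resolve (sshd logs 'Invalid user')"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# --- constructed sample inputs ------------------------------------------------
# Keytab as in the original post: only the machine account was exported.
KEYTAB_BEFORE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 alice$@EXAMPLE.LOCAL'
# The same keytab once the host/ principal the thread mentions is present too.
KEYTAB_AFTER="$KEYTAB_BEFORE
   2 host/alice.example.local@EXAMPLE.LOCAL"
# sshd_config excerpt matching the settings used in the thread.
SSHD_CONFIG_OK='# constructed sshd_config excerpt
GSSAPIAuthentication yes
GSSAPIKeyExchange yes'
# `getent passwd` without, then with, winbind resolving the machine account.
PASSWD_BEFORE='root:x:0:0:root:/root:/bin/bash'
PASSWD_AFTER='root:x:0:0:root:/root:/bin/bash
alice$:*:3000001:3000000::/home/EXAMPLE/alice$:/bin/false'

echo "== before: setup from the original post =="
gssapi_preflight "$KEYTAB_BEFORE" "$SSHD_CONFIG_OK" "$PASSWD_BEFORE" \
    alice.example.local EXAMPLE.LOCAL 'alice$' && rc=0 || rc=$?
echo "failed checks: $rc"
echo "== after: host/ principal exported and account resolvable =="
gssapi_preflight "$KEYTAB_AFTER" "$SSHD_CONFIG_OK" "$PASSWD_AFTER" \
    alice.example.local EXAMPLE.LOCAL 'alice$' && rc=0 || rc=$?
echo "failed checks: $rc"
```

Run it on the DC that is being connected to (alice in Sven's setup), since all three checks concern the acceptor side; the client side only needs the `kinit -k -t /etc/krb5.keytab` ticket that both replies show. The "first occurrence wins" rule in `sshd_option` is the one that usually bites when a distribution ships `GSSAPIAuthentication no` near the top of sshd_config and the admin appends `yes` at the bottom.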