Hello,

I am trying to get OpenSSH to work with Kerberos, but am failing. I followed https://wiki.samba.org/index.php/OpenSSH_Single_sign-on, but I still need to provide a password (the AD password does work!) instead of achieving single-sign-on. I did follow the recommended auth_to_local mapping, in case that matters.

Actually I am trying with both PuTTY from Windows and ssh from Ubuntu: ssh -v Joachim at boa.samba.lindenberg.one. In both cases I can use my AD password and log in, but I thought there should be no prompt at all for a password. After login, I am listed as SAMBA\joachim, not the SAMBA\Joachim I was expecting. As both clients fail, I suspect a server configuration issue, but which?

Thanks,
Joachim
On Fri, 2021-10-22 at 19:01 +0200, Joachim Lindenberg via samba wrote:
> Hello,
>
> I am trying to get OpenSSH to work with Kerberos, but am failing. I
> followed https://wiki.samba.org/index.php/OpenSSH_Single_sign-on, but
> I still need to provide a password (the AD password does work!)
> instead of achieving single-sign-on. I did follow the recommended
> auth_to_local mapping.
>

I cannot ssh with kerberos from a Samba AD DC, but I can ssh with kerberos to a Samba AD DC.

The ssh client (devstation) has this in /etc/ssh/ssh_config:

    Host *
        PasswordAuthentication no
        SendEnv LANG LC_*
        HashKnownHosts yes
        GSSAPIAuthentication yes
        GSSAPIKeyExchange yes
        GSSAPIRenewalForcesRekey yes
        GSSAPITrustDns yes

    Host *.samdom.example.com
        # It's best to limit this option to only trusted hosts:
        GSSAPIDelegateCredentials yes

The ssh server (rpidc2) has this in /etc/ssh/sshd_config

There is just this in /etc/krb5.conf:

    [libdefaults]
        default_realm = SAMDOM.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

This all leads to this:

    rowland at devstation:~$ ssh -K rpidc2.samdom.example.com
    Linux rpidc2 5.10.52-v7l+ #1440 SMP Tue Jul 27 09:55:21 BST 2021 armv7l

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Fri Oct 22 19:35:10 2021 from 192.168.0.49
    SAMDOM\rowland at rpidc2:~$

Hope this helps.

Rowland
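The per-host scoping that the comment in Rowland's ssh_config recommends for GSSAPIDelegateCredentials, as an added check that is not part of the thread or of OpenSSH: a small POSIX shell script that parses an ssh_config, reports which Host patterns delegate Kerberos credentials, and flags delegation under a bare "Host *". The two sample configs and their temporary file paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH): list the Host blocks in an
# ssh_config that enable GSSAPIDelegateCredentials and flag a wildcard such as
# "Host *", which would forward the user's Kerberos credentials to every server.
# Only Host blocks are parsed; Match blocks are not handled.

# Constructed sample configs (temporary, hypothetical paths): the scoped one
# mirrors Rowland's client config, the weak one delegates to every host.
TRUSTED_CFG=$(mktemp); WEAK_CFG=$(mktemp)
trap 'rm -f "$TRUSTED_CFG" "$WEAK_CFG"' EXIT
cat >"$TRUSTED_CFG" <<'EOF'
Host *
    GSSAPIAuthentication yes
Host *.samdom.example.com
    # It's best to limit this option to only trusted hosts:
    GSSAPIDelegateCredentials yes
EOF
cat >"$WEAK_CFG" <<'EOF'
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
EOF

# Print the Host pattern of every block that turns delegation on; settings
# that appear before any Host line are reported as "(global)".
delegating_hosts() {
    awk '{ key = tolower($1) }
         key == "host" { pattern = $2; for (i = 3; i <= NF; i++) pattern = pattern " " $i; next }
         key == "gssapidelegatecredentials" && tolower($2) == "yes" {
             print (pattern == "" ? "(global)" : pattern) }' "$1"
}

# Succeed when delegation is absent or limited to named patterns; fail when it
# is enabled globally or for a bare "Host *".
delegation_is_scoped() {
    if delegating_hosts "$1" | grep -Eqx '\*|\(global\)'; then return 1; fi
    return 0
}

for cfg in "$TRUSTED_CFG" "$WEAK_CFG"; do
    if delegation_is_scoped "$cfg"; then
        echo "$cfg: delegation limited to $(delegating_hosts "$cfg" | tr '\n' ' ')"
    else
        echo "$cfg: WARNING: GSSAPIDelegateCredentials enabled for a wildcard Host"
    fi
done
```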
Good Morning Rowland.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Friday 22 October 2021 21:24
> To: samba at lists.samba.org
> Subject: Re: [Samba] OpenSSH with Kerberos?
>
> On Fri, 2021-10-22 at 19:01 +0200, Joachim Lindenberg via samba wrote:
> > Hello,
> >
> > I am trying to get OpenSSH to work with Kerberos, but am failing. I
> > followed https://wiki.samba.org/index.php/OpenSSH_Single_sign-on, but
> > I still need to provide a password (the AD password does work!)
> > instead of achieving single-sign-on. I did follow the recommended
> > auth_to_local mapping.
> >
>
> I cannot ssh with kerberos from a Samba AD DC, but I can ssh with
> kerberos to a Samba AD DC.

On your last line you wrote, Rowland: you can't log in from a Samba AD DC to another Samba AD DC? Works fine here. Did you try with the default configs from Debian, and only enabling the GSSAPI part in sshd_config? That should work.

Greetz,

Louis