Quinn Plattel
2012-Jul-10 14:07 UTC
[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
Hi, I solved my ssh GSSAPI problem. There were a lot of solutions on google referring to a proper fqdn in the /etc/hosts file and having the fqdn's/principals in the kerberos server's keytab file but I found out that my problem was that the samba4/kerberos server was running on a multi-homed machine and that the ssh server kerberos authentication needed the following parameter in order for it to work on multi-homed machines: GSSAPIStrictAcceptorCheck no The default is yes, using "no" will, according to the manpage "clients may authenticate against any service key stored in the machine's default store." I hope this helps others that have similar setups as I do. Thank you all for your input. br, Quinn
Ritter, Marcel - RRZE
2012-Jul-11 06:32 UTC
[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
Hi Quinn,
I just tried your solution (my machine is also multi-homed). However it
doesn't work for me. The man-page of sshd_config also states, that the
behavior of "GSSAPIStrictAcceptorCheck" may depend on the used
krb5 libraries.
Could you please have a look at the krb5 and openssh versions you're
using (and perhaps the linux distribution/version)?
BTW: I'm running:
Ubuntu 12.04 LTS
openssh-server 5.9p1-5ubuntu1
libkrb5-3 1.10+dfsg~beta1-2ubuntu0.1
auth.log mentions (during failed login):
Unspecified GSS failure.
Minor code may provide more information:
Wrong principal in request
Thanks,
Marcel
-----Urspr?ngliche Nachricht-----
Von: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
Im Auftrag von Quinn Plattel
Gesendet: Dienstag, 10. Juli 2012 16:08
An: samba
Betreff: Re: [Samba] How do I get an ssh client to authenticate with
samba4's kerberos GSSAPI? [Solved]
Hi,
I solved my ssh GSSAPI problem. There were a lot of solutions on google
referring to a proper fqdn in the /etc/hosts file and having the
fqdn's/principals in the kerberos server's keytab file but I found out
that my problem was that the samba4/kerberos server was running on a multi-homed
machine and that the ssh server kerberos authentication needed the following
parameter in order for it to work on multi-homed machines:
GSSAPIStrictAcceptorCheck no
The default is yes, using "no" will, according to the manpage
"clients may authenticate against any service key stored in the
machine's default store."
I hope this helps others that have similar setups as I do.
Thank you all for your input.
br,
Quinn
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Quinn Plattel
2012-Jul-16 12:34 UTC
[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
I think I take this back. This more a workaround than a solution. The workaround makes sshd use any principal found in the database, but a proper kerberos setup would look for the client's hostname principal only. The search goes on for a proper samba4 kerberos setup. :-) br, Quinn On Tue, Jul 10, 2012 at 4:07 PM, Quinn Plattel <qiet72 at gmail.com> wrote:> Hi, > > I solved my ssh GSSAPI problem. There were a lot of solutions on google > referring to a proper fqdn in the /etc/hosts file and having the > fqdn's/principals in the kerberos server's keytab file but I found out that > my problem was that the samba4/kerberos server was running on a multi-homed > machine and that the ssh server kerberos authentication needed the > following parameter in order for it to work on multi-homed machines: > > GSSAPIStrictAcceptorCheck no > > The default is yes, using "no" will, according to the manpage "clients may > authenticate against any service key stored in the machine's default store." > > I hope this helps others that have similar setups as I do. > > Thank you all for your input. > > br, > Quinn > > > >-- Best regards/Med venlig hilsen, Quinn Plattel