Quinn Plattel
2012-Jul-10 14:07 UTC
[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
Hi,

I solved my ssh GSSAPI problem. There were a lot of solutions on google referring to a proper fqdn in the /etc/hosts file and having the fqdn's/principals in the kerberos server's keytab file but I found out that my problem was that the samba4/kerberos server was running on a multi-homed machine and that the ssh server kerberos authentication needed the following parameter in order for it to work on multi-homed machines:

GSSAPIStrictAcceptorCheck no

The default is yes, using "no" will, according to the manpage "clients may authenticate against any service key stored in the machine's default store."

I hope this helps others that have similar setups as I do.

Thank you all for your input.

br,
Quinn
Ritter, Marcel - RRZE
2012-Jul-11 06:32 UTC
[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
Hi Quinn,

I just tried your solution (my machine is also multi-homed). However, it doesn't work for me. The man page of sshd_config also states that the behavior of "GSSAPIStrictAcceptorCheck" may depend on the krb5 libraries used.

Could you please have a look at the krb5 and openssh versions you're using (and perhaps the linux distribution/version)?

BTW: I'm running:

Ubuntu 12.04 LTS
openssh-server 5.9p1-5ubuntu1
libkrb5-3 1.10+dfsg~beta1-2ubuntu0.1

auth.log mentions (during failed login):

Unspecified GSS failure. Minor code may provide more information: Wrong principal in request

Thanks,
Marcel

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Quinn Plattel
Sent: Tuesday, July 10, 2012 16:08
To: samba
Subject: Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]

Hi,

I solved my ssh GSSAPI problem. There were a lot of solutions on google referring to a proper fqdn in the /etc/hosts file and having the fqdn's/principals in the kerberos server's keytab file but I found out that my problem was that the samba4/kerberos server was running on a multi-homed machine and that the ssh server kerberos authentication needed the following parameter in order for it to work on multi-homed machines:

GSSAPIStrictAcceptorCheck no

The default is yes, using "no" will, according to the manpage "clients may authenticate against any service key stored in the machine's default store."

I hope this helps others that have similar setups as I do.

Thank you all for your input.

br,
Quinn
Quinn Plattel
2012-Jul-16 12:34 UTC
[Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
I think I take this back. This is more a workaround than a solution. The workaround makes sshd use any principal found in the database, but a proper kerberos setup would look for the client's hostname principal only.

The search goes on for a proper samba4 kerberos setup. :-)

br,
Quinn

On Tue, Jul 10, 2012 at 4:07 PM, Quinn Plattel <qiet72 at gmail.com> wrote:
> Hi,
>
> I solved my ssh GSSAPI problem. There were a lot of solutions on google
> referring to a proper fqdn in the /etc/hosts file and having the
> fqdn's/principals in the kerberos server's keytab file but I found out that
> my problem was that the samba4/kerberos server was running on a multi-homed
> machine and that the ssh server kerberos authentication needed the
> following parameter in order for it to work on multi-homed machines:
>
> GSSAPIStrictAcceptorCheck no
>
> The default is yes, using "no" will, according to the manpage "clients may
> authenticate against any service key stored in the machine's default store."
>
> I hope this helps others that have similar setups as I do.
>
> Thank you all for your input.
>
> br,
> Quinn

--
Best regards/Med venlig hilsen,
Quinn Plattel
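
The trade-off discussed in this thread, as an added example (not code from any poster, Samba or OpenSSH): a Python audit that reads an sshd_config and `klist -k` output and lists which keytab principals sshd would accept tickets for under each GSSAPIStrictAcceptorCheck setting. It assumes the sshd_config(5) wording (yes: only the host service on the current hostname; no: any key in the default keytab); host names, realm and keytab contents are constructed.

```python
import re

# Constructed sample inputs (not from the thread): an sshd_config excerpt and
# `klist -k /etc/krb5.keytab` output for a hypothetical host dc1.example.test.
SSHD_CONFIG = """\
GSSAPIAuthentication yes
GSSAPIStrictAcceptorCheck no
"""
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   1 host/dc1.example.test@EXAMPLE.TEST
   1 host/dc1-backup.example.test@EXAMPLE.TEST
   1 cifs/dc1.example.test@EXAMPLE.TEST
   1 DC1$@EXAMPLE.TEST
"""

def sshd_option(config, name, default):
    """Return the first value set for `name`; sshd uses the first occurrence."""
    for line in config.splitlines():
        parts = re.split(r"[\s=]+", line.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            return parts[1].strip().strip('"').lower()
    return default

def keytab_principals(klist_output):
    """Extract principals from `klist -k` rows of the form '<kvno> <principal>'."""
    rows = (re.match(r"\s*\d+\s+(\S+@\S+)\s*$", l) for l in klist_output.splitlines())
    return sorted({m.group(1) for m in rows if m})

def audit(config, klist_output, hostname):
    """Report which keytab keys sshd will accept GSSAPI tickets for."""
    strict = sshd_option(config, "GSSAPIStrictAcceptorCheck", "yes") == "yes"
    principals = keytab_principals(klist_output)
    own = [p for p in principals if p.lower().startswith(f"host/{hostname.lower()}@")]
    # Strict: only host/<current hostname>. Not strict: every key in the keytab.
    accepted = own if strict else principals
    return {
        "strict": strict,
        "has_own_host_key": bool(own),
        "accepted": accepted,
        "non_host_accepted": [p for p in accepted if not p.lower().startswith("host/")],
    }

if __name__ == "__main__":
    for key, value in audit(SSHD_CONFIG, KLIST_OUTPUT, "dc1.example.test").items():
        print(f"{key}: {value}")
```

A non-empty `non_host_accepted` list shows the side effect of the workaround: keys for other services in the same keytab also become valid acceptor identities for sshd.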