Hi,

I'm having a problem with ssh and sssd in a samba4 ad environment.

If I log on to a linux client everything works fine. When entering klist I'm able
to see my ticket. When I try to connect/log on to another linux client with ssh
it is possible, but klist shows:
klist: Credentials cache file '/run/user/$UID$/krb5cc/tkt' not found.

So the ticket cache is not created during logon.

I'm using sssd with the following sssd.conf:

[sssd]
services = nss, pam
config_file_version = 2
domains = $DOMAINNAME$

[nss]

[pam]

[domain/$DOMAINNAME$]
id_provider = ad
access_provider = ad
ldap_id_mapping=false
krb5_keytab=/etc/krb5.keytab

And sshd with the following sshd_config:

AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck no
GSSAPIStoreCredentialsOnRekey yes
UsePAM yes
X11Forwarding yes
UseDNS no
Subsystem sftp /usr/lib/ssh/sftp-server
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL

/etc/pam.d/sshd directs to the default pam.d configurations.

--
Kind regards
Andreas Hauffe
On 26/02/15 15:21, Andreas Hauffe wrote:
> Hi,
>
> I'm having a problem with ssh and sssd in a samba4 ad environment.
>
> If I log on to a linux client everything works fine. When entering klist I'm able
> to see my ticket. When I try to connect/log on to another linux client with ssh
> it is possible, but klist shows:
> klist: Credentials cache file '/run/user/$UID$/krb5cc/tkt' not found.
>
> So the ticket cache is not created during logon.
>
> I'm using sssd with the following sssd.conf:
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = $DOMAINNAME$
>
> [nss]
>
> [pam]
>
> [domain/$DOMAINNAME$]
> id_provider = ad
> access_provider = ad
> ldap_id_mapping=false
> krb5_keytab=/etc/krb5.keytab
>
> And sshd with the following sshd_config:
>
> AuthorizedKeysFile .ssh/authorized_keys
> PasswordAuthentication no
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> GSSAPIStrictAcceptorCheck no
> GSSAPIStoreCredentialsOnRekey yes
> UsePAM yes
> X11Forwarding yes
> UseDNS no
> Subsystem sftp /usr/lib/ssh/sftp-server
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL
>
> /etc/pam.d/sshd directs to the default pam.d configurations.
>

Hi, neither 'ssh' nor 'sssd' has anything to do with samba, but just a hint:
remove 'UseDNS no', kerberos depends on dns.

If this doesn't work, you may get more help on the sssd mailing list.

Rowland
On Thu, 26 Feb 2015, Andreas Hauffe wrote:
> If I log on to a linux client everything works fine. When entering klist I'm able
> to see my ticket. When I try to connect/log on to another linux client with ssh
> it is possible, but klist shows:
> klist: Credentials cache file '/run/user/$UID$/krb5cc/tkt' not found.
>
> So the ticket cache is not created during logon.

You need to add the following to your ssh client config (either
/etc/ssh/ssh_config or ~/.ssh/config):

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

You can replace the * with your domain, but then you'll have to log into hosts
using the full DNS name (as Rowland mentioned, DNS matters, though UseDNS in
sshd doesn't seem to have any effect for me in this case.)
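The scoped variant of the client config suggested above, as an added example that is not part of any message in this thread: delegation forwards the user's TGT to the remote host, so it is enabled only for hosts matched by the AD domain and left off for everything else. The domain name `ad.example.com` is a placeholder for the poster's $DOMAINNAME$.

```sshconfig
# ~/.ssh/config or /etc/ssh/ssh_config (client side)

# Hosts in the AD domain: authenticate with the existing Kerberos ticket
# and forward (delegate) the TGT so a credential cache exists on the
# remote host and klist works after login.  Requires connecting by the
# full DNS name (ssh host1.ad.example.com), since the match is on the
# name given on the command line.  ad.example.com is a placeholder.
Host *.ad.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

# Everything else: no Kerberos delegation, so a host outside the domain
# never receives a copy of the TGT.
Host *
    GSSAPIAuthentication no
    GSSAPIDelegateCredentials no
```

After connecting, `klist` on the remote host should list the forwarded krbtgt entry; if the cache is still missing, check that the remote sshd keeps GSSAPIAuthentication yes and that the client resolved the host under its domain name.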