Hi,

at first I'm not sure if this is the correct list to ask this question. But since I'm using winbind I hope you can help me.

I try to realize a kerberized ssh from one client to another. Both clients are members of subdom2.subdom1.example.de and joined to it. The users are from example.de, where subdom1.example.de is a subdomain (bidirectional trust) of example.de and subdom2.subdom1.example.de is a subdomain (bidirectional trust) of subdom1.example.de.

When I try to ssh to a client I'm getting the service ticket for the client. But it still prompts the password question.

On the ssh-client side I'm getting the following SSH debug information:

...> KRB5_TRACE=/dev/stdout ssh -vvv computer1
OpenSSH_7.2p2, OpenSSL 1.0.2j-fips 26 Sep 2016
debug1: Reading configuration data /home/user1/.ssh/config
debug1: /home/user1/.ssh/config line 17: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 25: Applying options for *
debug2: resolving "computer1" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to computer1 [141.30.156.36] port 22.
debug1: Connection established.
debug1: identity file /home/user1/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to computer1:22 as 'EXAMPLE+user1'
debug3: hostkeys_foreach: reading file "/home/user1/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/user1/.ssh/known_hosts:60
debug3: load_hostkeys: loaded 1 keys from computer1
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256@libssh.org need=64 dh_need=64
debug1: kex: curve25519-sha256@libssh.org need=64 dh_need=64
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:7/AZTZcLAybma0tYTXNTStak01rfYk/r17XmQO1djso
debug3: hostkeys_foreach: reading file "/home/user1/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/user1/.ssh/known_hosts:60
debug3: load_hostkeys: loaded 1 keys from computer1
debug3: hostkeys_foreach: reading file "/home/user1/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/user1/.ssh/known_hosts:59
debug3: load_hostkeys: loaded 1 keys from 141.30.156.36
debug1: Host 'computer1' is known and matches the ECDSA host key.
debug1: Found key in /home/user1/.ssh/known_hosts:60
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug2: key: /home/user1/.ssh/id_rsa (0x55c3125896b0), agent
debug2: key: /home/user1/.ssh/id_dsa ((nil))
debug2: key: /home/user1/.ssh/id_ecdsa ((nil))
debug2: key: /home/user1/.ssh/id_ed25519 ((nil))
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 141.30.156.36.
[6355] 1509525451.837186: Convert service host (service with host as instance) on host computer1.subdom2.subdom1.example.de to principal
[6355] 1509525451.837196: Remote host after forward canonicalization: computer1.subdom2.subdom1.example.de
[6355] 1509525451.837202: Remote host after reverse DNS processing: computer1.subdom2.subdom1.example.de
[6355] 1509525451.837219: Got service principal host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE
[6355] 1509525451.837375: ccselect can't find appropriate cache for server principal host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE
[6355] 1509525451.837411: Getting credentials user1@EXAMPLE.DE -> host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE using ccache FILE:/tmp/krb5cc_103321
[6355] 1509525451.837451: Retrieving user1@EXAMPLE.DE -> host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE from FILE:/tmp/krb5cc_103321 with result: 0/Success
[6355] 1509525451.837493: Creating authenticator for user1@EXAMPLE.DE -> host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE, seqnum 538127167, subkey aes256-cts/9E2E, session key aes256-cts/2C72
debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 60
debug1: Delegating credentials
[6355] 1509525451.838235: Convert service host (service with host as instance) on host computer1.subdom2.subdom1.example.de to principal
[6355] 1509525451.838244: Remote host after forward canonicalization: computer1.subdom2.subdom1.example.de
[6355] 1509525451.838248: Remote host after reverse DNS processing: computer1.subdom2.subdom1.example.de
[6355] 1509525451.838269: Got service principal host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE
[6355] 1509525451.838406: ccselect can't find appropriate cache for server principal host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE
[6355] 1509525451.838431: Getting credentials user1@EXAMPLE.DE -> host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE using ccache FILE:/tmp/krb5cc_103321
[6355] 1509525451.838457: Retrieving user1@EXAMPLE.DE -> host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE from FILE:/tmp/krb5cc_103321 with result: 0/Success
[6355] 1509525451.838506: Retrieving user1@EXAMPLE.DE -> krbtgt/EXAMPLE.DE@EXAMPLE.DE from FILE:/tmp/krb5cc_103321 with result: 0/Success
[6355] 1509525451.838542: Get cred via TGT krbtgt/EXAMPLE.DE@EXAMPLE.DE after requesting krbtgt/EXAMPLE.DE@EXAMPLE.DE (canonicalize off)
[6355] 1509525451.838552: Generated subkey for TGS request: aes256-cts/6A11
[6355] 1509525451.838577: etypes requested in TGS request: aes256-cts
[6355] 1509525451.838619: Encoding request body and padata into FAST request
[6355] 1509525451.838661: Sending request (2761 bytes) to EXAMPLE.DE
[6355] 1509525451.839682: Resolving hostname domdc8.example.de.
[6355] 1509525451.839691: Resolving hostname domdc6.example.de.
[6355] 1509525451.839694: Resolving hostname domdc7.example.de.
[6355] 1509525451.839697: Resolving hostname domdc5.example.de.
[6355] 1509525451.839699: Resolving hostname domdc8.example.de.
[6355] 1509525451.839711: Initiating TCP connection to stream 172.26.40.8:88
[6355] 1509525451.840669: Sending TCP request to stream 172.26.40.8:88
[6355] 1509525451.842021: Received answer (2706 bytes) from stream 172.26.40.8:88
[6355] 1509525451.842449: Response was not from master KDC
[6355] 1509525451.842459: Decoding FAST response
[6355] 1509525451.842515: FAST reply key: aes256-cts/4A19
[6355] 1509525451.842535: TGS reply is for user1@EXAMPLE.DE -> krbtgt/EXAMPLE.DE@EXAMPLE.DE with session key aes256-cts/4A0D
[6355] 1509525451.842549: Got cred; 0/Success
[6355] 1509525451.842596: Creating authenticator for user1@EXAMPLE.DE -> host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE, seqnum 334735312, subkey aes256-cts/4AE2, session key aes256-cts/2C72
debug3: send packet: type 61
debug3: receive packet: type 61
debug1: Delegating credentials
[6355] 1509525451.848142: Convert service host (service with host as instance) on host computer1.subdom2.subdom1.example.de to principal
[6355] 1509525451.848152: Remote host after forward canonicalization: computer1.subdom2.subdom1.example.de
[6355] 1509525451.848156: Remote host after reverse DNS processing: computer1.subdom2.subdom1.example.de
[6355] 1509525451.848166: Got service principal host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE
[6355] 1509525451.848207: Read AP-REP, time 1509525445.842599, subkey aes256-cts/5EEA, seqnum 91190375
debug3: send packet: type 66
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
[6355] 1509525451.849839: Convert service host (service with host as instance) on host computer1.subdom2.subdom1.example.de to principal
[6355] 1509525451.849848: Remote host after forward canonicalization: computer1.subdom2.subdom1.example.de
[6355] 1509525451.849853: Remote host after reverse DNS processing: computer1.subdom2.subdom1.example.de
[6355] 1509525451.849864: Got service principal host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE
[6355] 1509525451.849970: ccselect can't find appropriate cache for server principal host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE
[6355] 1509525451.849995: Getting credentials user1@EXAMPLE.DE -> host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE using ccache FILE:/tmp/krb5cc_103321
[6355] 1509525451.850020: Retrieving user1@EXAMPLE.DE -> host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE from FILE:/tmp/krb5cc_103321 with result: 0/Success
[6355] 1509525451.850048: Creating authenticator for user1@EXAMPLE.DE -> host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE, seqnum 814792577, subkey aes256-cts/77C2, session key aes256-cts/2C72
debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
[6355] 1509525451.850462: Convert service host (service with host as instance) on host computer1.subdom2.subdom1.example.de to principal
[6355] 1509525451.850467: Remote host after forward canonicalization: computer1.subdom2.subdom1.example.de
[6355] 1509525451.850470: Remote host after reverse DNS processing: computer1.subdom2.subdom1.example.de
[6355] 1509525451.850476: Got service principal host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE
[6355] 1509525451.850547: ccselect can't find appropriate cache for server principal host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE
[6355] 1509525451.850569: Getting credentials user1@EXAMPLE.DE -> host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE using ccache FILE:/tmp/krb5cc_103321
[6355] 1509525451.850591: Retrieving user1@EXAMPLE.DE -> host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE from FILE:/tmp/krb5cc_103321 with result: 0/Success
[6355] 1509525451.850611: Creating authenticator for user1@EXAMPLE.DE -> host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE, seqnum 1044832357, subkey aes256-cts/7DD3, session key aes256-cts/2C72
debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
[6355] 1509525451.851143: Convert service host (service with host as instance) on host computer1.subdom2.subdom1.example.de to principal
[6355] 1509525451.851147: Remote host after forward canonicalization: computer1.subdom2.subdom1.example.de
[6355] 1509525451.851150: Remote host after reverse DNS processing: computer1.subdom2.subdom1.example.de
[6355] 1509525451.851156: Got service principal host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE
[6355] 1509525451.851226: ccselect can't find appropriate cache for server principal host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE
[6355] 1509525451.851284: Getting credentials user1@EXAMPLE.DE -> host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE using ccache FILE:/tmp/krb5cc_103321
[6355] 1509525451.851306: Retrieving user1@EXAMPLE.DE -> host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE from FILE:/tmp/krb5cc_103321 with result: 0/Success
[6355] 1509525451.851336: Getting credentials user1@EXAMPLE.DE -> host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE using ccache FILE:/tmp/krb5cc_103321
[6355] 1509525451.851355: Retrieving user1@EXAMPLE.DE -> host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE from FILE:/tmp/krb5cc_103321 with result: 0/Success
[6355] 1509525451.851374: Creating authenticator for user1@EXAMPLE.DE -> host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE, seqnum 933888914, subkey aes256-cts/B654, session key aes256-cts/2C72
debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/user1/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Trying private key: /home/user1/.ssh/id_dsa
debug3: no such identity: /home/user1/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/user1/.ssh/id_ecdsa
debug3: no such identity: /home/user1/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/user1/.ssh/id_ed25519
debug3: no such identity: /home/user1/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:

On the sshd-server side:

debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 530
debug2: parse_server_config: config /etc/ssh/sshd_config len 530
debug3: /etc/ssh/sshd_config:59 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /etc/ssh/sshd_config:77 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:90 setting GSSAPIAuthentication yes
debug3: /etc/ssh/sshd_config:91 setting GSSAPICleanupCredentials yes
debug3: /etc/ssh/sshd_config:104 setting UsePAM yes
debug3: /etc/ssh/sshd_config:109 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:118 setting UsePrivilegeSeparation no
debug3: /etc/ssh/sshd_config:134 setting Subsystem sftp /usr/lib/ssh/sftp-server
debug3: /etc/ssh/sshd_config:137 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
debug3: /etc/ssh/sshd_config:138 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
debug3: /etc/ssh/sshd_config:139 setting AcceptEnv LC_IDENTIFICATION LC_ALL
debug1: sshd version OpenSSH_7.2, OpenSSL 1.0.2j-fips 26 Sep 2016
debug1: private host key #0: ssh-rsa SHA256:1j6kb5tgv9SOPXFk1t2MYS7AHAoXvNAz8sLdnhS/NsM
debug1: private host key #1: ssh-dss SHA256:Uhux8JTTAoVerZphmCGBCGVswPSXMZQnUxjnIfN0cPU
debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:7/AZTZcLAybma0tYTXNTStak01rfYk/r17XmQO1djso
debug1: private host key #3: ssh-ed25519 SHA256:gpAG0xdH9KcJZS3/3p7516k+5sC6A5Y02/1K+PhZ2Fc
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='2233'
debug3: oom_adjust_setup
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 2233 on 0.0.0.0.
Server listening on 0.0.0.0 port 2233.
debug2: fd 4 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
debug1: Bind to port 2233 on ::.
Server listening on :: port 2233.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 530
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 141.30.156.114 port 45018 on 141.30.156.36 port 2233
debug1: Client protocol version 2.0; client software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug2: fd 3 setting O_NONBLOCK
debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256@libssh.org need=64 dh_need=64
debug1: kex: curve25519-sha256@libssh.org need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_INIT
debug3: receive packet: type 30
debug3: send packet: type 31
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: send packet: type 7
debug3: receive packet: type 21
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug3: receive packet: type 5
debug3: send packet: type 6
debug3: receive packet: type 50
debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method none
debug1: attempt 0 failures 0
debug2: parse_server_config: config reprocess config len 530
debug2: input_userauth_request: setting up authctxt for EXAMPLE+user1
debug1: PAM: initializing for "EXAMPLE+user1"
debug1: PAM: setting PAM_RHOST to "141.30.156.114"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: input_userauth_request: try method none
Failed none for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
debug3: send packet: type 51
debug3: receive packet: type 50
debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method gssapi-with-mic
debug3: send packet: type 60
Postponed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
debug3: receive packet: type 61
debug1: Received some client credentials
debug3: send packet: type 61
debug3: receive packet: type 66
Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
debug3: send packet: type 51
debug3: receive packet: type 50
debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method gssapi-with-mic
debug1: attempt 2 failures 1
debug2: input_userauth_request: try method gssapi-with-mic
Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
debug3: send packet: type 51
debug3: receive packet: type 50
debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method gssapi-with-mic
debug1: attempt 3 failures 1
debug2: input_userauth_request: try method gssapi-with-mic
Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
debug3: send packet: type 51
debug3: receive packet: type 50
debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method gssapi-with-mic
debug1: attempt 4 failures 1
debug2: input_userauth_request: try method gssapi-with-mic
Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
debug3: send packet: type 51
debug3: receive packet: type 50
debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method publickey
debug1: attempt 5 failures 1
debug2: input_userauth_request: try method publickey
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:PYcpC+MW8MGt1dXFFm9qebnkNkmClIpsaUTBR/Wzym8
debug1: temporarily_use_uid: 103321/10513 (e=0/0)
debug1: trying public key file /home/user1/.ssh/authorized_keys
debug1: Could not open authorized keys '/home/user1/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-512
Failed publickey for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
debug3: send packet: type 51
debug3: receive packet: type 50
debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method keyboard-interactive
debug1: attempt 6 failures 2
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=EXAMPLE+user1 devs
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices <empty>
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: PAM: sshpam_init_ctx entering
debug3: PAM: sshpam_query entering
debug3: ssh_msg_recv entering
debug3: PAM: sshpam_thread_conv entering, 1 messages
debug3: ssh_msg_send: type 1
debug3: ssh_msg_recv entering
debug3: send packet: type 60
Postponed keyboard-interactive for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2

smb.conf:

[global]
netbios name = computer1
security = ADS
workgroup = SUBDOM2
realm = SUBDOM2.SUBDOM1.EXAMPLE.DE
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
template homedir = /home/%U
template shell = /bin/bash
winbind separator = +
idmap config * : backend = tdb
idmap config * : range = 2000-2999
idmap config SUBDOM2 : backend = rid
idmap config SUBDOM2 : range = 3000-9999          # UID from RID for ILRW
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-9999999      # UID from RID for DOM

krb5.conf:

[libdefaults]
default_realm = SUBDOM2.SUBDOM1.EXAMPLE.DE
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
EXAMPLE.DE = {
    auth_to_local = RULE:[1:EXAMPLE+$1]
}
SUBDOM1.EXAMPLE.DE = {
    auth_to_local = RULE:[1:SUBDOM1+$1]
}
SUBDOM2.SUBDOM1.EXAMPLE.DE = {
    auth_to_local = RULE:[1:SUBDOM2+$1]
}

[domain_realm]
.subdom2.subdom1.example.de = SUBDOM2.SUBDOM1.EXAMPLE.DE
subdom2.subdom1.example.de = SUBDOM2.SUBDOM1.EXAMPLE.DE
.subdom1.example.de = SUBDOM1.EXAMPLE.DE
subdom1.example.de = SUBDOM1.EXAMPLE.DE
.example.de = EXAMPLE.DE
example.de = EXAMPLE.DE

[capaths]
SUBDOM2.SUBDOM1.EXAMPLE.DE = {
    SUBDOM1.EXAMPLE.DE = .
    EXAMPLE.DE = SUBDOM1.EXAMPLE.DE
}
SUBDOM1.EXAMPLE.DE = {
    SUBDOM2.SUBDOM1.EXAMPLE.DE = .
    EXAMPLE.DE = .
}
EXAMPLE.DE = {
    SUBDOM1.EXAMPLE.DE = .
    SUBDOM2.SUBDOM1.EXAMPLE.DE = SUBDOM1.EXAMPLE.DE
}

[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:DEBUG:DAEMON

sshd_config:

AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding yes
Subsystem sftp /usr/lib/ssh/sftp-server
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
Ac ceptEnv LC_IDENTIFICATION LC_ALL

-- 
Regards,
Andreas
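Added example (not code from the post above, nor from OpenSSH or Samba): a small Python triage for exactly this pair of traces. It walks the markers that `ssh -vvv` with KRB5_TRACE and `sshd -ddd` emit, in order, and reports at which of three stages the gssapi-with-mic login stopped: no host/ ticket in the ccache, a ticket that sshd did not accept (no AP-REP comes back), or a completed context whose SSH_MSG_USERAUTH_GSSAPI_MIC (message 66) is answered with USERAUTH_FAILURE (51). The third case is where sshd asks the krb5 mechanism (krb5_kuserok: a .k5login file or the auth_to_local rules) whether the principal may log in as the requested account, so it points at name mapping on the target host rather than at the KDC, the trust path or the keytab. The two sample traces inside the block are constructed from the decisive lines of the traces in this thread, with the list archive's "at" munging turned back into "@".

```python
"""Stage triage for an OpenSSH gssapi-with-mic login from `ssh -vvv`
(with KRB5_TRACE) and `sshd -ddd` output. Added example, not code from
the thread, OpenSSH or Samba. Verdicts:
  no_service_ticket        no host/<fqdn>@REALM ticket came out of the ccache
  context_not_established  ticket sent, but no AP-REP came back from sshd
                           (keytab, SPN, clock or DNS name problem)
  user_mapping_rejected    mutual auth completed, then sshd answered the
                           GSSAPI MIC (msg 66) with USERAUTH_FAILURE (51):
                           the krb5 user mapping (krb5_kuserok) said no
"""
import re
from dataclasses import dataclass
from typing import Optional

CLIENT_EVENTS = re.compile(
    r"Retrieving (?P<client>\S+) -> (?P<service>host/\S+) from \S+ with result: 0/Success"
    r"|(?P<aprep>Read AP-REP)"
    r"|(?P<dir>send|receive) packet: type (?P<code>\d+)"
)
SERVER_EVENTS = re.compile(
    r"userauth-request for user (?P<login>\S+) service ssh-connection method gssapi-with-mic"
    r"|(?P<ctx>Received some client credentials)"
    r"|(?P<fail>Failed gssapi-with-mic)"
    r"|(?P<ok>Accepted gssapi-with-mic)"
)


@dataclass
class Triage:
    client_principal: Optional[str] = None
    service_principal: Optional[str] = None
    login_name: Optional[str] = None       # Unix account sshd was asked for
    ticket_in_ccache: bool = False
    ap_rep_read: bool = False              # sshd accepted the AP-REQ (mutual auth)
    mic_reply: Optional[int] = None        # SSH message type answering the MIC
    server_got_delegation: bool = False    # only logged once the context is complete
    server_failed: bool = False
    server_accepted: bool = False
    verdict: str = "undetermined"


def triage(client_log: str, server_log: str = "") -> Triage:
    """Walk both traces in order and decide where the Kerberos login stopped."""
    t = Triage()
    awaiting_mic_reply = False
    # Matching the whole text (not line by line) keeps this usable on
    # list-archive pastes where every debug line was run together.
    for m in CLIENT_EVENTS.finditer(client_log):
        if m.group("service"):
            t.client_principal, t.service_principal = m.group("client"), m.group("service")
            t.ticket_in_ccache = True
        elif m.group("aprep"):
            t.ap_rep_read = True
        else:
            code = int(m.group("code"))
            if m.group("dir") == "send" and code == 66:      # SSH_MSG_USERAUTH_GSSAPI_MIC
                awaiting_mic_reply = True
            elif m.group("dir") == "receive" and awaiting_mic_reply:
                t.mic_reply = code                            # 51 failure, 52 success
                awaiting_mic_reply = False
    for m in SERVER_EVENTS.finditer(server_log):
        if m.group("login"):
            t.login_name = m.group("login")
        elif m.group("ctx"):
            t.server_got_delegation = True
        elif m.group("fail"):
            t.server_failed = True
        elif m.group("ok"):
            t.server_accepted = True
    context_ok = t.ap_rep_read or t.server_got_delegation
    if t.server_accepted or t.mic_reply == 52:
        t.verdict = "success"
    elif client_log and not t.ticket_in_ccache:
        t.verdict = "no_service_ticket"
    elif not context_ok:
        t.verdict = "context_not_established"
    elif t.mic_reply == 51 or t.server_failed:
        t.verdict = "user_mapping_rejected"
    return t


# Constructed input: the decisive lines of the two traces in this thread,
# with the archive's "at" munging turned back into "@".
CLIENT_EXCERPT = """\
debug1: Next authentication method: gssapi-with-mic
[6355] 1509525451.837451: Retrieving user1@EXAMPLE.DE -> host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE from FILE:/tmp/krb5cc_103321 with result: 0/Success
debug3: send packet: type 50
debug3: receive packet: type 60
debug1: Delegating credentials
debug3: send packet: type 61
debug3: receive packet: type 61
[6355] 1509525451.848207: Read AP-REP, time 1509525445.842599, subkey aes256-cts/5EEA, seqnum 91190375
debug3: send packet: type 66
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
"""
SERVER_EXCERPT = """\
debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method gssapi-with-mic
Postponed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
debug3: receive packet: type 61
debug1: Received some client credentials
debug3: receive packet: type 66
Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
"""

if __name__ == "__main__":
    result = triage(CLIENT_EXCERPT, SERVER_EXCERPT)
    print(f"{result.client_principal} -> {result.login_name}: {result.verdict}")
```

Run against the traces above it reports `user1@EXAMPLE.DE -> EXAMPLE+user1: user_mapping_rejected`: the client already had the host/ ticket in its ccache, sshd returned an AP-REP and processed the delegated credentials, and only the MIC step was refused. The `Read AP-REP` marker relies on OpenSSH requesting mutual authentication, which it does by default; the `Received some client credentials` marker only appears when the client delegated credentials, so the server-side fallback is used when no client trace is available.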
I can suggest a few things. krb5.conf ( if you use nfsv4 with kerberized mounts _ [libdefaults] ignore_k5login = true in But, it does not look like it in you logs your useing kerberized mounts. Im missing in SSHD_config : UseDNS yes And the defaults : # GSSAPI options GSSAPIAuthentication yes GSSAPICleanupCredentials yes Are sufficient for a normal ssh kerberized login. Optional, depending on the use of your server, and if you SSH supports it. ( use man sshd_config to look the up ) GSSAPIStrictAcceptorCheck yes GSSAPIKeyExchange yes GSSAPIStoreCredentialsOnRekey yes I assume, that, server and client do have A and PTR records AND both servers have nfs/FQDN at REALM in the keytab. Postponed keyboard-interactive for EXAMPLE+user1 from 141.30.156.114 That looks to me the UseDNS yes, may solve it if its keytab/resolving related. If not, then i would try first to change the winbind separator winbind separator = + to \ ( and correct krb5.conf also ) I cant recall where i did read that, but that may solv it also. If these did not fix it, post the following please. You OS and samba version. cat /etc/resolv.conf cat /etc/hosts dig -x server_ip dig -x client_ip What i do on debian, is the following. Setup samba ( my configs, see my github howtos (github.com/thctlo/samba4 ) apt-get install ssh-krb5 pam-auth-update And i can use sso logins. So try above, and report back. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Andreas Hauffe via samba > Verzonden: woensdag 1 november 2017 9:59 > Aan: samba at lists.samba.org > Onderwerp: [Samba] Winbind, Kerberos, SSH and Single Sign On > > Hi, > > at first I'm not sure if this is the correct list to ask this > question. > But since I'm using winbind I hope you can help me. > > I try to realize a kerberized ssh from one client to another. Both > clients are member of subdom2.subdom1.example.de and joined > to it. 
The > users are from example.de, where subdom1.example.de is a subdomain > (bidirectional trust) of example.de and > subdom2.subdom1.example.de is a > subdomain (bidirectional trust) of subdom1.example.de. > > When I try to ssh to a client I'm getting the service ticket for the > client. But it still prompts the password question. > > On the ssh-client side I'm getting the following SSH debug > information: > > ...> KRB5_TRACE=/dev/stdout ssh -vvv computer1 > OpenSSH_7.2p2, OpenSSL 1.0.2j-fips 26 Sep 2016 > debug1: Reading configuration data /home/user1/.ssh/config > debug1: /home/user1/.ssh/config line 17: Applying options for * > debug1: Reading configuration data /etc/ssh/ssh_config > debug1: /etc/ssh/ssh_config line 25: Applying options for * > debug2: resolving "computer1" port 22 > debug2: ssh_connect_direct: needpriv 0 > debug1: Connecting to computer1 [141.30.156.36] port 22. > debug1: Connection established. > debug1: identity file /home/user1/.ssh/id_rsa type 1 > debug1: key_load_public: No such file or directory > debug1: identity file /home/user1/.ssh/id_rsa-cert type -1 > debug1: key_load_public: No such file or directory > debug1: identity file /home/user1/.ssh/id_dsa type -1 > debug1: key_load_public: No such file or directory > debug1: identity file /home/user1/.ssh/id_dsa-cert type -1 > debug1: key_load_public: No such file or directory > debug1: identity file /home/user1/.ssh/id_ecdsa type -1 > debug1: key_load_public: No such file or directory > debug1: identity file /home/user1/.ssh/id_ecdsa-cert type -1 > debug1: key_load_public: No such file or directory > debug1: identity file /home/user1/.ssh/id_ed25519 type -1 > debug1: key_load_public: No such file or directory > debug1: identity file /home/user1/.ssh/id_ed25519-cert type -1 > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_7.2 > debug1: Remote protocol version 2.0, remote software version > OpenSSH_7.2 > debug1: match: OpenSSH_7.2 pat 
OpenSSH* compat 0x04000000 > debug2: fd 3 setting O_NONBLOCK > debug1: Authenticating to computer1:22 as 'EXAMPLE+user1' > debug3: hostkeys_foreach: reading file "/home/user1/.ssh/known_hosts" > debug3: record_hostkey: found key type ECDSA in file > /home/user1/.ssh/known_hosts:60 > debug3: load_hostkeys: loaded 1 keys from computer1 > debug3: order_hostkeyalgs: prefer hostkeyalgs: > ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-c > ert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,e > cdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 > debug3: send packet: type 20 > debug1: SSH2_MSG_KEXINIT sent > debug3: receive packet: type 20 > debug1: SSH2_MSG_KEXINIT received > debug2: local client KEXINIT proposal > debug2: KEX algorithms: > curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nist > p384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,d > iffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1, > ext-info-c > debug2: host key algorithms: > ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-c > ert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,e > cdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh > -ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh > -dss-cert-v01 at openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-25 > 6,ssh-rsa,ssh-dss > debug2: ciphers ctos: > chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr > ,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes1 > 92-cbc,aes256-cbc,3des-cbc > debug2: ciphers stoc: > chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr > ,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes1 > 92-cbc,aes256-cbc,3des-cbc > debug2: MACs ctos: > umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256 > -etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at o > penssh.com,umac-64 at openssh.com,umac-128 at 
openssh.com,hmac-sha2- > 256,hmac-sha2-512,hmac-sha1 > debug2: MACs stoc: > umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256 > -etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at o > penssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2- > 256,hmac-sha2-512,hmac-sha1 > debug2: compression ctos: none,zlib at openssh.com > debug2: compression stoc: none,zlib at openssh.com > debug2: languages ctos: > debug2: languages stoc: > debug2: first_kex_follows 0 > debug2: reserved 0 > debug2: peer server KEXINIT proposal > debug2: KEX algorithms: > curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nist > p384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,d > iffie-hellman-group14-sha1 > debug2: host key algorithms: > ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256, > ssh-ed25519 > debug2: ciphers ctos: > chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr > ,aes128-gcm at openssh.com,aes256-gcm at openssh.com > debug2: ciphers stoc: > chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr > ,aes128-gcm at openssh.com,aes256-gcm at openssh.com > debug2: MACs ctos: > umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256 > -etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at o > penssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2- > 256,hmac-sha2-512,hmac-sha1 > debug2: MACs stoc: > umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256 > -etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at o > penssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2- > 256,hmac-sha2-512,hmac-sha1 > debug2: compression ctos: none,zlib at openssh.com > debug2: compression stoc: none,zlib at openssh.com > debug2: languages ctos: > debug2: languages stoc: > debug2: first_kex_follows 0 > debug2: reserved 0 > debug1: kex: algorithm: curve25519-sha256 at libssh.org > debug1: kex: host key algorithm: 
ecdsa-sha2-nistp256 > debug1: kex: server->client cipher: > chacha20-poly1305 at openssh.com MAC: > <implicit> compression: none > debug1: kex: client->server cipher: > chacha20-poly1305 at openssh.com MAC: > <implicit> compression: none > debug1: kex: curve25519-sha256 at libssh.org need=64 dh_need=64 > debug1: kex: curve25519-sha256 at libssh.org need=64 dh_need=64 > debug3: send packet: type 30 > debug1: expecting SSH2_MSG_KEX_ECDH_REPLY > debug3: receive packet: type 31 > debug1: Server host key: ecdsa-sha2-nistp256 > SHA256:7/AZTZcLAybma0tYTXNTStak01rfYk/r17XmQO1djso > debug3: hostkeys_foreach: reading file "/home/user1/.ssh/known_hosts" > debug3: record_hostkey: found key type ECDSA in file > /home/user1/.ssh/known_hosts:60 > debug3: load_hostkeys: loaded 1 keys from computer1 > debug3: hostkeys_foreach: reading file "/home/user1/.ssh/known_hosts" > debug3: record_hostkey: found key type ECDSA in file > /home/user1/.ssh/known_hosts:59 > debug3: load_hostkeys: loaded 1 keys from 141.30.156.36 > debug1: Host 'computer1' is known and matches the ECDSA host key. 
> debug1: Found key in /home/user1/.ssh/known_hosts:60 > debug3: send packet: type 21 > debug2: set_newkeys: mode 1 > debug1: rekey after 134217728 blocks > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug3: receive packet: type 21 > debug2: set_newkeys: mode 0 > debug1: rekey after 134217728 blocks > debug1: SSH2_MSG_NEWKEYS received > debug2: key: /home/user1/.ssh/id_rsa (0x55c3125896b0), agent > debug2: key: /home/user1/.ssh/id_dsa ((nil)) > debug2: key: /home/user1/.ssh/id_ecdsa ((nil)) > debug2: key: /home/user1/.ssh/id_ed25519 ((nil)) > debug3: send packet: type 5 > debug3: receive packet: type 7 > debug1: SSH2_MSG_EXT_INFO received > debug1: kex_input_ext_info: > server-sig-algs=<rsa-sha2-256,rsa-sha2-512> > debug3: receive packet: type 6 > debug2: service_accept: ssh-userauth > debug1: SSH2_MSG_SERVICE_ACCEPT received > debug3: send packet: type 50 > debug3: receive packet: type 51 > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive > debug3: start over, passed a different list > publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive > debug3: preferred > gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password > debug3: authmethod_lookup gssapi-keyex > debug3: remaining preferred: > gssapi-with-mic,publickey,keyboard-interactive,password > debug3: authmethod_is_enabled gssapi-keyex > debug1: Next authentication method: gssapi-keyex > debug1: No valid Key exchange context > debug2: we did not send a packet, disable method > debug3: authmethod_lookup gssapi-with-mic > debug3: remaining preferred: publickey,keyboard-interactive,password > debug3: authmethod_is_enabled gssapi-with-mic > debug1: Next authentication method: gssapi-with-mic > debug3: Trying to reverse map address 141.30.156.36. 
> [6355] 1509525451.837186: Convert service host (service with host as > instance) on host computer1.subdom2.subdom1.example.de to principal > [6355] 1509525451.837196: Remote host after forward canonicalization: > computer1.subdom2.subdom1.example.de > [6355] 1509525451.837202: Remote host after reverse DNS processing: > computer1.subdom2.subdom1.example.de > [6355] 1509525451.837219: Got service principal > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE > [6355] 1509525451.837375: ccselect can't find appropriate cache for > server principal > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE > [6355] 1509525451.837411: Getting credentials user1 at EXAMPLE.DE -> > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE > using ccache FILE:/tmp/krb5cc_103321 > [6355] 1509525451.837451: Retrieving user1 at EXAMPLE.DE -> > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE > from FILE:/tmp/krb5cc_103321 with result: 0/Success > [6355] 1509525451.837493: Creating authenticator for > user1 at EXAMPLE.DE -> > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE, > seqnum 538127167, subkey aes256-cts/9E2E, session key aes256-cts/2C72 > debug3: send packet: type 50 > debug2: we sent a gssapi-with-mic packet, wait for reply > debug3: receive packet: type 60 > debug1: Delegating credentials > [6355] 1509525451.838235: Convert service host (service with host as > instance) on host computer1.subdom2.subdom1.example.de to principal > [6355] 1509525451.838244: Remote host after forward canonicalization: > computer1.subdom2.subdom1.example.de > [6355] 1509525451.838248: Remote host after reverse DNS processing: > computer1.subdom2.subdom1.example.de > [6355] 1509525451.838269: Got service principal > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE > [6355] 1509525451.838406: ccselect can't find appropriate cache for > server principal > 
host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE > [6355] 1509525451.838431: Getting credentials user1 at EXAMPLE.DE -> > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE > using ccache FILE:/tmp/krb5cc_103321 > [6355] 1509525451.838457: Retrieving user1 at EXAMPLE.DE -> > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE > from FILE:/tmp/krb5cc_103321 with result: 0/Success > [6355] 1509525451.838506: Retrieving user1 at EXAMPLE.DE -> > krbtgt/EXAMPLE.DE at EXAMPLE.DE from FILE:/tmp/krb5cc_103321 > with result: > 0/Success > [6355] 1509525451.838542: Get cred via TGT > krbtgt/EXAMPLE.DE at EXAMPLE.DE > after requesting krbtgt/EXAMPLE.DE at EXAMPLE.DE (canonicalize off) > [6355] 1509525451.838552: Generated subkey for TGS request: > aes256-cts/6A11 > [6355] 1509525451.838577: etypes requested in TGS request: aes256-cts > [6355] 1509525451.838619: Encoding request body and padata > into FAST request > [6355] 1509525451.838661: Sending request (2761 bytes) to EXAMPLE.DE > [6355] 1509525451.839682: Resolving hostname domdc8.example.de. > [6355] 1509525451.839691: Resolving hostname domdc6.example.de. > [6355] 1509525451.839694: Resolving hostname domdc7.example.de. > [6355] 1509525451.839697: Resolving hostname domdc5.example.de. > [6355] 1509525451.839699: Resolving hostname domdc8.example.de. 
> [6355] 1509525451.839711: Initiating TCP connection to stream > 172.26.40.8:88 > [6355] 1509525451.840669: Sending TCP request to stream 172.26.40.8:88 > [6355] 1509525451.842021: Received answer (2706 bytes) from stream > 172.26.40.8:88 > [6355] 1509525451.842449: Response was not from master KDC > [6355] 1509525451.842459: Decoding FAST response > [6355] 1509525451.842515: FAST reply key: aes256-cts/4A19 > [6355] 1509525451.842535: TGS reply is for user1 at EXAMPLE.DE -> > krbtgt/EXAMPLE.DE at EXAMPLE.DE with session key aes256-cts/4A0D > [6355] 1509525451.842549: Got cred; 0/Success > [6355] 1509525451.842596: Creating authenticator for > user1 at EXAMPLE.DE -> > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE, > seqnum 334735312, subkey aes256-cts/4AE2, session key aes256-cts/2C72 > debug3: send packet: type 61 > debug3: receive packet: type 61 > debug1: Delegating credentials > [6355] 1509525451.848142: Convert service host (service with host as > instance) on host computer1.subdom2.subdom1.example.de to principal > [6355] 1509525451.848152: Remote host after forward canonicalization: > computer1.subdom2.subdom1.example.de > [6355] 1509525451.848156: Remote host after reverse DNS processing: > computer1.subdom2.subdom1.example.de > [6355] 1509525451.848166: Got service principal > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE > [6355] 1509525451.848207: Read AP-REP, time 1509525445.842599, subkey > aes256-cts/5EEA, seqnum 91190375 > debug3: send packet: type 66 > debug3: receive packet: type 51 > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive > [6355] 1509525451.849839: Convert service host (service with host as > instance) on host computer1.subdom2.subdom1.example.de to principal > [6355] 1509525451.849848: Remote host after forward canonicalization: > computer1.subdom2.subdom1.example.de > [6355] 1509525451.849853: Remote host after reverse DNS 
processing: > computer1.subdom2.subdom1.example.de > [6355] 1509525451.849864: Got service principal > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE > [6355] 1509525451.849970: ccselect can't find appropriate cache for > server principal > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE > [6355] 1509525451.849995: Getting credentials user1 at EXAMPLE.DE -> > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE > using ccache FILE:/tmp/krb5cc_103321 > [6355] 1509525451.850020: Retrieving user1 at EXAMPLE.DE -> > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE > from FILE:/tmp/krb5cc_103321 with result: 0/Success > [6355] 1509525451.850048: Creating authenticator for > user1 at EXAMPLE.DE -> > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE, > seqnum 814792577, subkey aes256-cts/77C2, session key aes256-cts/2C72 > debug3: send packet: type 50 > debug2: we sent a gssapi-with-mic packet, wait for reply > debug3: receive packet: type 51 > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive > [6355] 1509525451.850462: Convert service host (service with host as > instance) on host computer1.subdom2.subdom1.example.de to principal > [6355] 1509525451.850467: Remote host after forward canonicalization: > computer1.subdom2.subdom1.example.de > [6355] 1509525451.850470: Remote host after reverse DNS processing: > computer1.subdom2.subdom1.example.de > [6355] 1509525451.850476: Got service principal > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE > [6355] 1509525451.850547: ccselect can't find appropriate cache for > server principal > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE > [6355] 1509525451.850569: Getting credentials user1 at EXAMPLE.DE -> > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE > using ccache 
FILE:/tmp/krb5cc_103321 > [6355] 1509525451.850591: Retrieving user1 at EXAMPLE.DE -> > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE > from FILE:/tmp/krb5cc_103321 with result: 0/Success > [6355] 1509525451.850611: Creating authenticator for > user1 at EXAMPLE.DE -> > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE, > seqnum 1044832357, subkey aes256-cts/7DD3, session key aes256-cts/2C72 > debug3: send packet: type 50 > debug2: we sent a gssapi-with-mic packet, wait for reply > debug3: receive packet: type 51 > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive > [6355] 1509525451.851143: Convert service host (service with host as > instance) on host computer1.subdom2.subdom1.example.de to principal > [6355] 1509525451.851147: Remote host after forward canonicalization: > computer1.subdom2.subdom1.example.de > [6355] 1509525451.851150: Remote host after reverse DNS processing: > computer1.subdom2.subdom1.example.de > [6355] 1509525451.851156: Got service principal > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE > [6355] 1509525451.851226: ccselect can't find appropriate cache for > server principal > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE > [6355] 1509525451.851284: Getting credentials user1 at EXAMPLE.DE -> > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE > using ccache FILE:/tmp/krb5cc_103321 > [6355] 1509525451.851306: Retrieving user1 at EXAMPLE.DE -> > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE > from FILE:/tmp/krb5cc_103321 with result: 0/Success > [6355] 1509525451.851336: Getting credentials user1 at EXAMPLE.DE -> > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE > using ccache FILE:/tmp/krb5cc_103321 > [6355] 1509525451.851355: Retrieving user1 at EXAMPLE.DE -> > host/computer1.subdom2.subdom1.example.de at 
SUBDOM2.SUBDOM1.EXAMPLE.DE > from FILE:/tmp/krb5cc_103321 with result: 0/Success > [6355] 1509525451.851374: Creating authenticator for > user1 at EXAMPLE.DE -> > host/computer1.subdom2.subdom1.example.de at SUBDOM2.SUBDOM1.EXAMPLE.DE, > seqnum 933888914, subkey aes256-cts/B654, session key aes256-cts/2C72 > debug3: send packet: type 50 > debug2: we sent a gssapi-with-mic packet, wait for reply > debug3: receive packet: type 51 > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive > debug2: we did not send a packet, disable method > debug3: authmethod_lookup publickey > debug3: remaining preferred: keyboard-interactive,password > debug3: authmethod_is_enabled publickey > debug1: Next authentication method: publickey > debug1: Offering RSA public key: /home/user1/.ssh/id_rsa > debug3: send_pubkey_test > debug3: send packet: type 50 > debug2: we sent a publickey packet, wait for reply > debug3: receive packet: type 51 > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive > debug1: Trying private key: /home/user1/.ssh/id_dsa > debug3: no such identity: /home/user1/.ssh/id_dsa: No such > file or directory > debug1: Trying private key: /home/user1/.ssh/id_ecdsa > debug3: no such identity: /home/user1/.ssh/id_ecdsa: No such file or > directory > debug1: Trying private key: /home/user1/.ssh/id_ed25519 > debug3: no such identity: /home/user1/.ssh/id_ed25519: No > such file or > directory > debug2: we did not send a packet, disable method > debug3: authmethod_lookup keyboard-interactive > debug3: remaining preferred: password > debug3: authmethod_is_enabled keyboard-interactive > debug1: Next authentication method: keyboard-interactive > debug2: userauth_kbdint > debug3: send packet: type 50 > debug2: we sent a keyboard-interactive packet, wait for reply > debug3: receive packet: type 60 > debug2: input_userauth_info_req > debug2: input_userauth_info_req: num_prompts 1 
> Password: > > On the sshd-server side: > > debug2: load_server_config: filename /etc/ssh/sshd_config > debug2: load_server_config: done config len = 530 > debug2: parse_server_config: config /etc/ssh/sshd_config len 530 > debug3: /etc/ssh/sshd_config:59 setting AuthorizedKeysFile > .ssh/authorized_keys > debug3: /etc/ssh/sshd_config:77 setting PasswordAuthentication no > debug3: /etc/ssh/sshd_config:90 setting GSSAPIAuthentication yes > debug3: /etc/ssh/sshd_config:91 setting GSSAPICleanupCredentials yes > debug3: /etc/ssh/sshd_config:104 setting UsePAM yes > debug3: /etc/ssh/sshd_config:109 setting X11Forwarding yes > debug3: /etc/ssh/sshd_config:118 setting UsePrivilegeSeparation no > debug3: /etc/ssh/sshd_config:134 setting Subsystem sftp > /usr/lib/ssh/sftp-server > debug3: /etc/ssh/sshd_config:137 setting AcceptEnv LANG LC_CTYPE > LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES > debug3: /etc/ssh/sshd_config:138 setting AcceptEnv LC_PAPER LC_NAME > LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT > debug3: /etc/ssh/sshd_config:139 setting AcceptEnv > LC_IDENTIFICATION LC_ALL > debug1: sshd version OpenSSH_7.2, OpenSSL 1.0.2j-fips 26 Sep 2016 > debug1: private host key #0: ssh-rsa > SHA256:1j6kb5tgv9SOPXFk1t2MYS7AHAoXvNAz8sLdnhS/NsM > debug1: private host key #1: ssh-dss > SHA256:Uhux8JTTAoVerZphmCGBCGVswPSXMZQnUxjnIfN0cPU > debug1: private host key #2: ecdsa-sha2-nistp256 > SHA256:7/AZTZcLAybma0tYTXNTStak01rfYk/r17XmQO1djso > debug1: private host key #3: ssh-ed25519 > SHA256:gpAG0xdH9KcJZS3/3p7516k+5sC6A5Y02/1K+PhZ2Fc > debug1: rexec_argv[0]='/usr/sbin/sshd' > debug1: rexec_argv[1]='-ddd' > debug1: rexec_argv[2]='-p' > debug1: rexec_argv[3]='2233' > debug3: oom_adjust_setup > debug1: Set /proc/self/oom_score_adj from 0 to -1000 > debug2: fd 3 setting O_NONBLOCK > debug1: Bind to port 2233 on 0.0.0.0. > Server listening on 0.0.0.0 port 2233. > debug2: fd 4 setting O_NONBLOCK > debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY > debug1: Bind to port 2233 on ::. 
> Server listening on :: port 2233. > debug3: fd 5 is not O_NONBLOCK > debug1: Server will not fork when running in debugging mode. > debug3: send_rexec_state: entering fd = 8 config len 530 > debug3: ssh_msg_send: type 0 > debug3: send_rexec_state: done > debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 > debug1: inetd sockets after dupping: 3, 3 > Connection from 141.30.156.114 port 45018 on 141.30.156.36 port 2233 > debug1: Client protocol version 2.0; client software version > OpenSSH_7.2 > debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000 > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_7.2 > debug2: fd 3 setting O_NONBLOCK > debug1: list_hostkey_types: > ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256, > ssh-ed25519 > debug3: send packet: type 20 > debug1: SSH2_MSG_KEXINIT sent > debug3: receive packet: type 20 > debug1: SSH2_MSG_KEXINIT received > debug2: local server KEXINIT proposal > debug2: KEX algorithms: > curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nist > p384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,d > iffie-hellman-group14-sha1 > debug2: host key algorithms: > ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256, > ssh-ed25519 > debug2: ciphers ctos: > chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr > ,aes128-gcm at openssh.com,aes256-gcm at openssh.com > debug2: ciphers stoc: > chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr > ,aes128-gcm at openssh.com,aes256-gcm at openssh.com > debug2: MACs ctos: > umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256 > -etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at o > penssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2- > 256,hmac-sha2-512,hmac-sha1 > debug2: MACs stoc: > umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256 > -etm at openssh.com,hmac-sha2-512-etm at 
openssh.com,hmac-sha1-etm at o > penssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2- > 256,hmac-sha2-512,hmac-sha1 > debug2: compression ctos: none,zlib at openssh.com > debug2: compression stoc: none,zlib at openssh.com > debug2: languages ctos: > debug2: languages stoc: > debug2: first_kex_follows 0 > debug2: reserved 0 > debug2: peer client KEXINIT proposal > debug2: KEX algorithms: > curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nist > p384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,d > iffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1, > ext-info-c > debug2: host key algorithms: > ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-c > ert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,s > sh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,s > sh-dss-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nis > tp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-25 > 6,ssh-rsa,ssh-dss > debug2: ciphers ctos: > chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr > ,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes1 > 92-cbc,aes256-cbc,3des-cbc > debug2: ciphers stoc: > chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr > ,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes1 > 92-cbc,aes256-cbc,3des-cbc > debug2: MACs ctos: > umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256 > -etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at o > penssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2- > 256,hmac-sha2-512,hmac-sha1 > debug2: MACs stoc: > umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256 > -etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at o > penssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2- > 256,hmac-sha2-512,hmac-sha1 > debug2: compression ctos: none,zlib at openssh.com > debug2: 
compression stoc: none,zlib at openssh.com
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug1: kex: algorithm: curve25519-sha256 at libssh.org
> debug1: kex: host key algorithm: ecdsa-sha2-nistp256
> debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
> debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
> debug1: kex: curve25519-sha256 at libssh.org need=64 dh_need=64
> debug1: kex: curve25519-sha256 at libssh.org need=64 dh_need=64
> debug1: expecting SSH2_MSG_KEX_ECDH_INIT
> debug3: receive packet: type 30
> debug3: send packet: type 31
> debug3: send packet: type 21
> debug2: set_newkeys: mode 1
> debug1: rekey after 134217728 blocks
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug3: send packet: type 7
> debug3: receive packet: type 21
> debug2: set_newkeys: mode 0
> debug1: rekey after 134217728 blocks
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug3: receive packet: type 5
> debug3: send packet: type 6
> debug3: receive packet: type 50
> debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method none
> debug1: attempt 0 failures 0
> debug2: parse_server_config: config reprocess config len 530
> debug2: input_userauth_request: setting up authctxt for EXAMPLE+user1
> debug1: PAM: initializing for "EXAMPLE+user1"
> debug1: PAM: setting PAM_RHOST to "141.30.156.114"
> debug1: PAM: setting PAM_TTY to "ssh"
> debug2: input_userauth_request: try method none
> Failed none for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
> debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
> debug3: send packet: type 51
> debug3: receive packet: type 50
> debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method gssapi-with-mic
> debug1: attempt 1 failures 0
> debug2: input_userauth_request: try method gssapi-with-mic
> debug3: send packet: type 60
> Postponed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
> debug3: receive packet: type 61
> debug1: Received some client credentials
> debug3: send packet: type 61
> debug3: receive packet: type 66
> Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
> debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
> debug3: send packet: type 51
> debug3: receive packet: type 50
> debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method gssapi-with-mic
> debug1: attempt 2 failures 1
> debug2: input_userauth_request: try method gssapi-with-mic
> Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
> debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
> debug3: send packet: type 51
> debug3: receive packet: type 50
> debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method gssapi-with-mic
> debug1: attempt 3 failures 1
> debug2: input_userauth_request: try method gssapi-with-mic
> Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
> debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
> debug3: send packet: type 51
> debug3: receive packet: type 50
> debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method gssapi-with-mic
> debug1: attempt 4 failures 1
> debug2: input_userauth_request: try method gssapi-with-mic
> Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
> debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
> debug3: send packet: type 51
> debug3: receive packet: type 50
> debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method publickey
> debug1: attempt 5 failures 1
> debug2: input_userauth_request: try method publickey
> debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:PYcpC+MW8MGt1dXFFm9qebnkNkmClIpsaUTBR/Wzym8
> debug1: temporarily_use_uid: 103321/10513 (e=0/0)
> debug1: trying public key file /home/user1/.ssh/authorized_keys
> debug1: Could not open authorized keys '/home/user1/.ssh/authorized_keys': No such file or directory
> debug1: restore_uid: 0/0
> debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-512
> Failed publickey for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
> debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
> debug3: send packet: type 51
> debug3: receive packet: type 50
> debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method keyboard-interactive
> debug1: attempt 6 failures 2
> debug2: input_userauth_request: try method keyboard-interactive
> debug1: keyboard-interactive devs
> debug1: auth2_challenge: user=EXAMPLE+user1 devs
> debug1: kbdint_alloc: devices 'pam'
> debug2: auth2_challenge_start: devices pam
> debug2: kbdint_next_device: devices <empty>
> debug1: auth2_challenge_start: trying authentication method 'pam'
> debug3: PAM: sshpam_init_ctx entering
> debug3: PAM: sshpam_query entering
> debug3: ssh_msg_recv entering
> debug3: PAM: sshpam_thread_conv entering, 1 messages
> debug3: ssh_msg_send: type 1
> debug3: ssh_msg_recv entering
> debug3: send packet: type 60
> Postponed keyboard-interactive for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
>
>
> smb.conf:
>
> [global]
>
> netbios name = computer1
> security = ADS
> workgroup = SUBDOM2
> realm = SUBDOM2.SUBDOM1.EXAMPLE.DE
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> template homedir = /home/%U
> template shell = /bin/bash
>
> winbind separator = +
>
> idmap config * : backend = tdb
> idmap config * : range = 2000-2999
> idmap config SUBDOM2 : backend = rid
> idmap config SUBDOM2 : range = 3000-9999 # UID from RID for ILRW
> idmap config EXAMPLE : backend = rid
> idmap config EXAMPLE : range = 10000-9999999 # UID from RID for DOM
>
>
> krb5.conf:
>
> [libdefaults]
> default_realm = SUBDOM2.SUBDOM1.EXAMPLE.DE
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
>
> [realms]
> EXAMPLE.DE = {
> auth_to_local = RULE:[1:EXAMPLE+$1]
> }
> SUBDOM1.EXAMPLE.DE = {
> auth_to_local = RULE:[1:SUBDOM1+$1]
> }
> SUBDOM2.SUBDOM1.EXAMPLE.DE = {
> auth_to_local = RULE:[1:SUBDOM2+$1]
> }
>
> [domain_realm]
> .subdom2.subdom1.example.de = SUBDOM2.SUBDOM1.EXAMPLE.DE
> subdom2.subdom1.example.de = SUBDOM2.SUBDOM1.EXAMPLE.DE
> .subdom1.example.de = SUBDOM1.EXAMPLE.DE
> subdom1.example.de = SUBDOM1.EXAMPLE.DE
> .example.de = EXAMPLE.DE
> example.de = EXAMPLE.DE
>
> [capaths]
> SUBDOM2.SUBDOM1.EXAMPLE.DE = {
> SUBDOM1.EXAMPLE.DE = .
> EXAMPLE.DE = SUBDOM1.EXAMPLE.DE
> }
> SUBDOM1.EXAMPLE.DE = {
> SUBDOM2.SUBDOM1.EXAMPLE.DE = .
> EXAMPLE.DE = .
> }
> EXAMPLE.DE = {
> SUBDOM1.EXAMPLE.DE = .
> SUBDOM2.SUBDOM1.EXAMPLE.DE = SUBDOM1.EXAMPLE.DE
> }
>
> [logging]
> kdc = FILE:/var/log/krb5/krb5kdc.log
> admin_server = FILE:/var/log/krb5/kadmind.log
> default = SYSLOG:DEBUG:DAEMON
>
> sshd_config:
>
> AuthorizedKeysFile .ssh/authorized_keys
> PasswordAuthentication no
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> UsePAM yes
> X11Forwarding yes
> Subsystem sftp /usr/lib/ssh/sftp-server
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL
>
> --
> Regards,
> Andreas
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
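How the auth_to_local rules in the krb5.conf quoted above turn a Kerberos principal into the local account name that sshd compares with the requested login, as an added Python example (not code from the thread, from Samba or from MIT krb5): it evaluates a subset of MIT's RULE/DEFAULT syntax against the three realms of the posted config. The DEFAULT entry for SUBDOM2, the sed-style substitutions handled with Python regex semantics, and the principal names fed in are assumptions or constructed inputs.

```python
import re

# Constructed from the auth_to_local rules quoted in the thread; the DEFAULT
# entry for SUBDOM2 is an assumption added to show the second rule kind.
AUTH_TO_LOCAL = {
    "EXAMPLE.DE": ["RULE:[1:EXAMPLE+$1]"],
    "SUBDOM1.EXAMPLE.DE": ["RULE:[1:SUBDOM1+$1]"],
    "SUBDOM2.SUBDOM1.EXAMPLE.DE": ["RULE:[1:SUBDOM2+$1]", "DEFAULT"],
}
DEFAULT_REALM = "SUBDOM2.SUBDOM1.EXAMPLE.DE"

# RULE:[n:template](selector)s/pattern/replacement/g ; selector and s/// are optional.
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$")
SUBST_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def split_principal(principal):
    """'user1@EXAMPLE.DE' -> (['user1'], 'EXAMPLE.DE');
    'host/fqdn@REALM' -> (['host', 'fqdn'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("principal lacks name or realm: %r" % principal)
    return name.split("/"), realm


def apply_rule(rule, components, realm):
    """Evaluate one auth_to_local entry; return the local name or None."""
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals of the default realm.
        if realm == DEFAULT_REALM and len(components) == 1:
            return components[0]
        return None
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("unsupported auth_to_local entry: %r" % rule)
    n, template, selector, substs = m.groups()
    if len(components) != int(n):
        return None  # [1:...] never matches host/fqdn, which has two components
    parts = [realm] + components  # $0 is the realm, $1.. the components

    def expand(match):
        idx = int(match.group(1))
        if idx >= len(parts):
            raise ValueError("rule %r references $%d" % (rule, idx))
        return parts[idx]

    name = re.sub(r"\$(\d+)", expand, template)
    # The optional (selector) must match the expanded string, else the rule is skipped.
    if selector is not None and re.search(selector, name) is None:
        return None
    # Substitutions use Python regex semantics here (MIT uses sed-style ones).
    for pattern, repl, flag in SUBST_RE.findall(substs):
        name = re.sub(pattern, repl, name, count=0 if flag == "g" else 1)
    return name


def principal_to_local(principal):
    """First matching rule of the principal's realm wins; None if none matches."""
    components, realm = split_principal(principal)
    for rule in AUTH_TO_LOCAL.get(realm, []):
        local = apply_rule(rule, components, realm)
        if local is not None:
            return local
    return None


def gssapi_userok(principal, requested_login):
    """The check made after the GSSAPI exchange itself succeeded: the
    authenticated principal must map to the account the client asked for."""
    return principal_to_local(principal) == requested_login


if __name__ == "__main__":
    # Constructed inputs: the thread's two users, a separator mismatch and a host principal.
    for princ, login in [
        ("user1@EXAMPLE.DE", "EXAMPLE+user1"),
        ("user1@EXAMPLE.DE", "EXAMPLE\\user1"),
        ("testuser@SUBDOM2.SUBDOM1.EXAMPLE.DE", "SUBDOM2+testuser"),
        ("host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE", "root"),
    ]:
        print("%-72s -> %-18s userok(%s)=%s"
              % (princ, principal_to_local(princ), login, gssapi_userok(princ, login)))
```

A principal that maps to nothing, or to a name other than the login the client asked for (for instance when the winbind separator and the rule template disagree), fails this step even though the ticket itself was accepted, which is the situation to rule out when the KRB5_TRACE output shows a valid service ticket but sshd still reports a failed gssapi-with-mic attempt.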
Hi,

thanks for your hints. DNS, /etc/resolv.conf and /etc/hosts seem to be correct.

I'm able to do a kerberized ssh with a user from subdom2.subdom1.example.de (testuser at SUBDOM2.SUBDOM1.EXAMPLE.DE). But I'm not able to do the same with a user from example.de (user1 at EXAMPLE.DE).

--
Regards,
Andreas

On 01.11.2017 at 10:51, L.P.H. van Belle via samba wrote:
> I can suggest a few things.
>
> krb5.conf (if you use nfsv4 with kerberized mounts)
> [libdefaults]
> ignore_k5login = true
>
> But it does not look like it in your logs that you're using kerberized mounts.
>
>
> I'm missing in sshd_config:
> UseDNS yes
>
> And the defaults:
> # GSSAPI options
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> Are sufficient for a normal ssh kerberized login.
>
> Optional, depending on the use of your server, and if your SSH supports it.
> (use man sshd_config to look them up)
> GSSAPIStrictAcceptorCheck yes
> GSSAPIKeyExchange yes
> GSSAPIStoreCredentialsOnRekey yes
>
> I assume that server and client do have A and PTR records AND both servers have nfs/FQDN at REALM in the keytab.
>
> Postponed keyboard-interactive for EXAMPLE+user1 from 141.30.156.114
> That looks to me like UseDNS yes may solve it, if it's keytab/resolving related.
> If not, then I would try first to change the winbind separator
> winbind separator = + to \ (and correct krb5.conf also)
>
> I can't recall where I read that, but that may solve it also.
>
> If these did not fix it, post the following please.
> Your OS and samba version.
> cat /etc/resolv.conf
> cat /etc/hosts
> dig -x server_ip
> dig -x client_ip
>
> What I do on Debian is the following.
> Set up samba (my configs, see my github howtos: github.com/thctlo/samba4)
> apt-get install ssh-krb5
> pam-auth-update
>
> And I can use SSO logins.
>
> So try above, and report back.
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Andreas Hauffe via samba
>> Sent: Wednesday, 1 November 2017 9:59
>> To: samba at lists.samba.org
>> Subject: [Samba] Winbind, Kerberos, SSH and Single Sign On
>> debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
>> debug3: send packet: type 51
>> debug3: receive packet: type 50
>> debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method gssapi-with-mic
>> debug1: attempt 1 failures 0
>> debug2: input_userauth_request: try method gssapi-with-mic
>> debug3: send packet: type 60
>> Postponed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
>> debug3: receive packet: type 61
>> debug1: Received some client credentials
>> debug3: send packet: type 61
>> debug3: receive packet: type 66
>> Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
>> debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
>> debug3: send packet: type 51
>> debug3: receive packet: type 50
>> debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method gssapi-with-mic
>> debug1: attempt 2 failures 1
>> debug2: input_userauth_request: try method gssapi-with-mic
>> Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
>> debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
>> debug3: send packet: type 51
>> debug3: receive packet: type 50
>> debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method gssapi-with-mic
>> debug1: attempt 3 failures 1
>> debug2: input_userauth_request: try method gssapi-with-mic
>> Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
>> debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
>> debug3: send packet: type 51
>> debug3: receive packet: type 50
>> debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method gssapi-with-mic
>> debug1: attempt 4 failures 1
>> debug2: input_userauth_request: try method gssapi-with-mic
>> Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
>> debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
>> debug3: send packet: type 51
>> debug3: receive packet: type 50
>> debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method publickey
>> debug1: attempt 5 failures 1
>> debug2: input_userauth_request: try method publickey
>> debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:PYcpC+MW8MGt1dXFFm9qebnkNkmClIpsaUTBR/Wzym8
>> debug1: temporarily_use_uid: 103321/10513 (e=0/0)
>> debug1: trying public key file /home/user1/.ssh/authorized_keys
>> debug1: Could not open authorized keys '/home/user1/.ssh/authorized_keys': No such file or directory
>> debug1: restore_uid: 0/0
>> debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-512
>> Failed publickey for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
>> debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
>> debug3: send packet: type 51
>> debug3: receive packet: type 50
>> debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method keyboard-interactive
>> debug1: attempt 6 failures 2
>> debug2: input_userauth_request: try method keyboard-interactive
>> debug1: keyboard-interactive devs
>> debug1: auth2_challenge: user=EXAMPLE+user1 devs
>> debug1: kbdint_alloc: devices 'pam'
>> debug2: auth2_challenge_start: devices pam
>> debug2: kbdint_next_device: devices <empty>
>> debug1: auth2_challenge_start: trying authentication method 'pam'
>> debug3: PAM: sshpam_init_ctx entering
>> debug3: PAM: sshpam_query entering
>> debug3: ssh_msg_recv entering
>> debug3: PAM: sshpam_thread_conv entering, 1 messages
>> debug3: ssh_msg_send: type 1
>> debug3: ssh_msg_recv entering
>> debug3: send packet: type 60
>> Postponed keyboard-interactive for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
>>
>>
>> smb.conf:
>>
>> [global]
>>
>>         netbios name = computer1
>>         security = ADS
>>         workgroup = SUBDOM2
>>         realm = SUBDOM2.SUBDOM1.EXAMPLE.DE
>>         dedicated keytab file = /etc/krb5.keytab
>>         kerberos method = secrets and keytab
>>
>>         template homedir = /home/%U
>>         template shell = /bin/bash
>>
>>         winbind separator = +
>>
>>         idmap config * : backend = tdb
>>         idmap config * : range = 2000-2999
>>         idmap config SUBDOM2 : backend = rid
>>         idmap config SUBDOM2 : range = 3000-9999        # UID from RID for ILRW
>>         idmap config EXAMPLE : backend = rid
>>         idmap config EXAMPLE : range = 10000-9999999    # UID from RID for DOM
>>
>>
>> krb5.conf:
>>
>> [libdefaults]
>>         default_realm = SUBDOM2.SUBDOM1.EXAMPLE.DE
>>         dns_lookup_realm = false
>>         dns_lookup_kdc = true
>>         ticket_lifetime = 24h
>>         renew_lifetime = 7d
>>         forwardable = true
>>
>> [realms]
>>         EXAMPLE.DE = {
>>                 auth_to_local = RULE:[1:EXAMPLE+$1]
>>         }
>>         SUBDOM1.EXAMPLE.DE = {
>>                 auth_to_local = RULE:[1:SUBDOM1+$1]
>>         }
>>         SUBDOM2.SUBDOM1.EXAMPLE.DE = {
>>                 auth_to_local = RULE:[1:SUBDOM2+$1]
>>         }
>>
>> [domain_realm]
>>         .subdom2.subdom1.example.de = SUBDOM2.SUBDOM1.EXAMPLE.DE
>>         subdom2.subdom1.example.de = SUBDOM2.SUBDOM1.EXAMPLE.DE
>>         .subdom1.example.de = SUBDOM1.EXAMPLE.DE
>>         subdom1.example.de = SUBDOM1.EXAMPLE.DE
>>         .example.de = EXAMPLE.DE
>>         example.de = EXAMPLE.DE
>>
>> [capaths]
>>         SUBDOM2.SUBDOM1.EXAMPLE.DE = {
>>                 SUBDOM1.EXAMPLE.DE = .
>>                 EXAMPLE.DE = SUBDOM1.EXAMPLE.DE
>>         }
>>         SUBDOM1.EXAMPLE.DE = {
>>                 SUBDOM2.SUBDOM1.EXAMPLE.DE = .
>>                 EXAMPLE.DE = .
>>         }
>>         EXAMPLE.DE = {
>>                 SUBDOM1.EXAMPLE.DE = .
>>                 SUBDOM2.SUBDOM1.EXAMPLE.DE = SUBDOM1.EXAMPLE.DE
>>         }
>>
>> [logging]
>>         kdc = FILE:/var/log/krb5/krb5kdc.log
>>         admin_server = FILE:/var/log/krb5/kadmind.log
>>         default = SYSLOG:DEBUG:DAEMON
>>
>> sshd_config:
>>
>> AuthorizedKeysFile .ssh/authorized_keys
>> PasswordAuthentication no
>> GSSAPIAuthentication yes
>> GSSAPICleanupCredentials yes
>> UsePAM yes
>> X11Forwarding yes
>> Subsystem sftp /usr/lib/ssh/sftp-server
>> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
>> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
>> AcceptEnv LC_IDENTIFICATION LC_ALL
>>
>> --
>> Regards,
>> Andreas
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
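Worked example (added by the editor; it is not part of Andreas's mail and not code from Samba or MIT krb5): the sshd trace above accepts the GSSAPI context ("Received some client credentials") and then fails gssapi-with-mic after the client's MIC packet (type 66). One of the checks sshd makes at that point is whether the authenticated Kerberos principal translates, via the auth_to_local rules, to exactly the login name the client asked for, here 'EXAMPLE+user1'. The code below transcribes the rule table from the posted krb5.conf and re-implements the MIT rule syntax RULE:[n:string](regexp)s/pattern/replacement/g plus DEFAULT, so the mapping can be exercised offline for any principal. Assumptions of this example, not facts from the post: Python's re module stands in for the POSIX regex MIT uses; rules are taken from the [realms] section of the principal's own realm; principal-name escaping and ~/.k5login are ignored.

```python
"""Emulate MIT krb5 auth_to_local mapping for the realms in the posted krb5.conf.

Added example, not Samba/MIT code. Python's re approximates POSIX regex,
principal escaping and ~/.k5login are ignored (assumptions).
"""
import re
from typing import List, Optional

# Rule table transcribed from the posted krb5.conf (constructed here, not parsed from a file).
AUTH_TO_LOCAL = {
    "EXAMPLE.DE": ["RULE:[1:EXAMPLE+$1]"],
    "SUBDOM1.EXAMPLE.DE": ["RULE:[1:SUBDOM1+$1]"],
    "SUBDOM2.SUBDOM1.EXAMPLE.DE": ["RULE:[1:SUBDOM2+$1]"],
}
DEFAULT_REALM = "SUBDOM2.SUBDOM1.EXAMPLE.DE"

# RULE:[n:string](regexp)s/pattern/replacement/g   (regexp and s/// parts are optional)
_RULE_RE = re.compile(
    r"^\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"
    r"(?:\((?P<regexp>[^)]*)\))?"
    r"(?P<subs>(?:s/[^/]*/[^/]*/g?)*)$"
)
_SUB_RE = re.compile(r"s/([^/]*)/([^/]*)/(g?)")


def split_principal(principal: str):
    """'a/b@REALM' -> (['a', 'b'], 'REALM'). Backslash escaping is not handled (assumption)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal has no name or realm: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule: str, components: List[str], realm: str) -> Optional[str]:
    """Return the local name this single rule yields, or None if the rule does not apply."""
    if rule == "DEFAULT":
        # DEFAULT: a one-component principal in the default realm maps to that component
        return components[0] if len(components) == 1 and realm == DEFAULT_REALM else None
    if not rule.startswith("RULE:"):
        raise ValueError(f"unsupported auth_to_local rule: {rule!r}")
    m = _RULE_RE.match(rule[len("RULE:"):])
    if m is None:
        raise ValueError(f"malformed auth_to_local rule: {rule!r}")
    n = int(m.group("n"))
    if n != len(components):
        return None  # a rule applies only to principals with exactly n components

    def expand(var) -> str:
        i = int(var.group(1))  # $0 is the realm, $1..$n the principal components
        if i > n:
            raise ValueError(f"${i} out of range in rule {rule!r}")
        return realm if i == 0 else components[i - 1]

    text = re.sub(r"\$(\d+)", expand, m.group("fmt"))
    regexp = m.group("regexp")
    if regexp is not None and re.fullmatch(regexp, text) is None:
        return None  # the optional regexp must match the whole formatted string
    for pattern, replacement, g in _SUB_RE.findall(m.group("subs")):
        text = re.sub(pattern, replacement, text, count=0 if g else 1)
    return text


def aname_to_localname(principal: str) -> Optional[str]:
    """First matching rule from the principal's own realm wins; a realm without
    auth_to_local entries gets the DEFAULT behaviour (assumption about MIT's fallback)."""
    components, realm = split_principal(principal)
    for rule in AUTH_TO_LOCAL.get(realm, ["DEFAULT"]):
        local = apply_rule(rule, components, realm)
        if local is not None:
            return local
    return None


def gssapi_user_ok(principal: str, requested_user: str) -> bool:
    """The question sshd asks once the GSSAPI context is up (krb5_kuserok with no
    ~/.k5login present): does the principal translate to the requested login name?"""
    return aname_to_localname(principal) == requested_user


if __name__ == "__main__":
    for princ in ("user1@EXAMPLE.DE",
                  "user1@SUBDOM2.SUBDOM1.EXAMPLE.DE",
                  "host/computer1.subdom2.subdom1.example.de@SUBDOM2.SUBDOM1.EXAMPLE.DE"):
        print(f"{princ:72} -> {aname_to_localname(princ)}")
    print("EXAMPLE+user1 accepted for user1@EXAMPLE.DE:",
          gssapi_user_ok("user1@EXAMPLE.DE", "EXAMPLE+user1"))
```

With the posted rules, user1@EXAMPLE.DE maps to EXAMPLE+user1, which is the name the client requested; a two-component principal such as the host key never matches a [1:...] rule, and a principal from a realm that has no [realms] entry falls through to DEFAULT, which only maps single-component names in default_realm. Swapping the rule table for your own krb5.conf lets you check the mapping without touching sshd.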