does SAMBA4 support Kerberos S4U tokens? Background: I am trying to get OpenSSH for windows to work on machines joined to our SAMBA4 domain We are running Samba 4.7.3-Debian on Debian 9 When attempting to SSH in to a windows client using public key credentials for a domain user it fails. When attempting to SSH into a windows client using public key credentials for a local user it works just fine I have been working with the OpenSSH team trying to figure out why this isn't working, see github issue below https://github.com/PowerShell/Win32-OpenSSH/issues/1177#issuecomment-394789906 Thanks in advance for any assistance you can provide. :) Taylor -- *Taylor Hammerling* | *IT Manager* 2800 Laura Lane | Middleton, WI 53562 *O *(608) 669-9070 *| C *(608) 512-7849 tcsbasys.com | ubiquistat.com
Hi Taylor That's not hard to explain: The login to a local account is under the control of sshd, and if that has enough privileges it works. The login to a domain account is a kerberos login which requires either Username and Password, or possibly PKINIT with a certificate. None of them can work with just a public key. Norbert On 11.06.2018 15:56, Taylor Hammerling via samba wrote:> does SAMBA4 support Kerberos S4U tokens? > > Background: > I am trying to get OpenSSH for windows to work on machines joined to our > SAMBA4 domain > We are running Samba 4.7.3-Debian on Debian 9 > > When attempting to SSH in to a windows client using public key credentials > for a domain user it fails. When attempting to SSH into a windows client > using public key credentials for a local user it works just fine > > I have been working with the OpenSSH team trying to figure out why this > isn't working, see github issue below > > https://github.com/PowerShell/Win32-OpenSSH/issues/1177#issuecomment-394789906 > > Thanks in advance for any assistance you can provide. :) > > Taylor >
On Tue, 12 Jun 2018 08:28:10 +0200 Norbert Hanke via samba <samba at lists.samba.org> wrote:> Hi Taylor > > That's not hard to explain: > > The login to a local account is under the control of sshd, and if > that has enough privileges it works. > > The login to a domain account is a kerberos login which requires > either Username and Password, or possibly PKINIT with a certificate. > None of them can work with just a public key. > > Norbert > > > On 11.06.2018 15:56, Taylor Hammerling via samba wrote: > > does SAMBA4 support Kerberos S4U tokens? > > > > Background: > > I am trying to get OpenSSH for windows to work on machines joined > > to our SAMBA4 domain > > We are running Samba 4.7.3-Debian on Debian 9 > > > > When attempting to SSH in to a windows client using public key > > credentials for a domain user it fails. When attempting to SSH > > into a windows client using public key credentials for a local user > > it works just fine > > > > I have been working with the OpenSSH team trying to figure out why > > this isn't working, see github issue below > > > > https://github.com/PowerShell/Win32-OpenSSH/issues/1177#issuecomment-394789906 > > > > Thanks in advance for any assistance you can provide. :) > > > > Taylor > > > >Go on, I give in, how did you get a windows user called 'root' ??? As in: C:\\Users\\root\\.ssh/authorized_keys:1: matching key found: RSA SHA256:ajJEDL02MZx9advPCbyw8CHcGFdmF4sKnOojxo1/lFI Have you tried with an actual domain user ? i.e. not one called 'root' (By the way, 'root' SHOULDN'T exist in AD) Rowland