Hello Rowland,
thanks for giving it a try, but it didn't help so far.
Following
https://www.ibm.com/support/pages/debugging-sshd-without-impacting-existing-sshd-sessions
I fired up a debug server and got
debug1: Unspecified GSS failure. Minor code may provide more information
Key table file '/etc/krb5.keytab' not found
Ok. Searched for that one: https://groups.google.com/g/linux.samba/c/_fpcVC-WBAM
and tried
samba-tool domain exportkeytab temp.keytab
klist -k temp.keytab | grep boa
output:
   1 dns-boa@SAMBA.LINDENBERG.ONE
   1 dns-boa@SAMBA.LINDENBERG.ONE
   1 dns-boa@SAMBA.LINDENBERG.ONE
Actually I also tried just using the export, but then got
debug1: Unspecified GSS failure. Minor code may provide more information
No key table entry found matching host/boa.samba.lindenberg.one@
I also tried ln -s /var/lib/samba/private/secrets.keytab krb5.keytab
But klist -k krb5.keytab results in:
Keytab name: FILE:krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOST/boa@SAMBA.LINDENBERG.ONE
   2 HOST/boa.samba.lindenberg.one@SAMBA.LINDENBERG.ONE
   2 BOA$@SAMBA.LINDENBERG.ONE
   2 HOST/boa@SAMBA.LINDENBERG.ONE
   2 HOST/boa.samba.lindenberg.one@SAMBA.LINDENBERG.ONE
   2 BOA$@SAMBA.LINDENBERG.ONE
   2 HOST/boa@SAMBA.LINDENBERG.ONE
   2 HOST/boa.samba.lindenberg.one@SAMBA.LINDENBERG.ONE
   2 BOA$@SAMBA.LINDENBERG.ONE
In other words it looks like sshd and Samba don't agree on how to name the
system principal to be used to identify the ssh server.
boa.samba.lindenberg.one is one of my DCs.
If I set /etc/ssh/sshd_config
GSSAPIStrictAcceptorCheck no # not happy about this
Then this message disappears and I get to:
Failed gssapi-keyex for Joachim2 from 192.168.177.18 port 58234 ssh2
debug1: audit_event: unhandled event 13
debug3: mm_ssh_gssapi_userok: user not authenticated [preauth]
...
But afaik that doesn't really imply GSSAPIStrictAcceptorCheck does the trick and
I have to search for something else.
I also discovered https://narkive.com/M5kraUiz.7 but ktpass is not available on
Ubuntu and the translation to ktutil is not obvious to me.
Any further hint?
Thanks, Joachim
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Friday, 22 October 2021 21:24
To: samba at lists.samba.org
Subject: Re: [Samba] OpenSSH with Kerberos?
On Fri, 2021-10-22 at 19:01 +0200, Joachim Lindenberg via samba wrote:
> Hello,
>
> I am trying to get OpenSSH to work with Kerberos, but am failing. I
> followed https://wiki.samba.org/index.php/OpenSSH_Single_sign-on, but
> I still need to provide a password (the AD password does work!)
> instead of achieving single-sign-on. I did follow the recommended
> auth_to_local mapping.
>
I cannot ssh with kerberos from a Samba AD DC, but I can ssh with kerberos to a
Samba AD DC.
The ssh client (devstation) has this in /etc/ssh/ssh_config
Host *
PasswordAuthentication no
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIRenewalForcesRekey yes
GSSAPITrustDns yes
Host *.samdom.example.com
# It's best to limit this option to only trusted hosts:
GSSAPIDelegateCredentials yes
The ssh server (rpidc2) has this in /etc/ssh/sshd_config
There is just this in /etc/krb5.conf
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
This all leads to this:
rowland@devstation:~$ ssh -K rpidc2.samdom.example.com
Linux rpidc2 5.10.52-v7l+ #1440 SMP Tue Jul 27 09:55:21 BST 2021 armv7l
The programs included with the Debian GNU/Linux system are free software; the
exact distribution terms for each program are described in the individual files
in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Fri Oct 22 19:35:10 2021 from 192.168.0.49
SAMDOM\rowland@rpidc2:~$
Hope this helps.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
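A check for the principal-naming mismatch discussed in Joachim's message, written as an added example for this thread (it is not code from the thread, from Samba or from OpenSSH). It compares the text of `klist -k` against the acceptor name sshd asks for, host/<fqdn>@ with the realm left open, exactly as the logged lookup "host/boa.samba.lindenberg.one@" shows, and reports whether the keytab has that entry, only a differently-cased variant such as HOST/<fqdn>@REALM, or nothing. The first listing is taken from the thread's klist output; the second, labelled in the code, is an assumed listing of a keytab written with samba-tool domain exportkeytab --principal=host/boa.samba.lindenberg.one, not output from the thread.

```shell
#!/bin/sh
# Added example for this thread, not code from the Samba or OpenSSH projects.
# sshd's GSSAPI acceptor looks up the keytab for host/<fqdn>@ (any realm, as
# the log line "No key table entry found matching host/boa.samba.lindenberg.one@"
# shows), and MIT Kerberos compares principal names case-sensitively, so an
# entry spelled HOST/<fqdn>@REALM does not satisfy that lookup. The functions
# below run that comparison over the text of `klist -k <keytab>`, so the
# mismatch can be spotted without touching the live keytab or KDC.

# check_acceptor_principal LISTING FQDN
#   returns 0  an exact host/FQDN@... entry is present
#   returns 2  only a case-variant (e.g. HOST/FQDN@...) is present
#   returns 1  no entry for FQDN at all
check_acceptor_principal() {
    printf '%s\n' "$1" | awk -v want="host/$2@" '
        # keytab entries are the lines whose first field is a KVNO
        $1 ~ /^[0-9]+$/ {
            if (index($2, want) == 1) exact = 1
            else if (index(tolower($2), tolower(want)) == 1) variant = 1
        }
        END { if (exact) exit 0; if (variant) exit 2; exit 1 }'
}

# report LISTING FQDN LABEL: print a one-line verdict; always returns 0 so it
# is safe to call under set -e.
report() {
    rc=0
    check_acceptor_principal "$1" "$2" || rc=$?
    case $rc in
        0) echo "$3: host/$2@ present; sshd's acceptor lookup will succeed" ;;
        2) echo "$3: only a case-variant of host/$2@ present (e.g. HOST/); sshd will not match it" ;;
        *) echo "$3: no entry for $2 at all" ;;
    esac
}

# Constructed from the klist output in the thread (secrets.keytab linked as
# krb5.keytab); one entry per principal is enough for the comparison.
SAMBA_SECRETS_LISTING='Keytab name: FILE:krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOST/boa@SAMBA.LINDENBERG.ONE
   2 HOST/boa.samba.lindenberg.one@SAMBA.LINDENBERG.ONE
   2 BOA$@SAMBA.LINDENBERG.ONE'

# Constructed (assumption, not output from the thread): what a keytab written with
#   samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/boa.samba.lindenberg.one
# is expected to list, with the service name in the case sshd asks for.
EXPORTED_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/boa.samba.lindenberg.one@SAMBA.LINDENBERG.ONE'

report "$SAMBA_SECRETS_LISTING" boa.samba.lindenberg.one "secrets.keytab"
report "$EXPORTED_LISTING" boa.samba.lindenberg.one "exported keytab"
```

The check is deliberately about the name and not the key material: per sshd_config(5), GSSAPIStrictAcceptorCheck no lets sshd accept a ticket for any service key in the default keytab, which is why the "no key table entry" message goes away under that setting without the host/ entry ever being added. Once an entry with the right name is present, compare its KVNO column against `kvno host/<fqdn>` on the server to catch a keytab that has gone stale after a machine-account password change.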