On Mon, 2021-10-25 at 08:47 +0200, L.P.H. van Belle via samba wrote:
> Good Morning Rowland.
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Rowland Penny via samba
> > Sent: Friday 22 October 2021 21:24
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] OpenSSH with Kerberos?
> >
> > On Fri, 2021-10-22 at 19:01 +0200, Joachim Lindenberg via samba
> > wrote:
> > > Hello,
> > >
> > > I am trying to get OpenSSH to work with Kerberos, but am failing.
> > > I followed
> > > https://wiki.samba.org/index.php/OpenSSH_Single_sign-on, but
> > > I still need to provide a password (the AD password does work!)
> > > instead of achieving single-sign-on. I did follow the recommended
> > > auth_to_local mapping.
> > >
> >
> > I cannot ssh with kerberos from a Samba AD DC, but I can ssh with
> > kerberos to a Samba AD DC.
>
> On your last line you wrote, Rowland..
> You can't log in from a Samba AD-DC to another Samba AD-DC?
> Works fine here, you tried with the default configs from Debian.
> And only enabling the GSSAPI part in sshd_config?
>
> That should work.
>
Should and does are different things :-)
With the configs I posted earlier, I can log into a Unix domain member
from a Samba AD DC, but not vice versa. I 'think' it must have
something to do with the DC expecting 'DOMAIN\username' and the Unix
domain member sending 'username'. I will investigate this as soon as
possible.
Rowland