Hello Rowland, Louis,
thanks for your support!
I do have ssh_config as suggested, except for PasswordAuthentication no - I
don't want to lock myself out for now, and the debug output doesn't suggest that
is the culprit.
You didn't include an sshd_config, unless it is supposed to be empty.
Nevertheless I got it to work. Actually krb5.conf was the culprit on that DC. I
can now log in locally and from a Windows client. Not yet sure whether it was just the
recommended mapping or some other garbage in it.
Then I tried to reproduce the same on another DC, as I went through some more
debugging before, and got it to work after:
Modifications to /etc/samba/smb.conf and /etc/security/pam_winbind.conf as in
https://wiki.samba.org/index.php/OpenSSH_Single_sign-on
Modifications to /etc/nsswitch.conf as
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
Modifications due to
https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM.
As far as I can tell, the ln -s /var/lib/samba/private/secrets.keytab krb5.keytab is
required, but I don't know why.
Not all of them might be relevant though. One finding suggested by you I can
confirm: one cannot log in from a DC to another DC even though one can log in
locally on a DC using SSH - looking forward to finding out why that doesn't
work.
I didn't yet try on a domain member, need to install one first (actually the install
finished, conf and test not yet done).
Thanks, Joachim
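The steps above touch sshd_config, krb5.conf and nsswitch.conf. The script below is an added check of those three prerequisites, not part of this thread or of the Samba wiki, and the file bodies it reads are constructed samples. It also covers a general sshd rule worth knowing when pasting settings into a stock config: sshd honours the first value it reads for a keyword, so an untouched "GSSAPIAuthentication no" higher up silently wins over the added line.

```python
"""Added check of the prerequisites named in the thread; file bodies are constructed samples."""
import re

SSHD_CONF = """# stock line left in place, followed by the wiki's setting
GSSAPIAuthentication no
GSSAPIAuthentication yes
"""
KRB5_CONF = """[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
[realms]
    SAMDOM.EXAMPLE.COM = {
        auth_to_local = DEFAULT
    }
"""
NSSWITCH = "passwd: files winbind\ngroup: files winbind\n"

def sshd_options(text):
    """sshd uses the FIRST value it reads for a keyword (case-insensitive), so
    the stock 'no' above silently wins. Match blocks are not modelled."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, val = re.split(r"[\s=]+", line, maxsplit=1)
            opts.setdefault(key.lower(), val.strip())
    return opts

def default_realm(krb5_text):
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_text, re.M)
    return m.group(1) if m else None

def realm_has_auth_to_local(krb5_text, realm):
    """True if the '<realm> = { ... }' block carries an auth_to_local line."""
    block = re.search(rf"^\s*{re.escape(realm)}\s*=\s*\{{(.*?)^\s*\}}",
                      krb5_text, re.M | re.S)
    return bool(block and re.search(r"^\s*auth_to_local\s*=", block.group(1), re.M))

def audit(sshd_text, krb5_text, nss_text):
    """Return findings; an empty list means the three prerequisites hold."""
    findings = []
    if sshd_options(sshd_text).get("gssapiauthentication") != "yes":
        findings.append("sshd: effective GSSAPIAuthentication is not yes")
    realm = default_realm(krb5_text)
    if not realm or not realm_has_auth_to_local(krb5_text, realm):
        findings.append(f"krb5.conf: no auth_to_local rule for realm {realm}")
    for db in ("passwd", "group"):
        m = re.search(rf"^{db}:(.*)$", nss_text, re.M)
        if not m or "winbind" not in m.group(1).split():
            findings.append(f"nsswitch.conf: {db} does not use winbind")
    return findings
```

Run it against the real files by reading /etc/ssh/sshd_config, /etc/krb5.conf and /etc/nsswitch.conf into the three arguments; the sample above deliberately reproduces the first-value-wins trap.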
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny
via samba
Sent: Monday, 25 October 2021 10:50
To: samba at lists.samba.org
Subject: Re: [Samba] OpenSSH with Kerberos?
On Mon, 2021-10-25 at 08:47 +0200, L.P.H. van Belle via samba
wrote:
> Good Morning Rowland.
>
>
> > -----Original Message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland
> > Penny via samba
> > Sent: Friday, 22 October 2021 21:24
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] OpenSSH with Kerberos?
> >
> > On Fri, 2021-10-22 at 19:01 +0200, Joachim Lindenberg via samba
> > wrote:
> > > Hello,
> > >
> > > I am trying to get OpenSSH to work with Kerberos, but am failing.
> > > I followed
> > > https://wiki.samba.org/index.php/OpenSSH_Single_sign-on, but
> > > I still need to provide a password (the AD password does work!)
> > > instead of achieving single-sign-on. I did follow the recommended
> > > auth_to_local mapping.
> > >
> >
> > I cannot ssh with kerberos from a Samba AD DC, but I can ssh with
> > kerberos to a Samba AD DC.
>
> On your last line you wrote, Rowland..
> You can't log in from a Samba AD DC to another Samba AD DC?
> Works fine here; you tried with the default configs from Debian
> and only enabled the GSSAPI part in sshd_config?
>
> That should work.
>
Should and does are different things :-)
With the configs I posted earlier, I can log into a Unix domain member from a
Samba AD DC, but not vice versa. I 'think' it must have something to do
with the DC expecting 'DOMAIN\username' and the Unix domain member
sending 'username'. I will investigate this as soon as possible.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba