On 4 Sep., 20:26, "Christopher D. Clausen" <[EMAIL PROTECTED]> wrote:
> Michael B Allen <[EMAIL PROTECTED]> wrote:
>
> > On 9/4/07, Roman S <[EMAIL PROTECTED]> wrote:
> >> I've configured a Microsoft Active Directory with LDAP and Kerberos,
> >> and some Linux (Redhat) clients who authenticate to it.
> >> I'm able to get some tickets for the users who are in the Active
> >> Directory, but SSH behaves a bit strange.
>
> >> I can always ssh to the same machine again.
> >> Like
> >> #foo: ssh foo
>
> >> but I can't ssh to any other computers. I always get a Permission
> >> denied.
> >> I've only enabled gssapi authentication, all others are disabled.
> >> Debug output of ssh didn't get me any further.
>
> > Hi Roman,
>
> > Did you create the host principal and keytab for the target server?
> > I suspect yes or the initial credential forwarding would not work either.
>
> > Also, you'll need a .k5login file in the home directory of the target:
>
> > $ cat ~/.k5login
> > [EMAIL PROTECTED]
>
> You do not NEED a .k5login file. It may be useful in certain
> environments, but it is not required.
>
> > Google for info about the above and you should find a tutorial I
> > would think.
>
> You probably need to:
> 1) ensure that forwardable tickets are being obtained (I suspect this is
> already the case)
> 2) set GSSAPIDelegateCredentials yes for ssh and/or sshd
>
> <<CDC
First of all, thanks for your ideas! So, to go through all questions and suggestions:

Yes, I've got the principals and keytab files. They were created in the Active Directory and then shared to the Linux clients over some Samba stuff.

I don't have the .k5login files, because the users from LDAP don't have home directories (the working user management is running over NIS; LDAP is just a test setup).

The tickets are forwardable, although I think this isn't important if I'm just logging in from one machine to another. GSSAPIDelegateCredentials is activated.

The strange thing I don't understand is that I get a valid host ticket for the remote computer, even though I get a permission denied. The debug output from the ssh server tells me:

debug1: Unspecified GSS failure. Minor code may provide more information
Wrong principal in request
debug1: Got no client credentials

I've been searching for some hints on that for quite a while, and I found two possible failures:
1. this is an ssh related bug
2. I've got bad keytab files

Hope you can help me out with that!

Greets
Roman

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
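One check worth running on the target server for the "Wrong principal in request" error above, as an added example that is not part of the thread: confirm that the server's keytab, as listed by `klist -kt`, holds a key for exactly the principal the client requests, `host/<fqdn-as-the-client-resolves-it>@REALM` (Kerberos principal names are case-sensitive, and a short name or a differently cased name in the keytab does not match). The `klist` listing, host names and realm below are constructed sample data; in practice the listing comes from `klist -kt /etc/krb5.keytab`.

```shell
# Constructed sample of `klist -kt` output: one key under the short host name and
# one under the FQDN but with a differently cased service name.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 09/04/2007 10:12:00 host/bar@EXAMPLE.COM
   3 09/04/2007 10:12:00 HOST/bar.example.com@EXAMPLE.COM'

# Principal an ssh client will ask the KDC for when it resolves the target as $1
# (fully qualified) in realm $2.
expected_host_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# Read a `klist -kt` listing on stdin and compare its principals against $1.
# Exit status: 0 = exact key present, 1 = only a case-insensitive match (name
# case mismatch), 2 = no key for that name at all. A one-line diagnosis is printed.
check_keytab_principal() {
    expected=$1
    # Data lines start with a numeric KVNO; the principal is the last field.
    listing=$(awk '$1 ~ /^[0-9]+$/ {print $NF}')
    if printf '%s\n' "$listing" | grep -qxF -- "$expected"; then
        echo "ok: keytab holds $expected"
        return 0
    elif printf '%s\n' "$listing" | grep -qixF -- "$expected"; then
        found=$(printf '%s\n' "$listing" | grep -ixF -- "$expected" | head -n 1)
        echo "case mismatch: keytab has $found, client requests $expected"
        return 1
    else
        echo "missing: keytab has no key for $expected"
        return 2
    fi
}

# Stand-alone run against the constructed listing (hypothetical host bar.example.com).
printf '%s\n' "$SAMPLE_KLIST" | check_keytab_principal "$(expected_host_principal bar.example.com EXAMPLE.COM)"
```

When the check reports a mismatch or a missing key, regenerate the keytab entry under the exact name the client resolves and compare again; the same listing-based check also applies to keytabs produced on the AD side.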
