Roman - the following may help.
On 05/09/2007, at 4:45 PM, [EMAIL PROTECTED] wrote:
On 4 Sep., 20:26, "Christopher D. Clausen" <[EMAIL PROTECTED]> wrote:
Michael B Allen <[EMAIL PROTECTED]> wrote:
On 9/4/07, Roman S <[EMAIL PROTECTED]> wrote:
I've configured a Microsoft Active Directory with LDAP and
Kerberos,
and some Linux (Redhat) clients who authenticate to it.
I'm able to get some tickets for the users who are in the Active
Directory, but SSH behaves a bit strange.
I can always ssh to the same machine again.
Like
#foo: ssh foo
but I can't ssh to any other computers. I always get a Permission
denied.
I've only enabled gssapi authentication, all others are disabled.
Debug output of ssh didn't get me any further.
Hi Roman,
Did you create the host principal and keytab for the target server?
I suspect yes or the initial credential forwarding would not work
either.
Also, you'll need a .k5login file in the home directory of the
target:
$ cat ~/.k5login
[EMAIL PROTECTED]
You do not NEED a .k5login file. It may be useful in certain
environments, but it is not required.
Google for info about the above and you should find a tutorial I
would think.
You probably need to:
1) ensure that forwardable tickets are being obtained (I suspect
this is
already the case)
2) set GSSAPIDelegateCredentials yes for ssh and/or sshd
<<CDC
First of all thanks for your ideas!
So to go to all questions and suggestions:
Yes I've got the principals and keytab files. They were created in the
active directory, and then shared to the linux clients over some samba
stuff.
I don't have the .k5login files, because the users from LDAP don't
have home directories (because the working user management is running
over NIS, LDAP is just a test setup).
The tickets are forwardable, although I think this isn't important if
I'm just logging in from one machine to another.
GSSAPIDelegateCredentials is activated.
The strange thing I don't understand is that I get a valid host ticket
for the remote computer, even though I get a permission denied.
The debug output from the ssh server tells me:
debug1: Unspecified GSS failure. Minor code may provide more
information
Wrong principal in request
debug1: Got no client credentials
I've been searching for some hints on that for quite a while, and I
found two possible failures:
1. this is a ssh related bug
2. I've got bad keytab files
Hope you can help me out with that!
Greets Roman
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos