Hi Quinn,
I just tried your solution (my machine is also multi-homed). However it
doesn't work for me. The man-page of sshd_config also states, that the
behavior of "GSSAPIStrictAcceptorCheck" may depend on the used
krb5 libraries.
Could you please have a look at the krb5 and openssh versions you're
using (and perhaps the linux distribution/version)?
BTW: I'm running:
Ubuntu 12.04 LTS
openssh-server 5.9p1-5ubuntu1
libkrb5-3 1.10+dfsg~beta1-2ubuntu0.1
auth.log mentions (during failed login):
Unspecified GSS failure.
Minor code may provide more information:
Wrong principal in request
Thanks,
Marcel
-----Ursprüngliche Nachricht-----
Von: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] Im
Auftrag von Quinn Plattel
Gesendet: Dienstag, 10. Juli 2012 16:08
An: samba
Betreff: Re: [Samba] How do I get an ssh client to authenticate with samba4's
kerberos GSSAPI? [Solved]
Hi,
I solved my ssh GSSAPI problem. There were a lot of solutions on google
referring to a proper fqdn in the /etc/hosts file and having the
fqdn's/principals in the kerberos server's keytab file but I found out that my
problem was that the samba4/kerberos server was running on a multi-homed
machine and that the ssh server kerberos authentication needed the following
parameter in order for it to work on multi-homed machines:
GSSAPIStrictAcceptorCheck no
The default is yes, using "no" will, according to the manpage "clients may
authenticate against any service key stored in the machine's default store."
I hope this helps others that have similar setups as I do.
Thank you all for your input.
br,
Quinn
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
