Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
Hi,

I have now managed to succeed in doing passwordless ssh logins via kerberos/samba4 without the GSSAPIStrictAcceptorCheck trick or hacking the krb5.keytab file.

My samba4 setup is actually a bit special compared to a normal samba4 setup, in that I am running samba4 on top of a corosync/pacemaker high availability cluster. It does complicate things a bit, in that samba4 is running on a machine with more than one hostname and IP address. I wanted samba4 to run on a virtual IP/hostname using corosync. Whenever a node becomes the primary node in a cluster, it automatically allocates a virtual IP by doing an IP alias. So for example, eth0 would have a normal IP, e.g. 10.0.0.1, but when this machine became the active node, it would also have an eth0:0 with IP e.g. 10.0.0.10, and samba4/bind9/whatever services would bind only to that virtual IP address. Unfortunately, some services such as sshd query the hostname of the machine, and that usually does not match the virtual hostname - hence we get "Wrong principal in request". The solution was to make the active node temporarily have the same hostname as the virtual hostname.

So anyways, here are the required items for passwordless ssh to work with kerberos:

- on the machine where sshd runs, make sure the command hostname -f returns the correct fully qualified domain name that you want to connect to via ssh
- on the machine where sshd runs, make sure you have a valid krb5.keytab file in /etc/ (sshd looks for it)
- on the machine where sshd runs, make sure you have host/<fully qualified domain name> exported to /etc/krb5.keytab:

      samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/cofil01.mydomain.net

  Note: You don't need to have an existing krb5.keytab for samba-tool domain exportkeytab to work.

So a minimal working sshd keytab would look like this using klist -ke /etc/krb5.keytab:

    Keytab name: FILE:krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------
       1 host/cofil01.mydomain.net@MYDOMAIN.NET (des-cbc-crc)
       1 host/cofil01.mydomain.net@MYDOMAIN.NET (des-cbc-md5)
       1 host/cofil01.mydomain.net@MYDOMAIN.NET (arcfour-hmac)

Remember to do a kinit user before doing ssh -l user server if you are not using a Single Sign On solution.

Hope this helps other people with their kerberos hacking! :-)

br,
Quinn

On Thu, Jul 19, 2012 at 9:34 PM, Ritter, Marcel - RRZE marcel.rit...@rrze.fau.de wrote:
> [...]
> On Thu, 19 July 2012 16:23, Quinn Plattel wrote:
> > [...]
Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
Hi,

Using the following tutorials:

https://help.ubuntu.com/community/SingleSignOn
https://help.ubuntu.com/community/Kerberos

I have now managed to get passwordless ssh logins via kerberos working (without using the /etc/ssh/sshd_config parameter GSSAPIStrictAcceptorCheck no) on a normal kerberos server setup.

I learned from this that ssh requires host/server.mydomain.net@MYDOMAIN.NET in the principal database and also exported to a keytab on the server which sshd is running on, in the location /etc/krb5.keytab.

On the client, /etc/ssh/ssh_config requires at least GSSAPIAuthentication yes. sshd requires at least KerberosAuthentication yes and GSSAPIAuthentication yes in /etc/ssh/sshd_config.

On a real kerberos server, you use the following commands in the kadmin tool to add the necessary principals for ssh to work properly:

    addprinc user                                        # Adds a valid user to the kerberos principal database
    addprinc -randkey host/server.mydomain.net           # Adds a host principal to the principal database
    ktadd -k /etc/krb5.keytab host/server.mydomain.net   # exports the principal host/server.mydomain.net to /etc/krb5.keytab

Restart sshd to be sure it picks up the updated /etc/krb5.keytab file.

On the client side, kinit user, then ssh -l user server. That's it.

Now I just have to see if I can get a host/server.mydomain.net principal into the samba domain somehow.

Note: once I get single-sign-on to work, then it should not be necessary to do a kinit first.

br,
Quinn

On Mon, Jul 16, 2012 at 2:34 PM, Quinn Plattel qie...@gmail.com wrote:
> [...]
> On Tue, Jul 10, 2012 at 4:07 PM, Quinn Plattel qie...@gmail.com wrote:
> > [...]

--
Best regards/Med venlig hilsen,
Quinn Plattel

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
Hi Quinn,

Maybe I can help with this:

> That's it. Now I just have to see if I can get a host/server.mydomain.net principal into the samba domain somehow.

I just tried to get rid of the GSSAPIStrictAcceptorCheck no option myself on the Samba 4 DC - while still using GSSAPI based ssh login. Doing this involves a very, very dirty hack:

1. Copy samba 4 secrets.keytab to /etc/krb5.keytab (this one contains upper case HOST/ principals).
2. Principal names are stored as strings in the keytab, so let's use sed to turn upper into lower case (yes I know, this is very, very dirty - but it's just a proof of what I suspected):

       sed -i s+HOST+host+g /etc/krb5.keytab

3. Remove the GSSAPIStrictAcceptorCheck no option from sshd_config and restart sshd.
4. Try to log in using ssh - works for me (and I hope for everyone else).

Somehow MS AD and therefore Samba 4 seem to treat principals case-insensitively, while standard kerberos implementations are case sensitive.

BTW: klist reports a host/... principal (lower case) after trying a GSSAPI ssh login - so this is the principal sent by ssh to the server, that looks for a match in krb5.keytab - and fails because by default we only have a HOST/... principal there.

I guess the easiest way would be to store principals in lower case only during a provision run of samba4. This may however cause other problems - I guess some samba core developer needs to have a look at this. But the only principal I ever encountered that needed to be upper case was the HTTP/ one ...

Hope this helps,
Marcel

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Quinn Plattel
Sent: Thursday, 19 July 2012 16:23
To: samba
Subject: Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]

> [...]
> On Mon, Jul 16, 2012 at 2:34 PM, Quinn Plattel qie...@gmail.com wrote:
> > [...]
> > On Tue, Jul 10, 2012 at 4:07 PM, Quinn Plattel qie...@gmail.com wrote:
> > > [...]
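Added example (editor's code, not from the thread, Samba or OpenSSH): a small parser for the version 0x0502 keytab format that performs the check Quinn's final recipe relies on, namely that /etc/krb5.keytab holds an exact, case-sensitive host/<hostname -f>@REALM entry, and that replaces Marcel's `sed s+HOST+host+g` with a structure-aware rewrite which lower-cases only the service component of each principal (the sed pass rewrites every "HOST" byte sequence in the file, including any that happen to occur inside a realm name or key bytes). The keytab bytes, principal names, realm and key values are constructed here; the on-disk layout follows the MIT keytab file description and is assumed, not read from Samba's code. It also flags single-DES and RC4 enctypes, since the des-cbc-* keys in Quinn's klist listing are refused by default by MIT krb5 1.8 and later unless allow_weak_crypto is enabled.

```python
import struct

# Keytab format version 0x0502 (MIT/Heimdal "FILE:" keytabs): big-endian fields, a 16-bit
# component count that excludes the realm, an optional trailing 32-bit kvno per entry.
# Layout assumed from the MIT keytab file description, not taken from Samba's code.
KEYTAB_MAGIC = b"\x05\x02"
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 23}  # single-DES family and RC4


def build_keytab(entries):
    """Serialise [{principal, enctype, key, kvno}, ...] into keytab bytes."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        parts = [realm.encode()] + [c.encode() for c in name.split("/")]
        body = struct.pack(">H", len(parts) - 1)  # component count excludes the realm
        body += b"".join(struct.pack(">H", len(p)) + p for p in parts)
        body += struct.pack(">IIB", 1, 0, e["kvno"] & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])  # 32-bit kvno; current writers always emit it
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return the live entries of a v2 keytab; negative-size slots are deleted entries."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []

    def take(fmt):
        nonlocal off
        vals = struct.unpack_from(fmt, data, off)
        off += struct.calcsize(fmt)
        return vals

    def counted():
        nonlocal off
        (n,) = take(">H")
        off += n
        return data[off - n:off].decode()

    while off + 4 <= len(data):
        (size,) = take(">i")
        if size <= 0:  # negative: hole left by ktremove, skip it; zero: nothing usable follows
            if size == 0:
                break
            off -= size
            continue
        end = off + size
        (ncomp,) = take(">H")
        realm = counted()
        comps = [counted() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = take(">IIB")
        enctype, klen = take(">HH")
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:  # optional 32-bit kvno overrides vno8 when nonzero
            kvno = take(">I")[0] or vno8
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": enctype, "kvno": kvno, "key": key})
    return entries


def check_sshd_keytab(entries, fqdn, realm):
    """sshd with GSSAPIStrictAcceptorCheck yes needs an exact, case-sensitive host/<fqdn>@REALM."""
    wanted = "host/%s@%s" % (fqdn, realm.upper())
    exact = [e for e in entries if e["principal"] == wanted]
    case_only = sorted({e["principal"] for e in entries
                        if e["principal"].lower() == wanted.lower() and e["principal"] != wanted})
    weak = sorted({ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"]))
                   for e in exact if e["enctype"] in WEAK_ENCTYPES})
    return {"wanted": wanted, "ok": bool(exact), "case_mismatch": case_only, "weak_enctypes": weak}


def lowercase_service(entries):
    """Structure-aware stand-in for `sed s+HOST+host+g`: lower-case only the service component."""
    fixed = []
    for e in entries:
        service, sep, rest = e["principal"].partition("/")
        fixed.append({**e, "principal": service.lower() + sep + rest if sep else e["principal"]})
    return fixed


# Constructed sample shaped like the secrets.keytab Marcel describes (upper-case HOST/
# entries); the key bytes are placeholders, not real key material.
SAMPLE_KEYTAB = build_keytab([
    {"principal": "HOST/cofil01.mydomain.net@MYDOMAIN.NET", "enctype": 23, "key": bytes(range(16)), "kvno": 1},
    {"principal": "HOST/COFIL01@MYDOMAIN.NET", "enctype": 23, "key": bytes(range(16)), "kvno": 1},
    {"principal": "ldap/cofil01.mydomain.net@MYDOMAIN.NET", "enctype": 18, "key": bytes(range(32)), "kvno": 1},
])

if __name__ == "__main__":
    import sys  # usage: keytab_check.py /etc/krb5.keytab "$(hostname -f)" MYDOMAIN.NET
    args = sys.argv[1:] or [None, "cofil01.mydomain.net", "MYDOMAIN.NET"]
    data = open(args[0], "rb").read() if args[0] else SAMPLE_KEYTAB
    print(check_sshd_keytab(parse_keytab(data), args[1], args[2]))
```

Run it as root on the sshd host with the real keytab, the output of hostname -f and the realm; "ok": False together with a non-empty "case_mismatch" is exactly the HOST/ versus host/ situation Marcel hit. Two caveats the thread's recipes skip: export only the host/ principals sshd needs (samba-tool domain exportkeytab ... --principal=host/<fqdn>, once per name on a multi-homed or clustered node) rather than copying or symlinking the DC's secrets.keytab, because with GSSAPIStrictAcceptorCheck no sshd will accept a ticket for any service key in that file as its own identity; and GSSAPIAuthentication yes on both sides is all ticket-based login needs, while KerberosAuthentication only controls whether sshd validates typed passwords against the KDC.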
Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
I think I take this back. This is more a workaround than a solution. The workaround makes sshd use any principal found in the database, but a proper kerberos setup would look for the client's hostname principal only. The search goes on for a proper samba4 kerberos setup. :-)

br,
Quinn

On Tue, Jul 10, 2012 at 4:07 PM, Quinn Plattel qie...@gmail.com wrote:
> [...]

--
Best regards/Med venlig hilsen,
Quinn Plattel
Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
If you configure PAM and kerberos properly, you do not need to do a kinit first. I get them automatically when I login. They automatically renew when I type my password into the GNOME screensaver.

Btw, I am also using Samba 3, not Samba4.

On 07/11/2012 03:07 AM, Quinn Plattel wrote:
> [...]
> On Wed, Jul 11, 2012 at 9:56 AM, Quinn Plattel qie...@gmail.com wrote:
> > [...]
> > On Wed, Jul 11, 2012 at 8:32 AM, Ritter, Marcel - RRZE marcel.rit...@rrze.fau.de wrote:
> > > [...]
> > > On Tue, 10 July 2012 16:08, Quinn Plattel wrote:
> > > > [...]
Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
Hi Quinn,

I just tried your solution (my machine is also multi-homed). However it doesn't work for me.

The man-page of sshd_config also states that the behavior of GSSAPIStrictAcceptorCheck may depend on the krb5 libraries used. Could you please have a look at the krb5 and openssh versions you're using (and perhaps the linux distribution/version)?

BTW: I'm running:

    Ubuntu 12.04 LTS
    openssh-server 5.9p1-5ubuntu1
    libkrb5-3 1.10+dfsg~beta1-2ubuntu0.1

auth.log mentions (during failed login):

    Unspecified GSS failure.  Minor code may provide more information:
    Wrong principal in request

Thanks,
Marcel

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Quinn Plattel
Sent: Tuesday, 10 July 2012 16:08
To: samba
Subject: Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]

> [...]
Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
Hi Marcel,

On the client machine (Ubuntu 12.04 LTS) I have (dpkg -l):

    ii  krb5-config         2.2                         Configuration files for Kerberos Version 5
    ii  krb5-locales        1.10+dfsg~beta1-2ubuntu0.1  Internationalization support for MIT Kerberos
    ii  krb5-user           1.10+dfsg~beta1-2ubuntu0.1  Basic programs to authenticate using MIT Kerberos
    ii  libgssapi-krb5-2    1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
    ii  libkrb5-26-heimdal  1.6~git20120311.dfsg.1-2    Heimdal Kerberos - libraries
    ii  libkrb5-3           1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries
    ii  libkrb5support0     1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries - Support library
    ii  libpam-krb5         4.5-3                       PAM module for MIT Kerberos
    ii  openssh-client      1:5.9p1-5ubuntu1            secure shell (SSH) client, for secure access to remote machines

On the server machine (Ubuntu 12.04 LTS) I have (dpkg -l):

    ii  krb5-config         2.2                         Configuration files for Kerberos Version 5
    ii  krb5-locales        1.10+dfsg~beta1-2ubuntu0.1  Internationalization support for MIT Kerberos
    ii  krb5-user           1.10+dfsg~beta1-2ubuntu0.1  Basic programs to authenticate using MIT Kerberos
    ii  libgssapi-krb5-2    1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
    ii  libkrb5-26-heimdal  1.6~git20120311.dfsg.1-2    Heimdal Kerberos - libraries
    ii  libkrb5-3           1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries
    ii  libkrb5support0     1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries - Support library
    ii  openssh-client      1:5.9p1-5ubuntu1            secure shell (SSH) client, for secure access to remote machines
    ii  openssh-server      1:5.9p1-5ubuntu1            secure shell (SSH) server, for secure access from remote machines

    samba Version 4.0.0beta3-GIT-UNKNOWN

Without GSSAPIStrictAcceptorCheck no you need an fqdn in the client's /etc/hosts file and have all the principals needed added to the server's keytab file, but this is not necessary if you use the parameter. With the parameter, the only thing you need to make sure of is that on the server /var/lib/samba/secrets.keytab is copied or linked to /etc/krb5.keytab (sshd looks for it). You can use the keytab file as it is without copying any extra principals into it. You can have a very simple /etc/hosts on the client such as:

    127.0.0.1    localhost
    127.0.1.1    ubuntu-test

This setup probably only works for ssh kerberos. nfsv4, pam logins, and other kerberos aware services may need strict checking. That is my next research project.

For ssh debugging, on the server I used -ddd for sshd and looked at both syslog and auth.log under /var/log. On the client, I used ssh -vvvl user server.

For kerberos samba4 debugging, start samba with the -d 5 parameter and then tail -f /var/log/samba/log.samba | grep Kerberos:

br,
Quinn

On Wed, Jul 11, 2012 at 8:32 AM, Ritter, Marcel - RRZE marcel.rit...@rrze.fau.de wrote:
> [...]
> On Tue, 10 July 2012 16:08, Quinn Plattel wrote:
> > [...]
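Added example (editor's code, not from the thread or OpenSSH): a triage helper for the debugging step Quinn describes above, run over sshd auth.log lines like the one Marcel posted, mapping the GSS minor-status text to a likely cause and the first thing to check. The log excerpt is constructed; "Wrong principal in request" is the string from Marcel's message, the other minor-code strings are standard MIT krb5 error messages added for contrast, and hostnames, PIDs and addresses are made up. It accepts both rsyslog's #012 escaping of the newline sshd places between the major and minor status and the two-line form in Marcel's paste.

```python
import re

GSS_MAJOR = "Unspecified GSS failure"
LOGLINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# GSS minor-status text -> (tag, likely cause and first check). Only "Wrong principal
# in request" appears in the thread; the others are standard MIT krb5 error strings.
CAUSES = [
    (re.compile(r"Wrong principal in request"), "acceptor-name-mismatch",
     "the client's ticket names a service principal other than host/$(hostname -f)@REALM, "
     "or that exact (case-sensitive) entry is missing from /etc/krb5.keytab; compare "
     "`hostname -f` with the name the client connected to and check `klist -ke /etc/krb5.keytab`"),
    (re.compile(r"No key table entry found"), "keytab-missing-entry",
     "sshd has no key at all for the requested principal; export it "
     "(`samba-tool domain exportkeytab ... --principal=host/<fqdn>` or `kadmin ktadd`) and restart sshd"),
    (re.compile(r"Key version number .* is incorrect"), "stale-kvno",
     "the keytab predates a key change on the KDC; re-export it and compare KVNO values"),
    (re.compile(r"Clock skew too great"), "clock-skew",
     "client and server clocks differ by more than the permitted skew; fix NTP on both ends"),
]


def classify(minor):
    for pattern, tag, advice in CAUSES:
        if pattern.search(minor):
            return tag, advice
    return "unclassified", "run `sshd -ddd` on the server and `ssh -vvv` on the client for the full exchange"


def _finding(where, minor):
    tag, advice = classify(minor)
    return {"ts": where[0], "pid": where[1], "minor": minor, "tag": tag, "advice": advice}


def triage_gss_failures(log_text):
    """One finding per GSS failure: {ts, pid, minor, tag, advice}."""
    findings, pending = [], None
    for record in log_text.splitlines():
        # rsyslog writes the newline sshd embeds between major and minor status as #012
        for line in record.replace("#012", "\n").split("\n"):
            m = LOGLINE.match(line)
            if m is None:
                if pending is not None:  # continuation line carrying the minor code
                    findings.append(_finding(pending, line.strip()))
                    pending = None
                continue
            pending = None
            if GSS_MAJOR in m["msg"]:
                pending = (m["ts"], m["pid"])
                tail = m["msg"].partition("more information")[2].strip(" :.")
                if tail:  # minor code already on the same line
                    findings.append(_finding(pending, tail))
                    pending = None
    return findings


# Constructed auth.log excerpt (hostnames, PIDs and addresses are made up).
SAMPLE_AUTH_LOG = """\
Jul 11 08:30:12 cofil01 sshd[4211]: Unspecified GSS failure.  Minor code may provide more information#012Wrong principal in request
Jul 11 08:31:05 cofil01 sshd[4219]: Unspecified GSS failure.  Minor code may provide more information
No key table entry found matching host/cofil01.mydomain.net@
Jul 11 08:32:40 cofil01 sshd[4223]: Unspecified GSS failure.  Minor code may provide more information#012Clock skew too great
Jul 11 08:33:01 cofil01 sshd[4230]: Accepted gssapi-with-mic for quinn from 10.0.0.5 port 51234 ssh2
"""

if __name__ == "__main__":
    import sys  # usage: gss_triage.py /var/log/auth.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    for f in triage_gss_failures(text):
        print("%s sshd[%s] %s: %s -> %s" % (f["ts"], f["pid"], f["tag"], f["minor"], f["advice"]))
```

On the client side the matching view is KRB5_TRACE=/dev/stderr ssh -vvv server (MIT krb5 1.9 and later), which prints the exact service principal the client asked the KDC for; as Marcel observed, klist afterwards shows the lower-case host/ ticket the client obtained, and that name is what must appear, byte for byte, in the server's keytab.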
Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
Btw, forgot to mention, when testing, make sure on the client you do a kinit user to get a valid ticket before doing your ssh login. You can check if you have a valid ticket with the klist command.

br,
Quinn

On Wed, Jul 11, 2012 at 9:56 AM, Quinn Plattel qie...@gmail.com wrote:
> [...]
> On Wed, Jul 11, 2012 at 8:32 AM, Ritter, Marcel - RRZE marcel.rit...@rrze.fau.de wrote:
> > [...]
> > On Tue, 10 July 2012 16:08, Quinn Plattel wrote:
> > > [...]
Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
Hi Quinn,

thanks for your hint: I still had an old out-of-date /etc/krb5.keytab from a former installation of samba4 :-( I simply copied secrets.keytab to /etc/krb5.keytab and everything worked as described.

I'd really be interested in your progress concerning NFS4 - I've tried to get this working some time ago - with mixed results in a real Active Directory environment, so maybe I can repay my debt ;-) However, doing secure NFS using a Samba4 DC would be pretty cool :-)

Bye,
Marcel

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Quinn Plattel
Sent: Wednesday, 11 July 2012 10:08
To: samba
Subject: Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]

> [...]
> On Wed, Jul 11, 2012 at 9:56 AM, Quinn Plattel qie...@gmail.com wrote:
> > [...]
> > On Wed, Jul 11, 2012 at 8:32 AM, Ritter, Marcel - RRZE marcel.rit...@rrze.fau.de wrote:
> > > [...]
Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]
Hi,

I solved my ssh GSSAPI problem. There were a lot of solutions on google referring to a proper fqdn in the /etc/hosts file and having the fqdn's/principals in the kerberos server's keytab file, but I found out that my problem was that the samba4/kerberos server was running on a multi-homed machine and that the ssh server kerberos authentication needed the following parameter in order for it to work on multi-homed machines:

    GSSAPIStrictAcceptorCheck no

The default is yes; using no will, according to the manpage, mean that "clients may authenticate against any service key stored in the machine's default store".

I hope this helps others that have similar setups as I do. Thank you all for your input.

br,
Quinn