Active Directory LDAP SSH

Christopher D. Clausen cclausen at acm.org
Tue Sep 4 14:26:25 EDT 2007


Michael B Allen <ioplex at gmail.com> wrote:
> On 9/4/07, Roman S <kleinerroemer at hotmail.com> wrote:
>> I've configured a Microsoft Active Directory with LDAP and Kerberos,
>> and some Linux (Redhat) clients who authenticate to it.
>> I'm able to get some tickets for the users who are in the Active
>> Directory, but SSH behaves a bit strange.
>>
>> I can always ssh to the same machine again.
>> Like
>> #foo: ssh foo
>>
>> but I can't ssh to any other computers. I always get a Permission
>> denied.
>> I've only enabled gssapi authentication, all others are disabled.
>> Debug output of ssh didn't get me any further.
>
> Hi Roman,
>
> Did you create the host principal and keytab for the target server?

I suspect yes or the initial credential forwarding would not work either.

> Also, you'll need a .k5login file in the home directory of the target:
>
>  $ cat ~/.k5login
>  alice at EXAMPLE.COM

You do not NEED a .k5login file.  It may be useful in certain 
environments, but it is not required.

> Google for info about the above and you should find a tutorial I
> would think.

You probably need to:
1) ensure that forwardable tickets are being obtained (I suspect this is already the case)
2) set GSSAPIDelegateCredentials yes for ssh and/or sshd

<<CDC 
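The two checks Christopher lists (a forwardable TGT on the client, and GSSAPIDelegateCredentials enabled) as an added example, not part of the original thread. The `klist -f` output and the ssh_config text are constructed samples; in practice pipe in the real output of `klist -f` and the contents of ~/.ssh/config or /etc/ssh/ssh_config.

```shell
#!/bin/sh
# Added example (not from the mailing list): verify the prerequisites for
# Kerberos credential delegation over ssh. A missing "F" flag on the TGT or a
# missing GSSAPIDelegateCredentials means the remote host gets no ticket to
# use for the next hop, which shows up as "Permission denied" on hop two.

# Constructed sample of `klist -f` output; the F in the Flags line marks the
# TGT as forwardable (needs forwardable = true in krb5.conf or kinit -f).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: roman@EXAMPLE.COM

Valid starting       Expires              Service principal
09/04/07 14:00:00  09/05/07 00:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Flags: FIA
09/04/07 14:01:00  09/05/07 00:00:00  host/foo.example.com@EXAMPLE.COM
	Flags: A'

# Constructed client ssh_config fragment enabling GSSAPI auth and delegation.
SAMPLE_SSH_CONFIG='Host *.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes'

# tgt_forwardable KLIST_TEXT -> prints "yes" or "no"
# Finds the krbtgt entry and tests the Flags line that follows it for F.
tgt_forwardable() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// { in_tgt = 1; next }
        in_tgt && /Flags:/ { done = 1; if (index($2, "F") > 0) print "yes"; else print "no"; exit }
        { in_tgt = 0 }
        END { if (!done) print "no" }
    '
}

# delegation_enabled CONFIG_TEXT -> prints "yes" or "no"
# Option names are case-insensitive; comment lines are skipped. Simplification:
# only the "Option value" form is handled, not "Option=value".
delegation_enabled() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        tolower($1) == "gssapidelegatecredentials" { ans = (tolower($2) == "yes") ? "yes" : "no"; exit }
        END { if (ans == "") ans = "no"; print ans }
    '
}

# check_delegation KLIST_TEXT CONFIG_TEXT -> prints "ok" or what is missing
check_delegation() {
    fwd=$(tgt_forwardable "$1"); del=$(delegation_enabled "$2")
    [ "$fwd" = "yes" ] && [ "$del" = "yes" ] && { echo "ok"; return 0; }
    [ "$fwd" = "yes" ] || echo "TGT is not forwardable (kinit -f / forwardable = true)"
    [ "$del" = "yes" ] || echo "GSSAPIDelegateCredentials is not set to yes"
}

check_delegation "$SAMPLE_KLIST" "$SAMPLE_SSH_CONFIG"
```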