Active Directory LDAP SSH

Roman.Schoenbichler@gmail.com
Wed Sep 5 02:45:13 EDT 2007


On 4 Sep., 20:26, "Christopher D. Clausen" <cclau... at acm.org> wrote:
> Michael B Allen <iop... at gmail.com> wrote:
>
> > On 9/4/07, Roman S <kleinerroe... at hotmail.com> wrote:
> >> I've configured a Microsoft Active Directory with LDAP and Kerberos,
> >> and some Linux (Redhat) clients who authenticate to it.
> >> I'm able to get some tickets for the users who are in the Active
> >> Directory, but SSH behaves a bit strange.
>
> >> I can always ssh to the same machine again.
> >> Like
> >> #foo: ssh foo
>
> >> but I can't ssh to any other computers. I always get a Permission
> >> denied.
> >> I've only enabled gssapi authentication, all others are disabled.
> >> Debug output of ssh didn't get me any further.
>
> > Hi Roman,
>
> > Did you create the host principal and keytab for the target server?
>
> I suspect yes or the initial credential forwarding would not work either.
>
> > Also, you'll need a .k5login file in the home directory of the target:
>
> >  $ cat ~/.k5login
> >  al... at EXAMPLE.COM
>
> You do not NEED a .k5login file.  It may be useful in certain
> environments, but it is not required.
>
> > Google for info about the above and you should find a tutorial I
> > would think.
>
> You probably need to:
> 1) ensure that forwardable tickets are being obtained (I suspect this is
> already the case)
> 2) set GSSAPIDelegateCredentials yes for ssh and/or sshd
>
> <<CDC

First of all thanks for your ideas!

So, to go through all the questions and suggestions:
Yes, I've got the principals and keytab files. They were created in the
Active Directory and then shared to the Linux clients over some Samba
stuff.
I don't have the .k5login files, because the users from LDAP don't
have home directories (because the working user management is running
over NIS; LDAP is just a test setup).
The tickets are forwardable, although I think this isn't important if
I'm just logging in from one machine to another.
GSSAPIDelegateCredentials is activated.

The strange thing I don't understand is that I get a valid host ticket
for the remote computer, even though I get a permission denied.
The debug output from the ssh server tells me:
debug1: Unspecified GSS failure.  Minor code may provide more
information
Wrong principal in request

debug1: Got no client credentials

I've been searching for some hints on that for quite a while, and I
found two possible failures:
1. this is an ssh-related bug
2. I've got bad keytab files

Hope you can help me out with that!

Greets Roman
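The "Wrong principal in request" minor code is what the krb5 library reports when the keytab sshd reads holds no key matching the service principal named in the client's ticket, and a name mismatch (short vs. fully qualified host name, or `HOST/` vs. `host/`, since MIT principal names are case-sensitive) is a common cause. As an added example that is not part of the thread, the POSIX sh check below parses `klist -k` output (MIT format) and reports whether the exact `host/<fqdn>@REALM` principal an ssh client will request is present; the keytab listing, `foo.example.com` and `EXAMPLE.COM` are constructed sample values.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): compare the principal an ssh client
# will request against the principals actually stored in the server keytab.

# Constructed sample of `klist -k /etc/krb5.keytab` output on the target host.
# Note the short, upper-case HOST/foo entry: it does not match what the
# client requests for foo.example.com.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HOST/foo@EXAMPLE.COM
   3 host/bar.example.com@EXAMPLE.COM'

# expected_host_principal FQDN REALM -> the principal ssh asks the KDC for.
expected_host_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# keytab_principals LISTING -> one principal per line; data rows are the
# lines whose first field is a numeric KVNO, so headers are skipped.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# keytab_has_principal LISTING PRINCIPAL -> exit 0 only on an exact,
# case-sensitive match (what the krb5 library requires).
keytab_has_principal() {
    keytab_principals "$1" | grep -qx -- "$2"
}

# check_host_keytab LISTING FQDN REALM -> prints OK or the near misses
# (same host under another name form or case) and exits 1 on mismatch.
check_host_keytab() {
    want=$(expected_host_principal "$2" "$3")
    if keytab_has_principal "$1" "$want"; then
        printf 'OK: %s present\n' "$want"
        return 0
    fi
    short=${2%%.*}
    keytab_principals "$1" | grep -Ei -- "^host/($short|$2)@" |
    while read -r p; do
        printf 'MISMATCH: keytab has %s, client will request %s\n' "$p" "$want"
    done
    return 1
}
```

Run it against real output with `check_host_keytab "$(klist -k /etc/krb5.keytab)" "$(hostname -f)" EXAMPLE.COM` on the server that rejects the login.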