Active Directory LDAP SSH
Richard E. Silverman
res at qoxp.net
Wed Sep 5 07:58:23 EDT 2007
>>>>> "RS" == Roman Schoenbichler <Roman.Schoenbichler at gmail.com> writes:
RS> On 4 Sep., 20:26, "Christopher D. Clausen" <cclau... at acm.org>
RS> wrote:
>> Michael B Allen <iop... at gmail.com> wrote:
>>
>> > On 9/4/07, Roman S <kleinerroe... at hotmail.com> wrote:
>> >> I've configured a Microsoft Active Directory with LDAP and
>> >> Kerberos, and some Linux (Redhat) clients who authenticate to
>> >> it. I'm able to get some tickets for the users who are in the
>> >> Active Directory, but SSH behaves a bit strange.
>> >>
>> >> I can always ssh to the same machine again.
>> >> Like
>> >> #foo: ssh foo
>> >>
>> >> but I can't ssh to any other computers. I always get a
>> >> Permission denied.
>> >> I've only enabled gssapi authentication, all others are disabled.
>> >> Debug output of ssh didn't get me any further.
>>
>> > Hi Roman,
>>
>> > Did you create the host principal and keytab for the target
>> server?
>>
>> I suspect yes or the inital credential forwarding would not work
>> either.
>>
>> > Also, you'll need a .k5login file in the home directory of the
>> target:
>>
>> > $ cat ~/.k5login
>> > al... at EXAMPLE.COM
>>
>> You do not NEED a .k5login file. It may be useful in certain
>> environments, but it is not required.
>>
>> > Google for info about the above and you should find a tutorial I
>> > would think.
>>
>> You probably need to:
>> 1) ensure that forwardable tickets are being obtained (I suspect this
>>    is already the case)
>> 2) set GSSAPIDelegateCredentials yes for ssh and/or sshd
>>
>> <<CDC
RS> First of all thanks for your ideas!
RS> So to go to all questions and suggestions: Yes I've got the
RS> principals and keytab files. They were created in the active
RS> directory, and then shared to the linux clients over some samba
RS> stuff. I don't have the .k5login files, because the users from
RS> LDAP don't have homedirectories (because the working
RS> usermanagement is running over NIS, LDAP is just a test setup).
RS> The Tickets are forwardable, although I think this isn't important
RS> if I'm just logging in from one machine to another.
RS> GSSAPIDelegateCredentials is activated.
RS> The strange thing I don't understand is, that I get a valid
RS> hostticket for the remote computer, even though I get a permission
RS> denied. The debug output from the ssh server tells me:
RS> debug1: Unspecified GSS failure. Minor code may provide more information
RS> Wrong principal in request
This usually means that the server's own idea of its FQDN does not match
the ticket. There may be a misconfiguration of the DNS or the /etc/hosts
file on the server.
RS> debug1: Got no client credentials
RS> I've been searching for some hints on that for quite a while, and
RS> I found two possible failures:
RS> 1. this is an ssh related bug
RS> 2. I've got bad keytab files
RS> Hope you can help me out with that!
RS> Greets Roman
--
Richard Silverman
res at qoxp.net
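The "Wrong principal in request" diagnosis above comes down to one comparison: the name the sshd host resolves for itself versus the host/ principals actually present in its keytab. The script below is an added example, not code from the thread or from the Kerberos project; it takes the FQDN and the text output of `klist -k` as inputs so the logic can be exercised offline on a constructed keytab listing, and `check_live` wires it to the real `hostname -f` and `klist -k` on a server. The realm name EXAMPLE.COM and the host names in the sample are constructed.

```shell
#!/bin/sh
# Added diagnostic example (not part of the original thread).
# Compares the server's own FQDN against the host/ principals in its keytab,
# which is the usual cause of "Wrong principal in request" on the sshd side.

# expected_host_principal FQDN REALM -> prints the principal sshd will look
# for in the keytab when a client presents a ticket for host/FQDN.
expected_host_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# keytab_has_principal PRINCIPAL KEYTAB_LISTING
# KEYTAB_LISTING is the text output of `klist -k` ("KVNO Principal" lines).
# Exit status 0 if PRINCIPAL appears as the second column of any line.
keytab_has_principal() {
    printf '%s\n' "$2" | awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# diagnose_host_principal FQDN REALM KEYTAB_LISTING
# Prints "ok" and returns 0 when host/FQDN@REALM is in the keytab.
# Otherwise prints "mismatch", lists the host/ principals that ARE present
# (so the DNS or /etc/hosts discrepancy is visible at a glance), returns 1.
diagnose_host_principal() {
    want=$(expected_host_principal "$1" "$2")
    if keytab_has_principal "$want" "$3"; then
        echo ok
        return 0
    fi
    echo "mismatch: expected $want, keytab has:"
    printf '%s\n' "$3" | awk '$2 ~ /^host\// { print "  " $2 }'
    return 1
}

# check_live REALM
# On a real server: use the canonical name the host resolves for itself
# (`hostname -f`) and the system keytab (`klist -k`). Run as root so the
# default keytab /etc/krb5.keytab is readable.
check_live() {
    diagnose_host_principal "$(hostname -f)" "$1" "$(klist -k 2>/dev/null)"
}

# Constructed sample `klist -k` output for demonstration; the keytab was
# generated for bar.example.com, as an AD-issued keytab for that host would be.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   2 host/bar.example.com@EXAMPLE.COM
   2 host/BAR@EXAMPLE.COM'

# Healthy case: resolver and keytab agree.
diagnose_host_principal bar.example.com EXAMPLE.COM "$SAMPLE_KEYTAB"

# Failure case: /etc/hosts or DNS makes the server believe it is
# bar.localdomain, so the ticket's principal is not in the keytab.
diagnose_host_principal bar.localdomain EXAMPLE.COM "$SAMPLE_KEYTAB" || true
```

On a live server, `check_live EXAMPLE.COM` (with the real realm) does the same comparison against `hostname -f` and `klist -k`; when it reports a mismatch, the fix is on the resolver side (DNS forward and reverse records, or the /etc/hosts entry) rather than in sshd, so that the name the host reports matches the name the keytab was issued for.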