Active Directory LDAP SSH

Richard E. Silverman res at qoxp.net
Wed Sep 5 07:58:23 EDT 2007


>>>>> "RS" == Roman Schoenbichler <Roman.Schoenbichler at gmail.com> writes:

    RS> On 4 Sep., 20:26, "Christopher D. Clausen" <cclau... at acm.org>
    RS> wrote:
    >> Michael B Allen <iop... at gmail.com> wrote:
    >> 
    >> > On 9/4/07, Roman S <kleinerroe... at hotmail.com> wrote:
    >> >> I've configured a Microsoft Active Directory with LDAP and
    >> >> Kerberos, and some Linux (Redhat) clients who authenticate to
    >> >> it.  I'm able to get some tickets for the users who are in the
    >> >> Active Directory, but SSH behaves a bit strange.
    >> 
    >> >> I can always ssh to the same machine again.  Like
    >> >> #foo: ssh foo
    >> 
    >> >> but I can't ssh to any other computers. I always get a
    >> >> Permission denied.  I've only enabled gssapi authentication,
    >> >> all others are disabled.  Debug output of ssh didn't get me any
    >> >> further.
    >> 
    >> > Hi Roman,
    >> 
    >> > Did you create the host principal and keytab for the target
    >> server?
    >> 
    >> I suspect yes or the inital credential forwarding would not work
    >> either.
    >> 
    >> > Also, you'll need a .k5login file in the home directory of the
    >> target:
    >> 
    >> > $ cat ~/.k5login
    >> > al... at EXAMPLE.COM
    >> 
    >> You do not NEED a .k5login file.  It may be useful in certain
    >> environments, but it is not required.
    >> 
    >> > Google for info about the above and you should find a tutorial I
    >> > would think.
    >> 
    >> You probably need to:
    >> 1) ensure that forwardable tickets are being obtained (I suspect
    >>    this is already the case)
    >> 2) set GSSAPIDelegateCredentials yes for ssh and/or sshd
    >> 
    >> <<CDC

    RS> First of all thanks for your ideas!

    RS> So to go to all questions and suggestions: Yes, I've got the
    RS> principals and keytab files. They were created in the Active
    RS> Directory, and then shared to the Linux clients over some Samba
    RS> stuff.  I don't have the .k5login files, because the users from
    RS> LDAP don't have home directories (because the working
    RS> user management is running over NIS; LDAP is just a test setup).
    RS> The Tickets are forwardable, although I think this isn't important
    RS> if I'm just logging in from one machine to another.
    RS> GSSAPIDelegateCredentials is activated.

    RS> The strange thing I don't understand is that I get a valid
    RS> host ticket for the remote computer, even though I get a permission
    RS> denied.  The debug output from the ssh server tells me:
    RS> debug1: Unspecified GSS failure.  Minor code may provide more information
    RS> Wrong principal in request

This usually means that the server's own idea of its FQDN does not match
the ticket.  There may be a misconfiguration of the DNS or /etc/hosts file
on the server.

    RS> debug1: Got no client credentials

    RS> I've been searching for some hints on that for quite a while, and
    RS> I found two possible failures:
    RS> 1. this is an ssh-related bug
    RS> 2. I've got bad keytab files

    RS> Hope you can help me out with that!

    RS> Greets Roman


-- 
  Richard Silverman
  res at qoxp.net
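The check Richard's reply points at, as an added example that is not code from this thread or from any of its participants: "Wrong principal in request" is the text MIT krb5 prints for KRB5KRB_AP_ERR_NOT_US, i.e. the ticket the client presented names a service principal that the server cannot find in its keytab, and the usual cause is that the name the server resolves for itself is not the name the client asked the KDC for.  The script below resolves a short hostname through an /etc/hosts-style table the way the resolver does (first name after the address is canonical), builds the host/FQDN@REALM principal a GSSAPI client would request, and looks for it in `klist -k` output.  The hosts entries, keytab listings and the realm EXAMPLE.COM are constructed samples; with `--live REALM` it uses the real `hostname -f` and `klist -k` instead.

```shell
#!/bin/sh
# Added diagnostic for the "Wrong principal in request" failure discussed
# above; not code from the mailing-list thread.  Inputs are passed as text so
# the logic runs without a KDC; "--live REALM" checks the host it runs on.

# canonical_name_from_hosts NAME HOSTS_TEXT
# Prints the canonical name (first name after the address) of the first
# non-comment line in HOSTS_TEXT that lists NAME, mimicking the resolver.
canonical_name_from_hosts() {
    printf '%s\n' "$2" | awk -v n="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { print $2; exit } }'
}

# expected_host_principal FQDN REALM
# The service principal a GSSAPI client asks the KDC for when it connects
# to FQDN; MIT krb5 lowercases the host part when building it.
expected_host_principal() {
    printf 'host/%s@%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" "$2"
}

# keytab_has_principal PRINCIPAL KLIST_OUTPUT
# KLIST_OUTPUT is the text printed by `klist -k` (columns: KVNO Principal).
keytab_has_principal() {
    printf '%s\n' "$2" | awk -v p="$1" '$2 == p { found = 1 } END { exit (found ? 0 : 1) }'
}

# check_host_keytab FQDN REALM KLIST_OUTPUT
# Exit status: 0 ok, 1 keytab lacks the principal, 2 name not fully qualified.
check_host_keytab() {
    fqdn=$1; realm=$2; listing=$3
    case $fqdn in
        *.*) ;;
        *)  echo "FAIL: server name '${fqdn:-nothing}' is not fully qualified;" \
                 "list the FQDN first on its /etc/hosts line or fix DNS" >&2
            return 2 ;;
    esac
    want=$(expected_host_principal "$fqdn" "$realm")
    if keytab_has_principal "$want" "$listing"; then
        echo "OK: keytab contains $want"
        return 0
    fi
    echo "FAIL: keytab lacks $want (sshd would log 'Wrong principal in request')" >&2
    printf '%s\n' "$listing" | awk '$2 ~ /^host\// { print "  keytab has: " $2 }' >&2
    return 1
}

# diagnose SHORTNAME REALM HOSTS_TEXT KLIST_OUTPUT: resolve, then check.
diagnose() {
    fqdn=$(canonical_name_from_hosts "$1" "$3")
    check_host_keytab "${fqdn:-$1}" "$2" "$4"
}

# Constructed samples (not captured from any real host).
# A hosts file with the short name listed first canonicalizes "foo" to "foo".
BAD_HOSTS='127.0.0.1   localhost
127.0.1.1   foo foo.example.com'
GOOD_HOSTS='127.0.0.1   localhost
10.0.0.5    foo.example.com foo'
KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 host/foo.example.com@EXAMPLE.COM'
SHORT_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 host/foo@EXAMPLE.COM'

if [ "${1-}" = "--live" ]; then
    check_host_keytab "$(hostname -f)" "${2:?usage: $0 --live REALM}" "$(klist -k)"
else
    echo "(no --live flag: running against the constructed samples)"
    diagnose foo EXAMPLE.COM "$BAD_HOSTS"  "$KEYTAB"       || true   # short name wins: exit 2
    diagnose foo EXAMPLE.COM "$GOOD_HOSTS" "$SHORT_KEYTAB" || true   # keytab for short name: exit 1
    diagnose foo EXAMPLE.COM "$GOOD_HOSTS" "$KEYTAB"                  # everything lines up: exit 0
fi
```

On the server itself the same three questions are answered by `hostname -f`, `klist -k /etc/krb5.keytab`, and a look at the /etc/hosts line for the machine; on the client, `ssh -v` shows which host the GSSAPI exchange targets, and modern MIT krb5 builds will print the exact service principal requested if `KRB5_TRACE=/dev/stderr` is set in the environment.  A keytab copied from AD for the short name, or a 127.0.1.1 line that lists the short name before the FQDN, both produce exactly the "valid host ticket, but permission denied" symptom described above.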



