Active Directory LDAP SSH

Edward Irvine eirvine at tpg.com.au
Wed Sep 5 04:50:25 EDT 2007


Roman - the following may help.

On 05/09/2007, at 4:45 PM, Roman.Schoenbichler at gmail.com wrote:

> On 4 Sep., 20:26, "Christopher D. Clausen" <cclau... at acm.org> wrote:
>> Michael B Allen <iop... at gmail.com> wrote:
>>
>>> On 9/4/07, Roman S <kleinerroe... at hotmail.com> wrote:
>>>> I've configured a Microsoft Active Directory with LDAP and Kerberos,
>>>> and some Linux (Redhat) clients who authenticate to it.
>>>> I'm able to get some tickets for the users who are in the Active
>>>> Directory, but SSH behaves a bit strange.
>>
>>>> I can always ssh to the same machine again.
>>>> Like
>>>> #foo: ssh foo
>>
>>>> but I can't ssh to any other computers. I always get a Permission
>>>> denied.
>>>> I've only enabled gssapi authentication, all others are disabled.
>>>> Debug output of ssh didn't get me any further.
>>
>>> Hi Roman,
>>
>>> Did you create the host principal and keytab for the target server?
>>
>> I suspect yes or the initial credential forwarding would not work either.
>>
>>> Also, you'll need a .k5login file in the home directory of the target:
>>
>>>  $ cat ~/.k5login
>>>  al... at EXAMPLE.COM
>>
>> You do not NEED a .k5login file.  It may be useful in certain
>> environments, but it is not required.
>>
>>> Google for info about the above and you should find a tutorial I
>>> would think.
>>
>> You probably need to:
>> 1) ensure that forwardable tickets are being obtained (I suspect this is
>> already the case)
>> 2) set GSSAPIDelegateCredentials yes for ssh and/or sshd
>>
>> <<CDC
>
> First of all thanks for your ideas!
>
> So to go through all questions and suggestions:
> Yes I've got the principals and keytab files. They were created in the
> active directory, and then shared to the linux clients over some samba
> stuff.
> I don't have the .k5login files, because the users from LDAP don't
> have home directories (because the working user management is running
> over NIS, LDAP is just a test setup).
> The Tickets are forwardable, although I think this isn't important if
> I'm just logging in from one machine to another.
> GSSAPIDelegateCredentials is activated.
>
> The strange thing I don't understand is that I get a valid host ticket
> for the remote computer, even though I get a permission denied.
> The debug output from the ssh server tells me:
> debug1: Unspecified GSS failure.  Minor code may provide more
> information
> Wrong principal in request
>
> debug1: Got no client credentials
>
> I've been searching for some hints on that for quite a while, and I
> found two possible failures:
> 1. this is an ssh related bug
> 2. I've got bad keytab files
>
> Hope you can help me out with that!
>
> Greets Roman
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
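An added diagnostic, not from the thread or any of its posters, for Roman's second hypothesis (bad keytab files): it parses `klist -k` output and checks whether the keytab on the target holds exactly the `host/<fqdn>@REALM` principal an SSH client will request, distinguishing the ways it can be wrong. It assumes MIT-style `klist -k` output; the sample listing and host names are constructed.

```python
import re

# Constructed sample of `klist -k` output (MIT Kerberos layout) for a host
# whose keytab carries a short, upper-cased service name rather than the
# host/<fqdn> principal the SSH client will ask the KDC for.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HOST/bar@EXAMPLE.COM
   3 bar$@EXAMPLE.COM
"""

# One keytab entry per line: a numeric KVNO followed by the principal name.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)$")


def parse_keytab_listing(text):
    """Return a list of (kvno, principal) tuples from `klist -k` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def check_host_principal(listing, fqdn, realm):
    """Classify whether the keytab can serve host/<fqdn>@<realm>.

    sshd's GSSAPI acceptor needs a key for exactly the principal the client
    requested, and MIT's keytab lookup is case-sensitive, so anything other
    than an exact match leaves the client with "Permission denied".
    """
    wanted = f"host/{fqdn}@{realm}"
    principals = [p for _, p in listing]
    if wanted in principals:
        return "ok"
    lowered = {p.lower() for p in principals}
    if wanted.lower() in lowered:
        return "case-mismatch"    # e.g. HOST/... where host/... is required
    short = f"host/{fqdn.split('.')[0]}@{realm}".lower()
    if short in lowered:
        return "short-name-only"  # keytab has host/bar, client asks host/bar.example.com
    return "missing"
```

Run it against the real keytab with `klist -k` piped into `parse_keytab_listing` and the FQDN the client actually connects to; a result other than `ok` means the keytab, not sshd, needs fixing.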