SSO Linux --> AD using GSSAPI

Carter, Joel JoelC at trailerwizards.com
Fri Nov 26 14:59:14 EST 2010


Hey there.

Been spending a lot of my time recently upgrading our legacy app running
on RHEL3 to RHEL5. SSO was previously provided via Winbind, but things
seem to be moving away from that. Anyway, I'm almost there but have one
last stumbling block.

I have /etc/ldap.conf, /etc/krb5.conf, etc. configured and can log in
using an AD username to RHEL5 successfully. I also get a Kerberos ticket
(is that called a delegation?), which I can use further once I'm logged
in. This is using PuTTY:

login as: joelc
joelc@bilbo-rh5.local.ca's password:
Last login: Fri Nov 26 11:34:13 2010 from joelc.local.ca
[joelc@bilbo-rh5 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_20001_SwXGUD
Default principal: joelc@LOCAL.CA

Valid starting     Expires            Service principal
11/26/10 11:44:43  11/26/10 21:43:47  krbtgt/LOCAL.CA@LOCAL.CA
        renew until 11/26/10 21:44:43
11/26/10 11:43:47  11/26/10 21:43:47  ldap/hawaii.local.ca@LOCAL.CA
        renew until 11/26/10 21:44:43


Kerberos 4 ticket cache: /tmp/tkt20001
klist: You have no tickets cached

This is great. Now I can connect back out of RHEL5 to a share as follows
which also works:

smbclient -k //oahu/userdata -c "dir"

Now I'm going for the holy grail. I'd like to use GSSAPI in Quest PuTTY
(or another GSSAPI-enabled PuTTY build, if you have a suggestion) so that
the user's ticket in Windows is used to authenticate with RHEL5 and no
password entry is required. This works, but I don't have a ticket this
time.

Using username "joelc".
Using GSSAPI service principal name "host/bilbo-rh5.local.ca".
Last login: Fri Nov 26 11:50:55 2010 from joelc.local.ca
[joelc@bilbo-rh5 ~]$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_20001)

Kerberos 4 ticket cache: /tmp/tkt20001
klist: You have no tickets cached

Here's the debug information the sshd daemon dumped during that last
login:

Nov 26 11:53:19 bilbo-rh5 sshd[19329]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
Nov 26 11:53:19 bilbo-rh5 sshd[18149]: debug1: Forked child 19329.
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: debug1: inetd sockets after dupping: 3, 3
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: Connection from 192.168.1.153 port 51043
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: debug1: Client protocol version 2.0; client software version PuTTY_Release_0.60_q1.129
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: debug1: no match: PuTTY_Release_0.60_q1.129
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: debug1: Enabling compatibility mode for protocol 2.0
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: debug1: Local version string SSH-2.0-OpenSSH_4.3
Nov 26 11:53:19 bilbo-rh5 sshd[19330]: debug1: permanently_set_uid: 74/74
Nov 26 11:53:19 bilbo-rh5 sshd[19330]: debug1: list_hostkey_types: ssh-rsa,ssh-dss
Nov 26 11:53:19 bilbo-rh5 sshd[19330]: debug1: SSH2_MSG_KEXINIT sent
Nov 26 11:53:19 bilbo-rh5 sshd[19330]: debug1: SSH2_MSG_KEXINIT received
Nov 26 11:53:19 bilbo-rh5 sshd[19330]: debug1: kex: client->server aes256-ctr hmac-sha1 none
Nov 26 11:53:19 bilbo-rh5 sshd[19330]: debug1: kex: server->client aes256-ctr hmac-sha1 none
Nov 26 11:53:19 bilbo-rh5 sshd[19330]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
Nov 26 11:53:19 bilbo-rh5 sshd[19330]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
Nov 26 11:53:19 bilbo-rh5 sshd[19330]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
Nov 26 11:53:19 bilbo-rh5 sshd[19330]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
Nov 26 11:53:19 bilbo-rh5 sshd[19330]: debug1: SSH2_MSG_NEWKEYS sent
Nov 26 11:53:19 bilbo-rh5 sshd[19330]: debug1: expecting SSH2_MSG_NEWKEYS
Nov 26 11:53:19 bilbo-rh5 sshd[19330]: debug1: SSH2_MSG_NEWKEYS received
Nov 26 11:53:19 bilbo-rh5 sshd[19330]: debug1: KEX done
Nov 26 11:53:19 bilbo-rh5 sshd[19330]: debug1: userauth-request for user joelc service ssh-connection method none
Nov 26 11:53:19 bilbo-rh5 sshd[19330]: debug1: attempt 0 failures 0
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: debug1: PAM: initializing for "joelc"
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: debug1: PAM: setting PAM_RHOST to "joelc.local.ca"
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: debug1: PAM: setting PAM_TTY to "ssh"
Nov 26 11:53:19 bilbo-rh5 sshd[19330]: debug1: userauth-request for user joelc service ssh-connection method gssapi-with-mic
Nov 26 11:53:19 bilbo-rh5 sshd[19330]: debug1: attempt 1 failures 1
Nov 26 11:53:19 bilbo-rh5 sshd[19330]: Postponed gssapi-with-mic for joelc from 192.168.1.153 port 51043 ssh2
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: debug1: Got no client credentials
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: Authorized to joelc, krb5 principal joelc@LOCAL.CA (krb5_kuserok)
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: debug1: do_pam_account: called
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: Accepted gssapi-with-mic for joelc from 192.168.1.153 port 51043 ssh2
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: debug1: monitor_child_preauth: joelc has been authenticated by privileged process
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: debug1: temporarily_use_uid: 20001/600 (e=0/0)
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: debug1: No credentials stored
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: debug1: restore_uid: 0/0
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: debug1: PAM: establishing credentials
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: pam_unix(sshd:session): session opened for user joelc by (uid=0)
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: PAM: reinitializing credentials
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: permanently_set_uid: 20001/600
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: Entering interactive session for SSH2.
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: server_init_dispatch_20
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: server_input_channel_open: ctype session rchan 256 win 16384 max 16384
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: input_session_request
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: channel 0: new [server-session]
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: session_new: init
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: session_new: session 0
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: session_open: channel 0
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: session_open: session 0: link with channel 0
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: server_input_channel_open: confirm session
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: server_input_channel_req: channel 0 request x11-req reply 1
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: session_by_channel: session 0 channel 0
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: session_input_channel_req: session 0 req x11-req
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: channel 1: new [X11 inet listener]
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: channel 2: new [X11 inet listener]
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: server_input_channel_req: channel 0 request pty-req reply 1
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: session_by_channel: session 0 channel 0
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: session_input_channel_req: session 0 req pty-req
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: Allocating pty.
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: debug1: session_new: init
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: debug1: session_new: session 0
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: session_pty_req: session 0 alloc /dev/pts/1
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: server_input_channel_req: channel 0 request shell reply 1
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: session_by_channel: session 0 channel 0
Nov 26 11:53:19 bilbo-rh5 sshd[19331]: debug1: session_input_channel_req: session 0 req shell
Nov 26 11:53:19 bilbo-rh5 sshd[19332]: debug1: Setting controlling tty using TIOCSCTTY.

The "debug1: Got no client credentials" doesn't look good. Is this a
delegation or a ticket agent that I'm attempting? Any help would be
greatly appreciated!

Thanks! Joel.
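Editorial note, added after the post and not part of it. The two debug1 lines
"Got no client credentials" and "No credentials stored" mean that the GSSAPI
exchange authenticated joelc but carried no delegated (forwarded) TGT, so sshd
had nothing to write into a credential cache; that is why klist finds no cache
after the PuTTY GSSAPI login, while the password login above gets one from the
Kerberos password authentication on the host. Delegation has to be switched on
in the SSH client, and a Windows client authenticating through SSPI will
normally forward the TGT only if the KDC marked the service ticket
OK-AS-DELEGATE, which a Windows KDC does when the AD account holding
host/bilbo-rh5.local.ca is trusted for (unconstrained) delegation. That grant is
a security decision in its own right: once it works, the Linux host holds a
forwardable copy of every delegating user's TGT under /tmp, so keep sshd's
GSSAPICleanupCredentials at its default of yes and treat root on that host as
able to act as any of those users.

The script below is an added example (not from the post, OpenSSH or Quest) that
runs over sshd debug log lines and flags GSSAPI sessions that authenticated
without delivering delegated credentials. The sample lines are constructed: one
session mirrors the messages quoted above (pid 19329), and the sessions for
pids 20017 and 20102 with users alice and bob are invented. Because sshd logs
no positive message at debug1 when it does store delegated credentials, the
"gssapi-delegated" status is inferred from the absence of the two negative
markers and should be confirmed with klist inside the session.

```python
"""Triage an sshd debug log for GSSAPI logins that carried no delegated TGT.

Added example, not code from the original post.  SAMPLE_LOG is constructed:
the pid 19329 session reproduces the post's messages, the other two sessions
(pids, peers and users) are invented for illustration.
"""
import re
import sys
from dataclasses import dataclass, field

# The privileged (monitor) sshd process logs "Connection from", "Accepted ...",
# the krb5_kuserok decision and the credential-store step under one pid.
CONN_RE = re.compile(r"sshd\[(\d+)\]: Connection from (\S+) port (\d+)")
ACCEPT_RE = re.compile(r"sshd\[(\d+)\]: Accepted (\S+) for (\S+) from (\S+) port (\d+)")
PRINC_RE = re.compile(r"sshd\[(\d+)\]: Authorized to (\S+), krb5 principal (\S+) \(krb5_kuserok\)")
# Either debug1 message means the client sent no delegated (forwarded) TGT,
# so sshd creates no credential cache for the session.
NODELEG_RE = re.compile(r"sshd\[(\d+)\]: debug1: (Got no client credentials|No credentials stored)")


@dataclass
class Session:
    pid: int
    peer: str = ""
    user: str = ""
    method: str = ""
    principal: str = ""
    no_delegation: list = field(default_factory=list)

    @property
    def status(self) -> str:
        if self.method != "gssapi-with-mic":
            return "not-gssapi"
        if self.no_delegation:
            return "gssapi-no-delegation"
        # sshd emits no positive debug1 message when it stores delegated
        # credentials, so this is inferred from the absence of the markers
        # above; confirm with klist inside the session.
        return "gssapi-delegated"


def triage(lines):
    """Group log lines by sshd pid and classify each authenticated session."""
    sessions = {}
    for line in lines:
        m = CONN_RE.search(line)
        if m:
            pid = int(m.group(1))
            sessions.setdefault(pid, Session(pid)).peer = f"{m.group(2)}:{m.group(3)}"
            continue
        m = ACCEPT_RE.search(line)
        if m:
            pid = int(m.group(1))
            s = sessions.setdefault(pid, Session(pid))
            s.method, s.user = m.group(2), m.group(3)
            s.peer = s.peer or f"{m.group(4)}:{m.group(5)}"
            continue
        m = PRINC_RE.search(line)
        if m:
            pid = int(m.group(1))
            sessions.setdefault(pid, Session(pid)).principal = m.group(3)
            continue
        m = NODELEG_RE.search(line)
        if m:
            pid = int(m.group(1))
            sessions.setdefault(pid, Session(pid)).no_delegation.append(m.group(2))
    # Only sessions that actually authenticated are worth reporting.
    return {pid: s for pid, s in sessions.items() if s.method}


def report(lines):
    """One line per authenticated session, suitable for grep or alerting."""
    return [
        f"pid={s.pid} peer={s.peer} user={s.user} principal={s.principal or '-'} "
        f"method={s.method} status={s.status}"
        for s in sorted(triage(lines).values(), key=lambda s: s.pid)
    ]


# Constructed sample: pid 19329 follows the post, the rest is invented.
SAMPLE_LOG = """\
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: Connection from 192.168.1.153 port 51043
Nov 26 11:53:19 bilbo-rh5 sshd[19330]: debug1: userauth-request for user joelc service ssh-connection method gssapi-with-mic
Nov 26 11:53:19 bilbo-rh5 sshd[19330]: Postponed gssapi-with-mic for joelc from 192.168.1.153 port 51043 ssh2
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: debug1: Got no client credentials
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: Authorized to joelc, krb5 principal joelc@LOCAL.CA (krb5_kuserok)
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: Accepted gssapi-with-mic for joelc from 192.168.1.153 port 51043 ssh2
Nov 26 11:53:19 bilbo-rh5 sshd[19329]: debug1: No credentials stored
Nov 26 12:02:07 bilbo-rh5 sshd[20017]: Connection from 192.168.1.160 port 52210
Nov 26 12:02:07 bilbo-rh5 sshd[20017]: Authorized to alice, krb5 principal alice@LOCAL.CA (krb5_kuserok)
Nov 26 12:02:07 bilbo-rh5 sshd[20017]: Accepted gssapi-with-mic for alice from 192.168.1.160 port 52210 ssh2
Nov 26 12:05:41 bilbo-rh5 sshd[20102]: Connection from 192.168.1.77 port 50012
Nov 26 12:05:41 bilbo-rh5 sshd[20102]: Accepted password for bob from 192.168.1.77 port 50012 ssh2
""".splitlines()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG
    for entry in report(lines):
        print(entry)
```

Run it with no arguments to see the sample classified, or point it at the
host's sshd log (on RHEL, /var/log/secure) after setting LogLevel DEBUG in
sshd_config so the debug1 markers are written; a "gssapi-no-delegation" result
for a client that is supposed to delegate points at the client-side delegation
setting or the OK-AS-DELEGATE state of the host's AD account rather than at
sshd.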
