LinuxQuestions.org
Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
Old 08-03-2010, 02:59 AM   #1
Felipe
Member
 
Registered: Oct 2006
Posts: 289

Rep: Reputation: 31
ssh and kerberos in RHEL


Hello:

I have my RHEL4u4 integrated with Active Directory.

I can log on to the computer with a username/password from AD.

But if I try to use ssh, it doesn't work.

When I try to connect to the same computer using Kerberos I receive these messages:

ssh -vv server.domain.com
....
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
...

and it tries to use publickey and finally user/pass.

What do I have to do to use ssh with Kerberos? I use Samba to join the computer to AD. I tried it on Ubuntu 8.04 with likewise-open and it works, but not with RH-Samba.
Any help?

Thanks
 
Old 08-03-2010, 11:01 PM   #2
lartman
LQ Newbie
 
Registered: Jan 2004
Location: Sydney, Australia
Distribution: RHEL
Posts: 22

Rep: Reputation: 17
What is the rest of the ssh -vv output?
 
Old 08-04-2010, 06:27 AM   #3
Felipe
Member
 
Registered: Oct 2006
Posts: 289

Original Poster
Rep: Reputation: 31
Hello:

Connecting from Ubuntu to Ubuntu WORKS.
Connecting from RH to Ubuntu DOESN'T work.
Connecting from Ubuntu to RH DOESN'T work.
Connecting from RH to RH DOESN'T work.


Connecting to RH Samba shares works fine. Starting a session with user/pass from AD works fine.

The problem is I can't start a session using Kerberos.

If I connect from RH to Ubuntu, these messages are displayed:
..
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user1/.ssh/identity
...
And I'm asked for the AD password. If I type it, I start the session. But no Kerberos connection has been possible.

I connect from Ubuntu to RH:
...
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/user1/.ssh/identity ((nil))
debug2: key: /home/user1/.ssh/id_rsa (0xb77dadf0)
debug2: key: /home/user1/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-with-mic,password,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure. Minor code may provide more information


debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user1/.ssh/identity
debug3: no such identity: /home/user1/.ssh/identity
debug1: Offering public key: /home/user1/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Trying private key: /home/user1/.ssh/id_dsa
debug3: no such identity: /home/user1/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:

What I'm interested in is connecting to RH using Kerberos.

Any idea?

Thanks
 
Old 08-04-2010, 11:37 AM   #4
lartman
LQ Newbie
 
Registered: Jan 2004
Location: Sydney, Australia
Distribution: RHEL
Posts: 22

Rep: Reputation: 17
Quote:
Originally Posted by Felipe:
debug3: remaining preferred: gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
This is the problem.

Does the host you are trying to connect to have a keytab (/etc/krb5.keytab)?
Is there a Kerberos principal for the host?

Create them on the Red Hat box. As root:
Quote:
net ads keytab create -U Administrator
net ads keytab add host/hostname.my.fqdn@AD.DOMAIN

Last edited by lartman; 08-04-2010 at 11:41 AM. Reason: clarify which linux box to create the keytab
 
Old 08-04-2010, 01:02 PM   #5
Felipe
Member
 
Registered: Oct 2006
Posts: 289

Original Poster
Rep: Reputation: 31
Thanks for your help.
I'm going crazy..

What I've done since the last post:

- Install a new RHEL 5.5.
- Add it to a W2003 AD.

As on the other computers, I can authenticate to RH using AD users.
Now I start a session with an AD user, and using Nautilus I can access Windows shares without being asked for user/pass. So I suppose it's joined to AD.

Next, I executed the commands you told me and no error was displayed.

Also, I modified smb.conf and added (when running your commands I was advised to do so):
use kerberos keytab = Yes

I've modified /etc/ssh/ssh_config with:
Host *
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Also modified /etc/ssh/sshd_config with:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes


Now, when I run ssh -v machine.fqdn, this message is displayed:

...
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database

debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
...



And now I don't know what else I can do. I also tried with OpenSuse 11.2 and had the same problem...

Thanks.
 
Old 08-04-2010, 06:44 PM   #6
lartman
LQ Newbie
 
Registered: Jan 2004
Location: Sydney, Australia
Distribution: RHEL
Posts: 22

Rep: Reputation: 17
Quote:
Originally Posted by Felipe:
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
Two more things to check: SELinux and reverse address lookup.

On the Red Hat box:
Verify that /etc/krb5.keytab was created correctly. Check that the file exists and is not empty.

ssh -vvv redhat_box
 
Old 08-05-2010, 02:34 AM   #7
Felipe
Member
 
Registered: Oct 2006
Posts: 289

Original Poster
Rep: Reputation: 31
The connection I'm trying is to the same computer and with the same user: from RHEL 5.5 to itself.

computer1:user1$ ssh -vv computer1.dom.com

The krb5.keytab exists and, even though it's a binary file, I can see with cat that the computer has been added.

I've repeated the whole process, rejoining it to AD. The messages are:
...
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address x.x.x.x
debug2: we sent a gssapi-with-mic packet, wait for reply
debug2: channel 0: window 999357 sent adjust 49219
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
...

Please, any suggestion... If you need my exact configuration files, I can put them here.

Can anyone tell me if Kerberos works in Linux if the KDC is Windows 2000/2003? I can only use it in Ubuntu with Likewise. Not able with RHEL 4.4/5.5, OpenSuse 11.2.

Thanks

Last edited by Felipe; 08-05-2010 at 05:11 AM.
 
Old 08-05-2010, 07:05 AM   #8
lartman
LQ Newbie
 
Registered: Jan 2004
Location: Sydney, Australia
Distribution: RHEL
Posts: 22

Rep: Reputation: 17
Is SELinux set to permissive?
What does /var/log/messages say when you ssh?
 
Old 08-05-2010, 07:36 AM   #9
lartman
LQ Newbie
 
Registered: Jan 2004
Location: Sydney, Australia
Distribution: RHEL
Posts: 22

Rep: Reputation: 17
Also Win2003 uses rc4-hmac. Add this to the [libdefaults] section of /etc/krb5.conf.

default_tgs_enctypes = rc4-hmac des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
 
Old 08-06-2010, 01:21 AM   #10
Felipe
Member
 
Registered: Oct 2006
Posts: 289

Original Poster
Rep: Reputation: 31
Hello:

Yesterday I restarted the computer and finally it worked.
But now I don't know why it works and why it didn't work before.

Now I'm trying with the real computer (the other was for testing purposes) and it doesn't work.
I'm copying smb.conf, system-auth, sshd_config and ssh_config from one computer to the other.

The configuration of the real computer is a bit more complicated because the FQDN of the computer is:
computer1.dom1.com and it is joined to a Win2000 AD whose domain is:
dom2.net.
dom1.com is also a domain from AD W2000. But I don't know if cross-domain works fine. It works for authenticating users and Samba shares, but I don't know if it works fine with Kerberos.

Now the error I find is:

debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database

debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey

I found this error before and I don't know why it disappeared on the other machine.
On the current machine (where the error appears) I've joined it to AD and created the keytab.
DNS resolves the machine's FQDN both forward and reverse.
I can create tickets with kinit user@DOM2.NET

This error is referenced as a DNS problem. I'm going to check (I'm not a DNS administrator). Possibly DNS reverse....

If I find the problem, I'll come back and write it.

Thanks

Last edited by Felipe; 08-06-2010 at 08:19 AM.
 
Old 08-10-2010, 07:58 AM   #11
Felipe
Member
 
Registered: Oct 2006
Posts: 289

Original Poster
Rep: Reputation: 31
Finally it was a DNS problem. My computer has more than one public name and the reverse name was not the same as the name of the computer (it only has 1 IP).

Thanks for your help.
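The root cause reported in the last post (the PTR name for the address differs from the host name the keytab was created for) and the keytab checks suggested earlier in the thread can be reproduced offline. The following is an added example, not code from the thread, from Samba or from MIT krb5: a small parser for the MIT keytab file format (the file `klist -k` reads, and the one the poster inspected with cat) plus a model of how an MIT-krb5 ssh client derives `host/<name>@REALM` from forward and reverse DNS. The host names, address, realm, keys and the forward/reverse lookup tables are constructed; treating the keytab as a mirror of the SPNs on the AD computer account is an assumption stated in the code.

```python
"""Added example (not from the thread): inspect an MIT keytab and predict the
service principal an ssh client will request, reproducing the "Server not found
in Kerberos database" mismatch. All names, addresses and keys are constructed."""
import struct
import time

# Enctype numbers (RFC 3961/3962/4757). 23 is the rc4-hmac that Win2003 uses;
# 1 and 3 are single-DES and should not be permitted on anything new.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KEYTAB_MAGIC = b"\x05\x02"  # keytab format 0x0502: all integers big-endian


def _counted(b):
    """Counted octet string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialize (principal, realm, kvno, enctype, key) tuples into keytab bytes.
    Only used to construct the sample; real keytabs come from net ads/ktutil."""
    out = bytearray(KEYTAB_MAGIC)
    for princ, realm, kvno, etype, key in entries:
        comps = princ.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", 1, int(time.time()), kvno & 0xFF)  # NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key  # keyblock
        body += struct.pack(">I", kvno)  # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n


def parse_keytab(data):
    """Return [{principal, kvno, enctype}] from keytab bytes; key material is skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        etype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 9 + 4 + klen  # skip the fixed fields and the key itself
        kvno = vno8
        if end - pos >= 4:  # 32-bit kvno present; it wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": ENCTYPES.get(etype, "enctype %d" % etype)})
    return entries


def service_principal(target, realm, forward, reverse, rdns=True):
    """Model of MIT krb5 host/<name> canonicalization as ssh uses it: forward-resolve
    the target to its canonical name and address, then, with rdns = true (MIT's
    default), substitute the PTR name of that address. forward/reverse are dicts
    standing in for DNS in this example."""
    canon, addr = forward[target.lower()]
    name = reverse.get(addr, canon) if rdns else canon
    return "host/%s@%s" % (name.lower(), realm)


def diagnose(target, realm, forward, reverse, keytab, rdns=True):
    """Compare what the client will request with the principals in the keytab.
    Assumption: a keytab written by 'net ads keytab create/add' mirrors the SPNs on
    the AD computer account, so a host/ name missing here is unknown to the KDC too."""
    wanted = service_principal(target, realm, forward, reverse, rdns)
    have = {e["principal"] for e in parse_keytab(keytab)}
    return ("ok" if wanted in have else "mismatch"), wanted


# Constructed sample mirroring the last post: host computer1.dom1.com in realm
# DOM2.NET, single address, but the PTR record names one of its other names.
REALM = "DOM2.NET"
FORWARD = {"computer1.dom1.com": ("computer1.dom1.com", "192.0.2.10")}
REVERSE_BAD = {"192.0.2.10": "alias1.dom1.com"}
REVERSE_OK = {"192.0.2.10": "computer1.dom1.com"}
SAMPLE_KEYTAB = build_keytab([("host/computer1.dom1.com", REALM, 2, 23, b"\x11" * 16),
                              ("COMPUTER1$", REALM, 2, 23, b"\x22" * 16)])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-36s kvno=%d %s" % (e["principal"], e["kvno"], e["enctype"]))
    print(diagnose("computer1.dom1.com", REALM, FORWARD, REVERSE_BAD, SAMPLE_KEYTAB))
```

On a real box `klist -k /etc/krb5.keytab` gives the same listing, and `kvno host/computer1.dom1.com` asks the KDC for that exact service ticket, which separates the DNS question from ssh. If the PTR record cannot be corrected, `rdns = false` in the [libdefaults] section of /etc/krb5.conf makes the client use the forward canonical name rather than the reverse one. The enctype column is also where the effect of the suggested `default_tkt_enctypes` list shows: rc4-hmac is what a Windows 2003 DC issues, and des-cbc-md5 should be permitted only while a legacy service still needs it.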
Tags
kerberos, ssh

