How to connect to a Machine in a Different Domain
Hi
I have a machine that is joined to our PFS domain. It is accessed through SSH, telnet and Samba Shares. How can I connect to this machine via the above methods from a different domain (HQ)? HQ is a trusted domain and I have set allow trusted domains = yes. I am able to use wbinfo to authenticate the HQ user as hq+sxt007, however I am unable to SSH or telnet using that user. Part of the problem is that I don't know the format I should be using for the username when attempting to log on! I have tried hq+sxt007, hq\sxt007, hq\\sxt007 and sxt007@hq.
Thanks
Simon
Hi,
sorry I have no idea what a "PFS domain" is, but this looks to be a question about ssh so this "domain" information may be irrelevant. Syntax for using ssh is:
Code:
ssh username@hostname
What happens if you try to ping the machine?
Code:
ping hostname
Assuming the ping works, what happens if you try to use ssh as described above? If it doesn't work try again with verbose output turned on:
Code:
ssh -vvv username@hostname
Evo2.
PS. I've assumed here that sshd is really running and listening on port 22.
Hi Evo2,
PFS is the name of the domain that the machine has joined. HQ is the name of the domain containing the user I would like to connect as. I am able to ssh as the user from PFS using ssh simon.tann@sbvx10603 and pfs+ssh simon.tann@sbvx10603, but am unable to ssh as my HQ user by using ssh sxt007@sbvx10603 or ssh hq+sxt007@sbvx10603. Here's the debug output:
[simon.tann@sdvx10600 data]$ ssh -vvv hq+sxt007@sbvx10603
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to sbvx10603 [10.0.5.108] port 22.
debug1: Connection established.
debug1: identity file /home/winnt/PFS/simon.tann/.ssh/identity type -1
debug1: identity file /home/winnt/PFS/simon.tann/.ssh/id_rsa type -1
debug1: identity file /home/winnt/PFS/simon.tann/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 4 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 792 bytes for a total of 813
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 837
debug2: dh_gen_key: priv key bits set: 122/256
debug2: bits set: 512/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 144 bytes for a total of 981
debug3: check_host_in_hostfile: filename /home/winnt/PFS/simon.tann/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug3: check_host_in_hostfile: filename /home/winnt/PFS/simon.tann/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug1: Host 'sbvx10603' is known and matches the RSA host key.
debug1: Found key in /home/winnt/PFS/simon.tann/.ssh/known_hosts:2
debug2: bits set: 497/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 997
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1045
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/winnt/PFS/simon.tann/.ssh/identity ((nil))
debug2: key: /home/winnt/PFS/simon.tann/.ssh/id_rsa ((nil))
debug2: key: /home/winnt/PFS/simon.tann/.ssh/id_dsa ((nil))
debug3: Wrote 80 bytes for a total of 1125
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 10.0.5.108.
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_15162' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_15162' not found
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/winnt/PFS/simon.tann/.ssh/identity
debug3: no such identity: /home/winnt/PFS/simon.tann/.ssh/identity
debug1: Trying private key: /home/winnt/PFS/simon.tann/.ssh/id_rsa
debug3: no such identity: /home/winnt/PFS/simon.tann/.ssh/id_rsa
debug1: Trying private key: /home/winnt/PFS/simon.tann/.ssh/id_dsa
debug3: no such identity: /home/winnt/PFS/simon.tann/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
hq+sxt007@sbvx10603's password:
debug3: packet_send2: adding 48 (len 63 padlen 17 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug3: Wrote 144 bytes for a total of 1269
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
Hi,
I still don't understand about "domains".. has this got something to do with microsoft protocols? Anyway onto the problem. From the output of ssh, things look pretty good. You've been able to connect to the sshd, but your authentication is failing. You seem to be using the username "hq+sxt007": that doesn't look like a legal username to me since it contains "+". Can you confirm that user really exists on sbv10603? E.g. check /etc/passwd on sbvx10603. I suspect you should be using sxt007 as the username. It is also worth checking the sshd logs on sbvx10603. Exactly which log file depends on what distro you are running. For example on a Debian (or Debian derived machine) you would look in /var/log/auth.log. Anyway please repeat this using sxt007 username.
Cheers,
Evo2.
Hi Evo2
There are no local users set up on the machine - we use AD authentication through winbind. The plus symbol in the username is a replacement character that replaces the '\' (I think) that usually separates the domain name from the username. We can test the authentication by doing the following:
[root@sbvx10603 PFS]# wbinfo -a hq+sxt007
Enter hq+sxt007's password:
plaintext password authentication succeeded
Enter hq+sxt007's password:
challenge/response password authentication succeeded
So I can tell that the authentication is working and that the machine can see the HQ domain. I just don't know how to log in using those credentials, or if there is any set up that I need to do to make that possible.
Cheers
Simon
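Added example, not part of the original thread: `wbinfo -a` talks to winbindd directly, while an SSH login also needs the account to resolve through NSS and to authenticate through PAM, so this script checks those files statically. The function names, the constructed sample files and the choice of which PAM file to pass in (whichever one the sshd stack includes) are assumptions of the example.

```sh
#!/bin/sh
# Added example: static checks of the files sshd relies on for winbind accounts.
# wbinfo -a only exercises winbindd; sshd additionally needs NSS and PAM wired to it.

# Print smb.conf's "winbind separator" (Samba's default is "\" when unset).
winbind_separator() {
    sep=$(sed -n 's/^[[:space:]]*winbind separator[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    [ -n "$sep" ] || sep='\'
    printf '%s\n' "$sep"
}

# Succeed if database $2 (passwd, group) lists winbind as a source in nsswitch.conf $1.
nss_uses_winbind() {
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
                     END { exit !ok }' "$1"
}

# Succeed if PAM file $1 has an active line of type $2 (auth, account) using pam_winbind.so.
pam_uses_winbind() {
    awk -v type="$2" '$1 == type && /pam_winbind\.so/ { ok = 1 } END { exit !ok }' "$1"
}

# Run all checks; args: smb.conf nsswitch.conf pam-file. Returns the number of failures.
check_winbind_login() {
    fails=0
    nss_uses_winbind "$2" passwd || { echo "NSS: passwd lacks winbind, sshd cannot resolve the user"; fails=$((fails + 1)); }
    pam_uses_winbind "$3" auth || { echo "PAM: no auth line for pam_winbind.so"; fails=$((fails + 1)); }
    pam_uses_winbind "$3" account || { echo "PAM: no account line for pam_winbind.so"; fails=$((fails + 1)); }
    echo "Expected login name: hq$(winbind_separator "$1")sxt007"
    return "$fails"
}

# Constructed sample files (not taken from the thread): NSS is wired up, PAM is not.
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
printf '[global]\n  allow trusted domains = yes\n  winbind separator = +\n' > "$demo/smb.conf"
printf '# passwd: winbind\npasswd: files winbind\ngroup: files\n' > "$demo/nsswitch.conf"
printf 'auth required pam_unix.so\naccount required pam_unix.so\n' > "$demo/pam"
check_winbind_login "$demo/smb.conf" "$demo/nsswitch.conf" "$demo/pam" || echo "$? check(s) failed"
# On the live host, confirm with: getent passwd 'hq+sxt007' and wbinfo -i 'hq+sxt007'
```

If `getent passwd` returns nothing for the domain-qualified name, sshd treats the account as unknown no matter what `wbinfo -a` reports.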
Hi,
ok, this is way out of my area of expertise: I don't ever recall hearing of "AD" or "winbind". Hopefully someone else can help you.
Cheers,
Evo2.
Thanks for the attempt anyway! :D
I'm sure evo2 is just having a bad day ;)
AD=Active Directory. I had a quick google for Linux+ssh+Active Directory; lots of hits, this looks promising http://kadirsert.blogspot.com.au/201...ng-active.html
Hi,
Evo2, out.
Thanks anyway! :)