ssh and kerberos in RHEL
Hallo:
I have my RHEL4u4 integrated with Active Directory. I can log on to the computer with username/passwd from AD. But if I try to use ssh, it doesn't work. When I try to connect to the same computer using Kerberos I receive these messages:

ssh -vv server.domain.com
....
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
...

and it tries to use publickey and finally, user/pass. What do I have to do to use ssh and Kerberos? I use samba for joining the computer to AD. I tried it in Ubuntu 8.04 and likewise-open and it works, but not in RH-Samba. Any help? Thanks |
What is the rest of the ssh -vv output?
|
Hallo:
Connecting from Ubuntu to Ubuntu WORKS. Connecting from RH to Ubuntu DOESN'T work. Connecting from Ubuntu to RH DOESN'T work. Connecting from RH to RH DOESN'T work. Connecting to RH samba shares works fine. Starting a session with user/pass from AD works fine. The problem is I can't start a session using Kerberos. If I connect from RH to Ubuntu, these messages are displayed:

..
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user1/.ssh/identity
...

And I'm asked for the AD password. If I type it, I start a session. But no Kerberos connection has been possible. When I connect from Ubuntu to RH:

...
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/user1/.ssh/identity ((nil))
debug2: key: /home/user1/.ssh/id_rsa (0xb77dadf0)
debug2: key: /home/user1/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-with-mic,password,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
debug1: Unspecified GSS failure. Minor code may provide more information
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user1/.ssh/identity
debug3: no such identity: /home/user1/.ssh/identity
debug1: Offering public key: /home/user1/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Trying private key: /home/user1/.ssh/id_dsa
debug3: no such identity: /home/user1/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:

What I'm interested in is connecting to RH using Kerberos. Any idea? Thanks |
Quote:
Does the host you are trying to connect to have a keytab (/etc/krb5.keytab)? Is there a krb principal for the host? Create them on the Redhat box. As root: Quote:
|
Thanks for your help.
I'm getting fooled.. What I've done since the last post:
- Install a new RHEL 5.5.
- Add it to a W2003 AD.
As on the other computers, I can authenticate to RH using users of AD. Now I start a session with a user of AD. And using Nautilus I can access Windows shares without being asked for user/pass. So I suppose it's joined to AD. Next, I've executed the commands you have told me and no error has been displayed. Also, I've modified smb.conf and added (when running your commands I was advised to do it):

use kerberos keytab = Yes

I've modified /etc/ssh/ssh_config with:

Host *
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Also modified /etc/ssh/sshd_config with:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Now, when I run ssh -v machine.fqdn, this message is displayed:

...
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
...

And now I don't know what else I can do. I also tried with OpenSuse 11.2 and had the same problem... Thanks. |
Quote:
On the redhat box: Verify that /etc/krb5.keytabs was created correctly. Check the file exists and is not empty. ssh -vvv redhat_box |
The connection I'm trying is from the same computer to itself, with the same user: from RHEL 5.5 to itself.

computer1:user1$ ssh -vv computer1.dom.com

The krb5.keytab exists and, even though it's a binary file, I can see with a cat that the computer has been added. I've repeated the whole process, rejoining it to AD. The messages are:

...
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address x.x.x.x
debug2: we sent a gssapi-with-mic packet, wait for reply
debug2: channel 0: window 999357 sent adjust 49219
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
...

Please, any suggestion... If you need my exact configuration files, I can put them here. Can anyone tell me if Kerberos works in Linux when the KDC is Windows 2000/2003? I can only use it in Ubuntu with LikeWise; not with RHEL 4.4/5.5 or OpenSuse 11.2. Thanks |
Is selinux set to permissive?
What does /var/log/messages say when you ssh? |
Also Win2003 uses rc4-hmac. Add this to the [libdefaults] section of /etc/krb5.conf.
default_tgs_enctypes = rc4-hmac des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5 |
Hallo:
Yesterday I restarted the computer and finally it worked. But now I don't know why it works and why it didn't work before. Now I'm trying with the real computer (the other was for testing purposes) and it doesn't work. I'm copying smb.conf, system-auth, sshd_config and ssh_config from one computer to the other. The configuration of the real computer is a bit more complicated because the FQDN of the computer is computer1.dom1.com and it is joined to a Win2000 AD whose domain is dom2.net. The dom1.com is also a domain from AD W2000. But I don't know if cross-domain works fine. It works for authenticating users and samba shares, but I don't know if it works fine with Kerberos. Now the error I find is:

debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey

I've found this error before and I don't know why it disappeared on the other machine. On the current machine (where the error appears) I've joined it to AD and created the keytab. DNS resolves the FQDN of the machine both forward and reverse. I can create tickets with kinit user@DOM2.NET. This error is referenced as a DNS problem. I'm going to check (I'm not a DNS administrator). Possibly the DNS reverse.... If I find the problem, I'll come back and write it. Thanks |
Finally it was a DNS problem. My computer has more than one public name and the reverse name was not the same as the name of the computer (it only has 1 IP).
Thanks for your help. |
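An added diagnostic that models the resolution above (example code written for this page, not from the thread, Red Hat, Samba or any project): it reproduces the client-side name canonicalisation behind the "Trying to reverse map address" line, so you can see which host principal the ssh client actually asks the KDC for when a box has more than one public name. The DNS data, addresses and registered SPN list are constructed; `expected_spn`, `diagnose` and `live_resolvers` are hypothetical helper names.

```python
import socket
from typing import Callable, List, Optional, Set, Tuple

# A pair of (forward lookup, reverse lookup) functions, so the check can run
# against constructed data here and against the real resolver on a live host.
Resolver = Tuple[Callable[[str], str], Callable[[str], Optional[str]]]

def expected_spn(target: str, realm: str, resolvers: Resolver) -> Tuple[str, str, Optional[str]]:
    """Return (spn, address, reverse_name) for the principal the ssh client
    will request. With krb5's rdns=true (the default at the time of the
    thread) the client resolves the typed name to an address, reverse-maps
    that address, and the PTR name becomes the host part of host/<name>@REALM."""
    forward, reverse = resolvers
    addr = forward(target)
    rname = reverse(addr)
    canon = (rname or target).rstrip(".").lower()
    return f"host/{canon}@{realm.upper()}", addr, rname

def diagnose(target: str, realm: str, resolvers: Resolver, registered_spns: Set[str]) -> List[str]:
    """Explain why GSSAPI ssh to `target` would fail with 'Server not found in
    Kerberos database'. registered_spns is the set of SPNs the KDC (AD here)
    knows for the computer account, e.g. what the join registered."""
    spn, addr, rname = expected_spn(target, realm, resolvers)
    problems: List[str] = []
    if rname is None:
        problems.append(f"no PTR record for {addr}; client falls back to the typed name")
    elif rname.rstrip(".").lower() != target.rstrip(".").lower():
        problems.append(f"reverse DNS of {addr} is {rname}, not {target}: client will request {spn}")
    if spn.lower() not in {s.lower() for s in registered_spns}:
        problems.append(f"{spn} is not registered at the KDC -> 'Server not found in Kerberos database'")
    return problems

def live_resolvers() -> Resolver:
    """Resolvers backed by the system resolver, for running the check on a real host."""
    def rev(addr: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(addr)[0]
        except socket.herror:
            return None
    return socket.gethostbyname, rev

# Constructed data modelling the thread: one IP, two public names, and the PTR
# record pointing at the name that is not the computer's own.
FAKE_A = {"computer1.dom1.com": "192.0.2.10", "alias.dom1.com": "192.0.2.10"}
FAKE_PTR = {"192.0.2.10": "alias.dom1.com"}
FAKE_RESOLVERS: Resolver = (lambda n: FAKE_A[n.lower()], lambda a: FAKE_PTR.get(a))
REGISTERED = {"host/computer1.dom1.com@DOM2.NET", "host/COMPUTER1@DOM2.NET"}

if __name__ == "__main__":
    for p in diagnose("computer1.dom1.com", "DOM2.NET", FAKE_RESOLVERS, REGISTERED):
        print(p)
```

On a real host, pass `live_resolvers()` and the SPN list from the computer account (or the principals shown by `klist -k`) instead of the constructed data.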