Web lists-archives.com

[Samba] Winbind, Kerberos, SSH and Single Sign On




Hi,

at first I'm not sure if this is the correct list to ask this question. But since I'm using winbind I hope you can help me.

I try to realize a kerberized ssh from one client to another. Both clients are member of subdom2.subdom1.example.de and joined to it. The users are from example.de, where subdom1.example.de is a subdomain (bidirectional trust) of example.de and subdom2.subdom1.example.de is a subdomain (bidirectional trust) of subdom1.example.de.

When I try to ssh to a client I'm getting the service ticket for the client. But it still prompts the password question.

On the ssh-client side I'm getting the following SSH debug information:

...> KRB5_TRACE=/dev/stdout ssh -vvv computer1
OpenSSH_7.2p2, OpenSSL 1.0.2j-fips  26 Sep 2016
debug1: Reading configuration data /home/user1/.ssh/config
debug1: /home/user1/.ssh/config line 17: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 25: Applying options for *
debug2: resolving "computer1" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to computer1 [141.30.156.36] port 22.
debug1: Connection established.
debug1: identity file /home/user1/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to computer1:22 as 'EXAMPLE+user1'
debug3: hostkeys_foreach: reading file "/home/user1/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/user1/.ssh/known_hosts:60
debug3: load_hostkeys: loaded 1 keys from computer1
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@xxxxxxxxxx,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-dss-cert-v01@xxxxxxxxxxx,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss debug2: ciphers ctos: chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc debug2: ciphers stoc: chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc debug2: MACs ctos: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@xxxxxxxxxxx
debug2: compression stoc: none,zlib@xxxxxxxxxxx
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@xxxxxxxxxx,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 debug2: ciphers ctos: chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx debug2: ciphers stoc: chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx debug2: MACs ctos: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@xxxxxxxxxxx
debug2: compression stoc: none,zlib@xxxxxxxxxxx
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@xxxxxxxxxx
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@xxxxxxxxxxx MAC: <implicit> compression: none debug1: kex: client->server cipher: chacha20-poly1305@xxxxxxxxxxx MAC: <implicit> compression: none
debug1: kex: curve25519-sha256@xxxxxxxxxx need=64 dh_need=64
debug1: kex: curve25519-sha256@xxxxxxxxxx need=64 dh_need=64
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:7/AZTZcLAybma0tYTXNTStak01rfYk/r17XmQO1djso
debug3: hostkeys_foreach: reading file "/home/user1/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/user1/.ssh/known_hosts:60
debug3: load_hostkeys: loaded 1 keys from computer1
debug3: hostkeys_foreach: reading file "/home/user1/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/user1/.ssh/known_hosts:59
debug3: load_hostkeys: loaded 1 keys from 141.30.156.36
debug1: Host 'computer1' is known and matches the ECDSA host key.
debug1: Found key in /home/user1/.ssh/known_hosts:60
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug2: key: /home/user1/.ssh/id_rsa (0x55c3125896b0), agent
debug2: key: /home/user1/.ssh/id_dsa ((nil))
debug2: key: /home/user1/.ssh/id_ecdsa ((nil))
debug2: key: /home/user1/.ssh/id_ed25519 ((nil))
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 141.30.156.36.
[6355] 1509525451.837186: Convert service host (service with host as instance) on host computer1.subdom2.subdom1.example.de to principal [6355] 1509525451.837196: Remote host after forward canonicalization: computer1.subdom2.subdom1.example.de [6355] 1509525451.837202: Remote host after reverse DNS processing: computer1.subdom2.subdom1.example.de [6355] 1509525451.837219: Got service principal host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx [6355] 1509525451.837375: ccselect can't find appropriate cache for server principal host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx [6355] 1509525451.837411: Getting credentials user1@xxxxxxxxxx -> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx using ccache FILE:/tmp/krb5cc_103321 [6355] 1509525451.837451: Retrieving user1@xxxxxxxxxx -> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx from FILE:/tmp/krb5cc_103321 with result: 0/Success [6355] 1509525451.837493: Creating authenticator for user1@xxxxxxxxxx -> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx, seqnum 538127167, subkey aes256-cts/9E2E, session key aes256-cts/2C72
debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 60
debug1: Delegating credentials
[6355] 1509525451.838235: Convert service host (service with host as instance) on host computer1.subdom2.subdom1.example.de to principal [6355] 1509525451.838244: Remote host after forward canonicalization: computer1.subdom2.subdom1.example.de [6355] 1509525451.838248: Remote host after reverse DNS processing: computer1.subdom2.subdom1.example.de [6355] 1509525451.838269: Got service principal host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx [6355] 1509525451.838406: ccselect can't find appropriate cache for server principal host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx [6355] 1509525451.838431: Getting credentials user1@xxxxxxxxxx -> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx using ccache FILE:/tmp/krb5cc_103321 [6355] 1509525451.838457: Retrieving user1@xxxxxxxxxx -> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx from FILE:/tmp/krb5cc_103321 with result: 0/Success [6355] 1509525451.838506: Retrieving user1@xxxxxxxxxx -> krbtgt/EXAMPLE.DE@xxxxxxxxxx from FILE:/tmp/krb5cc_103321 with result: 0/Success [6355] 1509525451.838542: Get cred via TGT krbtgt/EXAMPLE.DE@xxxxxxxxxx after requesting krbtgt/EXAMPLE.DE@xxxxxxxxxx (canonicalize off)
[6355] 1509525451.838552: Generated subkey for TGS request: aes256-cts/6A11
[6355] 1509525451.838577: etypes requested in TGS request: aes256-cts
[6355] 1509525451.838619: Encoding request body and padata into FAST request
[6355] 1509525451.838661: Sending request (2761 bytes) to EXAMPLE.DE
[6355] 1509525451.839682: Resolving hostname domdc8.example.de.
[6355] 1509525451.839691: Resolving hostname domdc6.example.de.
[6355] 1509525451.839694: Resolving hostname domdc7.example.de.
[6355] 1509525451.839697: Resolving hostname domdc5.example.de.
[6355] 1509525451.839699: Resolving hostname domdc8.example.de.
[6355] 1509525451.839711: Initiating TCP connection to stream 172.26.40.8:88
[6355] 1509525451.840669: Sending TCP request to stream 172.26.40.8:88
[6355] 1509525451.842021: Received answer (2706 bytes) from stream 172.26.40.8:88
[6355] 1509525451.842449: Response was not from master KDC
[6355] 1509525451.842459: Decoding FAST response
[6355] 1509525451.842515: FAST reply key: aes256-cts/4A19
[6355] 1509525451.842535: TGS reply is for user1@xxxxxxxxxx -> krbtgt/EXAMPLE.DE@xxxxxxxxxx with session key aes256-cts/4A0D
[6355] 1509525451.842549: Got cred; 0/Success
[6355] 1509525451.842596: Creating authenticator for user1@xxxxxxxxxx -> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx, seqnum 334735312, subkey aes256-cts/4AE2, session key aes256-cts/2C72
debug3: send packet: type 61
debug3: receive packet: type 61
debug1: Delegating credentials
[6355] 1509525451.848142: Convert service host (service with host as instance) on host computer1.subdom2.subdom1.example.de to principal [6355] 1509525451.848152: Remote host after forward canonicalization: computer1.subdom2.subdom1.example.de [6355] 1509525451.848156: Remote host after reverse DNS processing: computer1.subdom2.subdom1.example.de [6355] 1509525451.848166: Got service principal host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx [6355] 1509525451.848207: Read AP-REP, time 1509525445.842599, subkey aes256-cts/5EEA, seqnum 91190375
debug3: send packet: type 66
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive [6355] 1509525451.849839: Convert service host (service with host as instance) on host computer1.subdom2.subdom1.example.de to principal [6355] 1509525451.849848: Remote host after forward canonicalization: computer1.subdom2.subdom1.example.de [6355] 1509525451.849853: Remote host after reverse DNS processing: computer1.subdom2.subdom1.example.de [6355] 1509525451.849864: Got service principal host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx [6355] 1509525451.849970: ccselect can't find appropriate cache for server principal host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx [6355] 1509525451.849995: Getting credentials user1@xxxxxxxxxx -> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx using ccache FILE:/tmp/krb5cc_103321 [6355] 1509525451.850020: Retrieving user1@xxxxxxxxxx -> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx from FILE:/tmp/krb5cc_103321 with result: 0/Success [6355] 1509525451.850048: Creating authenticator for user1@xxxxxxxxxx -> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx, seqnum 814792577, subkey aes256-cts/77C2, session key aes256-cts/2C72
debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive [6355] 1509525451.850462: Convert service host (service with host as instance) on host computer1.subdom2.subdom1.example.de to principal [6355] 1509525451.850467: Remote host after forward canonicalization: computer1.subdom2.subdom1.example.de [6355] 1509525451.850470: Remote host after reverse DNS processing: computer1.subdom2.subdom1.example.de [6355] 1509525451.850476: Got service principal host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx [6355] 1509525451.850547: ccselect can't find appropriate cache for server principal host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx [6355] 1509525451.850569: Getting credentials user1@xxxxxxxxxx -> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx using ccache FILE:/tmp/krb5cc_103321 [6355] 1509525451.850591: Retrieving user1@xxxxxxxxxx -> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx from FILE:/tmp/krb5cc_103321 with result: 0/Success [6355] 1509525451.850611: Creating authenticator for user1@xxxxxxxxxx -> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx, seqnum 1044832357, subkey aes256-cts/7DD3, session key aes256-cts/2C72
debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive [6355] 1509525451.851143: Convert service host (service with host as instance) on host computer1.subdom2.subdom1.example.de to principal [6355] 1509525451.851147: Remote host after forward canonicalization: computer1.subdom2.subdom1.example.de [6355] 1509525451.851150: Remote host after reverse DNS processing: computer1.subdom2.subdom1.example.de [6355] 1509525451.851156: Got service principal host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx [6355] 1509525451.851226: ccselect can't find appropriate cache for server principal host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx [6355] 1509525451.851284: Getting credentials user1@xxxxxxxxxx -> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx using ccache FILE:/tmp/krb5cc_103321 [6355] 1509525451.851306: Retrieving user1@xxxxxxxxxx -> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx from FILE:/tmp/krb5cc_103321 with result: 0/Success [6355] 1509525451.851336: Getting credentials user1@xxxxxxxxxx -> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx using ccache FILE:/tmp/krb5cc_103321 [6355] 1509525451.851355: Retrieving user1@xxxxxxxxxx -> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx from FILE:/tmp/krb5cc_103321 with result: 0/Success [6355] 1509525451.851374: Creating authenticator for user1@xxxxxxxxxx -> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx, seqnum 933888914, subkey aes256-cts/B654, session key aes256-cts/2C72
debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/user1/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Trying private key: /home/user1/.ssh/id_dsa
debug3: no such identity: /home/user1/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/user1/.ssh/id_ecdsa
debug3: no such identity: /home/user1/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/user1/.ssh/id_ed25519
debug3: no such identity: /home/user1/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:

On the sshd-server side:

debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 530
debug2: parse_server_config: config /etc/ssh/sshd_config len 530
debug3: /etc/ssh/sshd_config:59 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /etc/ssh/sshd_config:77 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:90 setting GSSAPIAuthentication yes
debug3: /etc/ssh/sshd_config:91 setting GSSAPICleanupCredentials yes
debug3: /etc/ssh/sshd_config:104 setting UsePAM yes
debug3: /etc/ssh/sshd_config:109 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:118 setting UsePrivilegeSeparation no
debug3: /etc/ssh/sshd_config:134 setting Subsystem sftp /usr/lib/ssh/sftp-server debug3: /etc/ssh/sshd_config:137 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES debug3: /etc/ssh/sshd_config:138 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
debug3: /etc/ssh/sshd_config:139 setting AcceptEnv LC_IDENTIFICATION LC_ALL
debug1: sshd version OpenSSH_7.2, OpenSSL 1.0.2j-fips  26 Sep 2016
debug1: private host key #0: ssh-rsa SHA256:1j6kb5tgv9SOPXFk1t2MYS7AHAoXvNAz8sLdnhS/NsM debug1: private host key #1: ssh-dss SHA256:Uhux8JTTAoVerZphmCGBCGVswPSXMZQnUxjnIfN0cPU debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:7/AZTZcLAybma0tYTXNTStak01rfYk/r17XmQO1djso debug1: private host key #3: ssh-ed25519 SHA256:gpAG0xdH9KcJZS3/3p7516k+5sC6A5Y02/1K+PhZ2Fc
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='2233'
debug3: oom_adjust_setup
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 2233 on 0.0.0.0.
Server listening on 0.0.0.0 port 2233.
debug2: fd 4 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
debug1: Bind to port 2233 on ::.
Server listening on :: port 2233.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 530
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 141.30.156.114 port 45018 on 141.30.156.36 port 2233
debug1: Client protocol version 2.0; client software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug2: fd 3 setting O_NONBLOCK
debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@xxxxxxxxxx,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 debug2: ciphers ctos: chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx debug2: ciphers stoc: chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx debug2: MACs ctos: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@xxxxxxxxxxx
debug2: compression stoc: none,zlib@xxxxxxxxxxx
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@xxxxxxxxxx,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ssh-ed25519-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-dss-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss debug2: ciphers ctos: chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc debug2: ciphers stoc: chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc debug2: MACs ctos: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@xxxxxxxxxxx
debug2: compression stoc: none,zlib@xxxxxxxxxxx
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@xxxxxxxxxx
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: client->server cipher: chacha20-poly1305@xxxxxxxxxxx MAC: <implicit> compression: none debug1: kex: server->client cipher: chacha20-poly1305@xxxxxxxxxxx MAC: <implicit> compression: none
debug1: kex: curve25519-sha256@xxxxxxxxxx need=64 dh_need=64
debug1: kex: curve25519-sha256@xxxxxxxxxx need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_INIT
debug3: receive packet: type 30
debug3: send packet: type 31
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: send packet: type 7
debug3: receive packet: type 21
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug3: receive packet: type 5
debug3: send packet: type 6
debug3: receive packet: type 50
debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method none
debug1: attempt 0 failures 0
debug2: parse_server_config: config reprocess config len 530
debug2: input_userauth_request: setting up authctxt for EXAMPLE+user1
debug1: PAM: initializing for "EXAMPLE+user1"
debug1: PAM: setting PAM_RHOST to "141.30.156.114"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: input_userauth_request: try method none
Failed none for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
debug3: send packet: type 51
debug3: receive packet: type 50
debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method gssapi-with-mic
debug3: send packet: type 60
Postponed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
debug3: receive packet: type 61
debug1: Received some client credentials
debug3: send packet: type 61
debug3: receive packet: type 66
Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
debug3: send packet: type 51
debug3: receive packet: type 50
debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method gssapi-with-mic
debug1: attempt 2 failures 1
debug2: input_userauth_request: try method gssapi-with-mic
Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
debug3: send packet: type 51
debug3: receive packet: type 50
debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method gssapi-with-mic
debug1: attempt 3 failures 1
debug2: input_userauth_request: try method gssapi-with-mic
Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
debug3: send packet: type 51
debug3: receive packet: type 50
debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method gssapi-with-mic
debug1: attempt 4 failures 1
debug2: input_userauth_request: try method gssapi-with-mic
Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
debug3: send packet: type 51
debug3: receive packet: type 50
debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method publickey
debug1: attempt 5 failures 1
debug2: input_userauth_request: try method publickey
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:PYcpC+MW8MGt1dXFFm9qebnkNkmClIpsaUTBR/Wzym8
debug1: temporarily_use_uid: 103321/10513 (e=0/0)
debug1: trying public key file /home/user1/.ssh/authorized_keys
debug1: Could not open authorized keys '/home/user1/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-512
Failed publickey for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
debug3: send packet: type 51
debug3: receive packet: type 50
debug1: userauth-request for user EXAMPLE+user1 service ssh-connection method keyboard-interactive
debug1: attempt 6 failures 2
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=EXAMPLE+user1 devs=
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices <empty>
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: PAM: sshpam_init_ctx entering
debug3: PAM: sshpam_query entering
debug3: ssh_msg_recv entering
debug3: PAM: sshpam_thread_conv entering, 1 messages
debug3: ssh_msg_send: type 1
debug3: ssh_msg_recv entering
debug3: send packet: type 60
Postponed keyboard-interactive for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2


smb.conf:

[global]

    netbios name = computer1
    security = ADS
    workgroup = SUBDOM2
    realm = SUBDOM2.SUBDOM1.EXAMPLE.DE
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    template homedir = /home/%U
    template shell = /bin/bash

    winbind separator = +

    idmap config * : backend = tdb
    idmap config * : range = 2000-2999
    idmap config SUBDOM2 : backend = rid
    idmap config SUBDOM2 : range = 3000-9999 # UID aus RID fuer ILRW
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-9999999 # UID aus RID fuer DOM


krb5.conf:

[libdefaults]
        default_realm = SUBDOM2.SUBDOM1.EXAMPLE.DE
        dns_lookup_realm = false
        dns_lookup_kdc = true
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true

[realms]
    EXAMPLE.DE = {
        auth_to_local = RULE:[1:EXAMPLE+$1]
    }
    SUBDOM1.EXAMPLE.DE = {
        auth_to_local = RULE:[1:SUBDOM1+$1]
    }
    SUBDOM2.SUBDOM1.EXAMPLE.DE = {
        auth_to_local = RULE:[1:SUBDOM2+$1]
    }

[domain_realm]
    .subdom2.subdom1.example.de = SUBDOM2.SUBDOM1.EXAMPLE.DE
    subdom2.subdom1.example.de = SUBDOM2.SUBDOM1.EXAMPLE.DE
    .subdom1.example.de = SUBDOM1.EXAMPLE.DE
    subdom1.example.de = SUBDOM1.EXAMPLE.DE
    .example.de = EXAMPLE.DE
    example.de = EXAMPLE.DE

[capaths]
    SUBDOM2.SUBDOM1.EXAMPLE.DE = {
        SUBDOM1.EXAMPLE.DE = .
        EXAMPLE.DE = SUBDOM1.EXAMPLE.DE
    }
    SUBDOM1.EXAMPLE.DE = {
        SUBDOM2.SUBDOM1.EXAMPLE.DE = .
        EXAMPLE.DE = .
    }
    EXAMPLE.DE = {
        SUBDOM1.EXAMPLE.DE = .
        SUBDOM2.SUBDOM1.EXAMPLE.DE = SUBDOM1.EXAMPLE.DE
    }

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:DEBUG:DAEMON

sshd_config:

AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding yes
Subsystem       sftp    /usr/lib/ssh/sftp-server
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL

--
Regards,
Andreas


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba