Web lists-archives.com

Re: [Samba] Winbind, Kerberos, SSH and Single Sign On




I can suggest a few things. 

krb5.conf ( if you use nfsv4 with kerberized mounts _
[libdefaults]
ignore_k5login = true  in 

But, it does not look like it in you logs your useing kerberized mounts. 


Im missing in SSHD_config : 
UseDNS yes

And the defaults : 
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

Are sufficient for a normal ssh kerberized login. 

Optional, depending on the use of your server, and if you SSH supports it. 
( use man sshd_config to look the up ) 
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes

I assume, that, server and client do have A and PTR records AND both servers have nfs/FQDN@REALM in the keytab. 

Postponed keyboard-interactive for EXAMPLE+user1 from 141.30.156.114 
That looks to me the UseDNS yes, may solve it if its keytab/resolving related.
If not, then i would try first to change the winbind separator 
winbind separator = + to \ ( and correct krb5.conf also ) 

I cant recall where i did read that, but that may solv it also. 

If these did not fix it, post the following please.
You OS and samba version. 
cat /etc/resolv.conf
cat /etc/hosts
dig -x server_ip 
dig -x client_ip

What i do on debian, is the following. 
Setup samba ( my configs, see my github howtos  (github.com/thctlo/samba4 )
apt-get install ssh-krb5
pam-auth-update

And i can use sso logins.  

So try above, and report back. 

Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens 
> Andreas Hauffe via samba
> Verzonden: woensdag 1 november 2017 9:59
> Aan: samba@xxxxxxxxxxxxxxx
> Onderwerp: [Samba] Winbind, Kerberos, SSH and Single Sign On
> 
> Hi,
> 
> at first I'm not sure if this is the correct list to ask this 
> question. 
> But since I'm using winbind I hope you can help me.
> 
> I try to realize a kerberized ssh from one client to another. Both 
> clients are member of subdom2.subdom1.example.de and joined 
> to it. The 
> users are from example.de, where subdom1.example.de is a subdomain 
> (bidirectional trust) of example.de and 
> subdom2.subdom1.example.de is a 
> subdomain (bidirectional trust) of subdom1.example.de.
> 
> When I try to ssh to a client I'm getting the service ticket for the 
> client. But it still prompts the password question.
> 
> On the ssh-client side I'm getting the following SSH debug 
> information:
> 
> ...> KRB5_TRACE=/dev/stdout ssh -vvv computer1
> OpenSSH_7.2p2, OpenSSL 1.0.2j-fips  26 Sep 2016
> debug1: Reading configuration data /home/user1/.ssh/config
> debug1: /home/user1/.ssh/config line 17: Applying options for *
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 25: Applying options for *
> debug2: resolving "computer1" port 22
> debug2: ssh_connect_direct: needpriv 0
> debug1: Connecting to computer1 [141.30.156.36] port 22.
> debug1: Connection established.
> debug1: identity file /home/user1/.ssh/id_rsa type 1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/user1/.ssh/id_rsa-cert type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/user1/.ssh/id_dsa type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/user1/.ssh/id_dsa-cert type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/user1/.ssh/id_ecdsa type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/user1/.ssh/id_ecdsa-cert type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/user1/.ssh/id_ed25519 type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/user1/.ssh/id_ed25519-cert type -1
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_7.2
> debug1: Remote protocol version 2.0, remote software version 
> OpenSSH_7.2
> debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
> debug2: fd 3 setting O_NONBLOCK
> debug1: Authenticating to computer1:22 as 'EXAMPLE+user1'
> debug3: hostkeys_foreach: reading file "/home/user1/.ssh/known_hosts"
> debug3: record_hostkey: found key type ECDSA in file 
> /home/user1/.ssh/known_hosts:60
> debug3: load_hostkeys: loaded 1 keys from computer1
> debug3: order_hostkeyalgs: prefer hostkeyalgs: 
> ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-c
> ert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,e
> cdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
> debug3: send packet: type 20
> debug1: SSH2_MSG_KEXINIT sent
> debug3: receive packet: type 20
> debug1: SSH2_MSG_KEXINIT received
> debug2: local client KEXINIT proposal
> debug2: KEX algorithms: 
> curve25519-sha256@xxxxxxxxxx,ecdh-sha2-nistp256,ecdh-sha2-nist
> p384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,d
> iffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,
> ext-info-c
> debug2: host key algorithms: 
> ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-c
> ert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,e
> cdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh
> -ed25519-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,ssh
> -dss-cert-v01@xxxxxxxxxxx,ssh-ed25519,rsa-sha2-512,rsa-sha2-25
> 6,ssh-rsa,ssh-dss
> debug2: ciphers ctos: 
> chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr
> ,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx,aes128-cbc,aes1
> 92-cbc,aes256-cbc,3des-cbc
> debug2: ciphers stoc: 
> chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr
> ,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx,aes128-cbc,aes1
> 92-cbc,aes256-cbc,3des-cbc
> debug2: MACs ctos: 
> umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256
> -etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@o
> penssh.com,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-
> 256,hmac-sha2-512,hmac-sha1
> debug2: MACs stoc: 
> umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256
> -etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@o
> penssh.com,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-
> 256,hmac-sha2-512,hmac-sha1
> debug2: compression ctos: none,zlib@xxxxxxxxxxx
> debug2: compression stoc: none,zlib@xxxxxxxxxxx
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug2: peer server KEXINIT proposal
> debug2: KEX algorithms: 
> curve25519-sha256@xxxxxxxxxx,ecdh-sha2-nistp256,ecdh-sha2-nist
> p384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,d
> iffie-hellman-group14-sha1
> debug2: host key algorithms: 
> ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,
> ssh-ed25519
> debug2: ciphers ctos: 
> chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr
> ,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx
> debug2: ciphers stoc: 
> chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr
> ,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx
> debug2: MACs ctos: 
> umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256
> -etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@o
> penssh.com,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-
> 256,hmac-sha2-512,hmac-sha1
> debug2: MACs stoc: 
> umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256
> -etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@o
> penssh.com,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-
> 256,hmac-sha2-512,hmac-sha1
> debug2: compression ctos: none,zlib@xxxxxxxxxxx
> debug2: compression stoc: none,zlib@xxxxxxxxxxx
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug1: kex: algorithm: curve25519-sha256@xxxxxxxxxx
> debug1: kex: host key algorithm: ecdsa-sha2-nistp256
> debug1: kex: server->client cipher: 
> chacha20-poly1305@xxxxxxxxxxx MAC: 
> <implicit> compression: none
> debug1: kex: client->server cipher: 
> chacha20-poly1305@xxxxxxxxxxx MAC: 
> <implicit> compression: none
> debug1: kex: curve25519-sha256@xxxxxxxxxx need=64 dh_need=64
> debug1: kex: curve25519-sha256@xxxxxxxxxx need=64 dh_need=64
> debug3: send packet: type 30
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug3: receive packet: type 31
> debug1: Server host key: ecdsa-sha2-nistp256 
> SHA256:7/AZTZcLAybma0tYTXNTStak01rfYk/r17XmQO1djso
> debug3: hostkeys_foreach: reading file "/home/user1/.ssh/known_hosts"
> debug3: record_hostkey: found key type ECDSA in file 
> /home/user1/.ssh/known_hosts:60
> debug3: load_hostkeys: loaded 1 keys from computer1
> debug3: hostkeys_foreach: reading file "/home/user1/.ssh/known_hosts"
> debug3: record_hostkey: found key type ECDSA in file 
> /home/user1/.ssh/known_hosts:59
> debug3: load_hostkeys: loaded 1 keys from 141.30.156.36
> debug1: Host 'computer1' is known and matches the ECDSA host key.
> debug1: Found key in /home/user1/.ssh/known_hosts:60
> debug3: send packet: type 21
> debug2: set_newkeys: mode 1
> debug1: rekey after 134217728 blocks
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug3: receive packet: type 21
> debug2: set_newkeys: mode 0
> debug1: rekey after 134217728 blocks
> debug1: SSH2_MSG_NEWKEYS received
> debug2: key: /home/user1/.ssh/id_rsa (0x55c3125896b0), agent
> debug2: key: /home/user1/.ssh/id_dsa ((nil))
> debug2: key: /home/user1/.ssh/id_ecdsa ((nil))
> debug2: key: /home/user1/.ssh/id_ed25519 ((nil))
> debug3: send packet: type 5
> debug3: receive packet: type 7
> debug1: SSH2_MSG_EXT_INFO received
> debug1: kex_input_ext_info: 
> server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
> debug3: receive packet: type 6
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug3: send packet: type 50
> debug3: receive packet: type 51
> debug1: Authentications that can continue: 
> publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
> debug3: start over, passed a different list 
> publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
> debug3: preferred 
> gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-keyex
> debug3: remaining preferred: 
> gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-keyex
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug3: Trying to reverse map address 141.30.156.36.
> [6355] 1509525451.837186: Convert service host (service with host as 
> instance) on host computer1.subdom2.subdom1.example.de to principal
> [6355] 1509525451.837196: Remote host after forward canonicalization: 
> computer1.subdom2.subdom1.example.de
> [6355] 1509525451.837202: Remote host after reverse DNS processing: 
> computer1.subdom2.subdom1.example.de
> [6355] 1509525451.837219: Got service principal 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx
> [6355] 1509525451.837375: ccselect can't find appropriate cache for 
> server principal 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx
> [6355] 1509525451.837411: Getting credentials user1@xxxxxxxxxx -> 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx 
> using ccache FILE:/tmp/krb5cc_103321
> [6355] 1509525451.837451: Retrieving user1@xxxxxxxxxx -> 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx 
> from FILE:/tmp/krb5cc_103321 with result: 0/Success
> [6355] 1509525451.837493: Creating authenticator for 
> user1@xxxxxxxxxx -> 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx, 
> seqnum 538127167, subkey aes256-cts/9E2E, session key aes256-cts/2C72
> debug3: send packet: type 50
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug3: receive packet: type 60
> debug1: Delegating credentials
> [6355] 1509525451.838235: Convert service host (service with host as 
> instance) on host computer1.subdom2.subdom1.example.de to principal
> [6355] 1509525451.838244: Remote host after forward canonicalization: 
> computer1.subdom2.subdom1.example.de
> [6355] 1509525451.838248: Remote host after reverse DNS processing: 
> computer1.subdom2.subdom1.example.de
> [6355] 1509525451.838269: Got service principal 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx
> [6355] 1509525451.838406: ccselect can't find appropriate cache for 
> server principal 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx
> [6355] 1509525451.838431: Getting credentials user1@xxxxxxxxxx -> 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx 
> using ccache FILE:/tmp/krb5cc_103321
> [6355] 1509525451.838457: Retrieving user1@xxxxxxxxxx -> 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx 
> from FILE:/tmp/krb5cc_103321 with result: 0/Success
> [6355] 1509525451.838506: Retrieving user1@xxxxxxxxxx -> 
> krbtgt/EXAMPLE.DE@xxxxxxxxxx from FILE:/tmp/krb5cc_103321 
> with result: 
> 0/Success
> [6355] 1509525451.838542: Get cred via TGT 
> krbtgt/EXAMPLE.DE@xxxxxxxxxx 
> after requesting krbtgt/EXAMPLE.DE@xxxxxxxxxx (canonicalize off)
> [6355] 1509525451.838552: Generated subkey for TGS request: 
> aes256-cts/6A11
> [6355] 1509525451.838577: etypes requested in TGS request: aes256-cts
> [6355] 1509525451.838619: Encoding request body and padata 
> into FAST request
> [6355] 1509525451.838661: Sending request (2761 bytes) to EXAMPLE.DE
> [6355] 1509525451.839682: Resolving hostname domdc8.example.de.
> [6355] 1509525451.839691: Resolving hostname domdc6.example.de.
> [6355] 1509525451.839694: Resolving hostname domdc7.example.de.
> [6355] 1509525451.839697: Resolving hostname domdc5.example.de.
> [6355] 1509525451.839699: Resolving hostname domdc8.example.de.
> [6355] 1509525451.839711: Initiating TCP connection to stream 
> 172.26.40.8:88
> [6355] 1509525451.840669: Sending TCP request to stream 172.26.40.8:88
> [6355] 1509525451.842021: Received answer (2706 bytes) from stream 
> 172.26.40.8:88
> [6355] 1509525451.842449: Response was not from master KDC
> [6355] 1509525451.842459: Decoding FAST response
> [6355] 1509525451.842515: FAST reply key: aes256-cts/4A19
> [6355] 1509525451.842535: TGS reply is for user1@xxxxxxxxxx -> 
> krbtgt/EXAMPLE.DE@xxxxxxxxxx with session key aes256-cts/4A0D
> [6355] 1509525451.842549: Got cred; 0/Success
> [6355] 1509525451.842596: Creating authenticator for 
> user1@xxxxxxxxxx -> 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx, 
> seqnum 334735312, subkey aes256-cts/4AE2, session key aes256-cts/2C72
> debug3: send packet: type 61
> debug3: receive packet: type 61
> debug1: Delegating credentials
> [6355] 1509525451.848142: Convert service host (service with host as 
> instance) on host computer1.subdom2.subdom1.example.de to principal
> [6355] 1509525451.848152: Remote host after forward canonicalization: 
> computer1.subdom2.subdom1.example.de
> [6355] 1509525451.848156: Remote host after reverse DNS processing: 
> computer1.subdom2.subdom1.example.de
> [6355] 1509525451.848166: Got service principal 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx
> [6355] 1509525451.848207: Read AP-REP, time 1509525445.842599, subkey 
> aes256-cts/5EEA, seqnum 91190375
> debug3: send packet: type 66
> debug3: receive packet: type 51
> debug1: Authentications that can continue: 
> publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
> [6355] 1509525451.849839: Convert service host (service with host as 
> instance) on host computer1.subdom2.subdom1.example.de to principal
> [6355] 1509525451.849848: Remote host after forward canonicalization: 
> computer1.subdom2.subdom1.example.de
> [6355] 1509525451.849853: Remote host after reverse DNS processing: 
> computer1.subdom2.subdom1.example.de
> [6355] 1509525451.849864: Got service principal 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx
> [6355] 1509525451.849970: ccselect can't find appropriate cache for 
> server principal 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx
> [6355] 1509525451.849995: Getting credentials user1@xxxxxxxxxx -> 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx 
> using ccache FILE:/tmp/krb5cc_103321
> [6355] 1509525451.850020: Retrieving user1@xxxxxxxxxx -> 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx 
> from FILE:/tmp/krb5cc_103321 with result: 0/Success
> [6355] 1509525451.850048: Creating authenticator for 
> user1@xxxxxxxxxx -> 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx, 
> seqnum 814792577, subkey aes256-cts/77C2, session key aes256-cts/2C72
> debug3: send packet: type 50
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug3: receive packet: type 51
> debug1: Authentications that can continue: 
> publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
> [6355] 1509525451.850462: Convert service host (service with host as 
> instance) on host computer1.subdom2.subdom1.example.de to principal
> [6355] 1509525451.850467: Remote host after forward canonicalization: 
> computer1.subdom2.subdom1.example.de
> [6355] 1509525451.850470: Remote host after reverse DNS processing: 
> computer1.subdom2.subdom1.example.de
> [6355] 1509525451.850476: Got service principal 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx
> [6355] 1509525451.850547: ccselect can't find appropriate cache for 
> server principal 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx
> [6355] 1509525451.850569: Getting credentials user1@xxxxxxxxxx -> 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx 
> using ccache FILE:/tmp/krb5cc_103321
> [6355] 1509525451.850591: Retrieving user1@xxxxxxxxxx -> 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx 
> from FILE:/tmp/krb5cc_103321 with result: 0/Success
> [6355] 1509525451.850611: Creating authenticator for 
> user1@xxxxxxxxxx -> 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx, 
> seqnum 1044832357, subkey aes256-cts/7DD3, session key aes256-cts/2C72
> debug3: send packet: type 50
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug3: receive packet: type 51
> debug1: Authentications that can continue: 
> publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
> [6355] 1509525451.851143: Convert service host (service with host as 
> instance) on host computer1.subdom2.subdom1.example.de to principal
> [6355] 1509525451.851147: Remote host after forward canonicalization: 
> computer1.subdom2.subdom1.example.de
> [6355] 1509525451.851150: Remote host after reverse DNS processing: 
> computer1.subdom2.subdom1.example.de
> [6355] 1509525451.851156: Got service principal 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx
> [6355] 1509525451.851226: ccselect can't find appropriate cache for 
> server principal 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx
> [6355] 1509525451.851284: Getting credentials user1@xxxxxxxxxx -> 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx 
> using ccache FILE:/tmp/krb5cc_103321
> [6355] 1509525451.851306: Retrieving user1@xxxxxxxxxx -> 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx 
> from FILE:/tmp/krb5cc_103321 with result: 0/Success
> [6355] 1509525451.851336: Getting credentials user1@xxxxxxxxxx -> 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx 
> using ccache FILE:/tmp/krb5cc_103321
> [6355] 1509525451.851355: Retrieving user1@xxxxxxxxxx -> 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx 
> from FILE:/tmp/krb5cc_103321 with result: 0/Success
> [6355] 1509525451.851374: Creating authenticator for 
> user1@xxxxxxxxxx -> 
> host/computer1.subdom2.subdom1.example.de@xxxxxxxxxxxxxxxxxxxxxxxxxx, 
> seqnum 933888914, subkey aes256-cts/B654, session key aes256-cts/2C72
> debug3: send packet: type 50
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug3: receive packet: type 51
> debug1: Authentications that can continue: 
> publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Offering RSA public key: /home/user1/.ssh/id_rsa
> debug3: send_pubkey_test
> debug3: send packet: type 50
> debug2: we sent a publickey packet, wait for reply
> debug3: receive packet: type 51
> debug1: Authentications that can continue: 
> publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
> debug1: Trying private key: /home/user1/.ssh/id_dsa
> debug3: no such identity: /home/user1/.ssh/id_dsa: No such 
> file or directory
> debug1: Trying private key: /home/user1/.ssh/id_ecdsa
> debug3: no such identity: /home/user1/.ssh/id_ecdsa: No such file or 
> directory
> debug1: Trying private key: /home/user1/.ssh/id_ed25519
> debug3: no such identity: /home/user1/.ssh/id_ed25519: No 
> such file or 
> directory
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> debug2: userauth_kbdint
> debug3: send packet: type 50
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug3: receive packet: type 60
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
> 
> On the sshd-server side:
> 
> debug2: load_server_config: filename /etc/ssh/sshd_config
> debug2: load_server_config: done config len = 530
> debug2: parse_server_config: config /etc/ssh/sshd_config len 530
> debug3: /etc/ssh/sshd_config:59 setting AuthorizedKeysFile 
> .ssh/authorized_keys
> debug3: /etc/ssh/sshd_config:77 setting PasswordAuthentication no
> debug3: /etc/ssh/sshd_config:90 setting GSSAPIAuthentication yes
> debug3: /etc/ssh/sshd_config:91 setting GSSAPICleanupCredentials yes
> debug3: /etc/ssh/sshd_config:104 setting UsePAM yes
> debug3: /etc/ssh/sshd_config:109 setting X11Forwarding yes
> debug3: /etc/ssh/sshd_config:118 setting UsePrivilegeSeparation no
> debug3: /etc/ssh/sshd_config:134 setting Subsystem sftp 
> /usr/lib/ssh/sftp-server
> debug3: /etc/ssh/sshd_config:137 setting AcceptEnv LANG LC_CTYPE 
> LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> debug3: /etc/ssh/sshd_config:138 setting AcceptEnv LC_PAPER LC_NAME 
> LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> debug3: /etc/ssh/sshd_config:139 setting AcceptEnv 
> LC_IDENTIFICATION LC_ALL
> debug1: sshd version OpenSSH_7.2, OpenSSL 1.0.2j-fips  26 Sep 2016
> debug1: private host key #0: ssh-rsa 
> SHA256:1j6kb5tgv9SOPXFk1t2MYS7AHAoXvNAz8sLdnhS/NsM
> debug1: private host key #1: ssh-dss 
> SHA256:Uhux8JTTAoVerZphmCGBCGVswPSXMZQnUxjnIfN0cPU
> debug1: private host key #2: ecdsa-sha2-nistp256 
> SHA256:7/AZTZcLAybma0tYTXNTStak01rfYk/r17XmQO1djso
> debug1: private host key #3: ssh-ed25519 
> SHA256:gpAG0xdH9KcJZS3/3p7516k+5sC6A5Y02/1K+PhZ2Fc
> debug1: rexec_argv[0]='/usr/sbin/sshd'
> debug1: rexec_argv[1]='-ddd'
> debug1: rexec_argv[2]='-p'
> debug1: rexec_argv[3]='2233'
> debug3: oom_adjust_setup
> debug1: Set /proc/self/oom_score_adj from 0 to -1000
> debug2: fd 3 setting O_NONBLOCK
> debug1: Bind to port 2233 on 0.0.0.0.
> Server listening on 0.0.0.0 port 2233.
> debug2: fd 4 setting O_NONBLOCK
> debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
> debug1: Bind to port 2233 on ::.
> Server listening on :: port 2233.
> debug3: fd 5 is not O_NONBLOCK
> debug1: Server will not fork when running in debugging mode.
> debug3: send_rexec_state: entering fd = 8 config len 530
> debug3: ssh_msg_send: type 0
> debug3: send_rexec_state: done
> debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
> debug1: inetd sockets after dupping: 3, 3
> Connection from 141.30.156.114 port 45018 on 141.30.156.36 port 2233
> debug1: Client protocol version 2.0; client software version 
> OpenSSH_7.2
> debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_7.2
> debug2: fd 3 setting O_NONBLOCK
> debug1: list_hostkey_types: 
> ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,
> ssh-ed25519
> debug3: send packet: type 20
> debug1: SSH2_MSG_KEXINIT sent
> debug3: receive packet: type 20
> debug1: SSH2_MSG_KEXINIT received
> debug2: local server KEXINIT proposal
> debug2: KEX algorithms: 
> curve25519-sha256@xxxxxxxxxx,ecdh-sha2-nistp256,ecdh-sha2-nist
> p384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,d
> iffie-hellman-group14-sha1
> debug2: host key algorithms: 
> ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,
> ssh-ed25519
> debug2: ciphers ctos: 
> chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr
> ,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx
> debug2: ciphers stoc: 
> chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr
> ,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx
> debug2: MACs ctos: 
> umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256
> -etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@o
> penssh.com,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-
> 256,hmac-sha2-512,hmac-sha1
> debug2: MACs stoc: 
> umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256
> -etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@o
> penssh.com,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-
> 256,hmac-sha2-512,hmac-sha1
> debug2: compression ctos: none,zlib@xxxxxxxxxxx
> debug2: compression stoc: none,zlib@xxxxxxxxxxx
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug2: peer client KEXINIT proposal
> debug2: KEX algorithms: 
> curve25519-sha256@xxxxxxxxxx,ecdh-sha2-nistp256,ecdh-sha2-nist
> p384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,d
> iffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,
> ext-info-c
> debug2: host key algorithms: 
> ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-c
> ert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,s
> sh-ed25519-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,s
> sh-dss-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256,ecdsa-sha2-nis
> tp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-25
> 6,ssh-rsa,ssh-dss
> debug2: ciphers ctos: 
> chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr
> ,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx,aes128-cbc,aes1
> 92-cbc,aes256-cbc,3des-cbc
> debug2: ciphers stoc: 
> chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr
> ,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx,aes128-cbc,aes1
> 92-cbc,aes256-cbc,3des-cbc
> debug2: MACs ctos: 
> umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256
> -etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@o
> penssh.com,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-
> 256,hmac-sha2-512,hmac-sha1
> debug2: MACs stoc: 
> umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256
> -etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@o
> penssh.com,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-
> 256,hmac-sha2-512,hmac-sha1
> debug2: compression ctos: none,zlib@xxxxxxxxxxx
> debug2: compression stoc: none,zlib@xxxxxxxxxxx
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug1: kex: algorithm: curve25519-sha256@xxxxxxxxxx
> debug1: kex: host key algorithm: ecdsa-sha2-nistp256
> debug1: kex: client->server cipher: 
> chacha20-poly1305@xxxxxxxxxxx MAC: 
> <implicit> compression: none
> debug1: kex: server->client cipher: 
> chacha20-poly1305@xxxxxxxxxxx MAC: 
> <implicit> compression: none
> debug1: kex: curve25519-sha256@xxxxxxxxxx need=64 dh_need=64
> debug1: kex: curve25519-sha256@xxxxxxxxxx need=64 dh_need=64
> debug1: expecting SSH2_MSG_KEX_ECDH_INIT
> debug3: receive packet: type 30
> debug3: send packet: type 31
> debug3: send packet: type 21
> debug2: set_newkeys: mode 1
> debug1: rekey after 134217728 blocks
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug3: send packet: type 7
> debug3: receive packet: type 21
> debug2: set_newkeys: mode 0
> debug1: rekey after 134217728 blocks
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug3: receive packet: type 5
> debug3: send packet: type 6
> debug3: receive packet: type 50
> debug1: userauth-request for user EXAMPLE+user1 service 
> ssh-connection 
> method none
> debug1: attempt 0 failures 0
> debug2: parse_server_config: config reprocess config len 530
> debug2: input_userauth_request: setting up authctxt for EXAMPLE+user1
> debug1: PAM: initializing for "EXAMPLE+user1"
> debug1: PAM: setting PAM_RHOST to "141.30.156.114"
> debug1: PAM: setting PAM_TTY to "ssh"
> debug2: input_userauth_request: try method none
> Failed none for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
> debug3: userauth_finish: failure partial=0 next 
> methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
> debug3: send packet: type 51
> debug3: receive packet: type 50
> debug1: userauth-request for user EXAMPLE+user1 service 
> ssh-connection 
> method gssapi-with-mic
> debug1: attempt 1 failures 0
> debug2: input_userauth_request: try method gssapi-with-mic
> debug3: send packet: type 60
> Postponed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 port 
> 45018 ssh2
> debug3: receive packet: type 61
> debug1: Received some client credentials
> debug3: send packet: type 61
> debug3: receive packet: type 66
> Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 
> port 45018 ssh2
> debug3: userauth_finish: failure partial=0 next 
> methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
> debug3: send packet: type 51
> debug3: receive packet: type 50
> debug1: userauth-request for user EXAMPLE+user1 service 
> ssh-connection 
> method gssapi-with-mic
> debug1: attempt 2 failures 1
> debug2: input_userauth_request: try method gssapi-with-mic
> Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 
> port 45018 ssh2
> debug3: userauth_finish: failure partial=0 next 
> methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
> debug3: send packet: type 51
> debug3: receive packet: type 50
> debug1: userauth-request for user EXAMPLE+user1 service 
> ssh-connection 
> method gssapi-with-mic
> debug1: attempt 3 failures 1
> debug2: input_userauth_request: try method gssapi-with-mic
> Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 
> port 45018 ssh2
> debug3: userauth_finish: failure partial=0 next 
> methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
> debug3: send packet: type 51
> debug3: receive packet: type 50
> debug1: userauth-request for user EXAMPLE+user1 service 
> ssh-connection 
> method gssapi-with-mic
> debug1: attempt 4 failures 1
> debug2: input_userauth_request: try method gssapi-with-mic
> Failed gssapi-with-mic for EXAMPLE+user1 from 141.30.156.114 
> port 45018 ssh2
> debug3: userauth_finish: failure partial=0 next 
> methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
> debug3: send packet: type 51
> debug3: receive packet: type 50
> debug1: userauth-request for user EXAMPLE+user1 service 
> ssh-connection 
> method publickey
> debug1: attempt 5 failures 1
> debug2: input_userauth_request: try method publickey
> debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for 
> RSA SHA256:PYcpC+MW8MGt1dXFFm9qebnkNkmClIpsaUTBR/Wzym8
> debug1: temporarily_use_uid: 103321/10513 (e=0/0)
> debug1: trying public key file /home/user1/.ssh/authorized_keys
> debug1: Could not open authorized keys 
> '/home/user1/.ssh/authorized_keys': No such file or directory
> debug1: restore_uid: 0/0
> debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-512
> Failed publickey for EXAMPLE+user1 from 141.30.156.114 port 45018 ssh2
> debug3: userauth_finish: failure partial=0 next 
> methods="publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive"
> debug3: send packet: type 51
> debug3: receive packet: type 50
> debug1: userauth-request for user EXAMPLE+user1 service 
> ssh-connection 
> method keyboard-interactive
> debug1: attempt 6 failures 2
> debug2: input_userauth_request: try method keyboard-interactive
> debug1: keyboard-interactive devs
> debug1: auth2_challenge: user=EXAMPLE+user1 devs=
> debug1: kbdint_alloc: devices 'pam'
> debug2: auth2_challenge_start: devices pam
> debug2: kbdint_next_device: devices <empty>
> debug1: auth2_challenge_start: trying authentication method 'pam'
> debug3: PAM: sshpam_init_ctx entering
> debug3: PAM: sshpam_query entering
> debug3: ssh_msg_recv entering
> debug3: PAM: sshpam_thread_conv entering, 1 messages
> debug3: ssh_msg_send: type 1
> debug3: ssh_msg_recv entering
> debug3: send packet: type 60
> Postponed keyboard-interactive for EXAMPLE+user1 from 141.30.156.114 
> port 45018 ssh2
> 
> 
> smb.conf:
> 
> [global]
> 
>      netbios name = computer1
>      security = ADS
>      workgroup = SUBDOM2
>      realm = SUBDOM2.SUBDOM1.EXAMPLE.DE
>      dedicated keytab file = /etc/krb5.keytab
>      kerberos method = secrets and keytab
> 
>      template homedir = /home/%U
>      template shell = /bin/bash
> 
>      winbind separator = +
> 
>      idmap config * : backend = tdb
>      idmap config * : range = 2000-2999
>      idmap config SUBDOM2 : backend = rid
>      idmap config SUBDOM2 : range = 3000-9999 # UID aus RID fuer ILRW
>      idmap config EXAMPLE : backend = rid
>      idmap config EXAMPLE : range = 10000-9999999 # UID aus 
> RID fuer DOM
> 
> 
> krb5.conf:
> 
> [libdefaults]
>          default_realm = SUBDOM2.SUBDOM1.EXAMPLE.DE
>          dns_lookup_realm = false
>          dns_lookup_kdc = true
>          ticket_lifetime = 24h
>          renew_lifetime = 7d
>          forwardable = true
> 
> [realms]
>      EXAMPLE.DE = {
>          auth_to_local = RULE:[1:EXAMPLE+$1]
>      }
>      SUBDOM1.EXAMPLE.DE = {
>          auth_to_local = RULE:[1:SUBDOM1+$1]
>      }
>      SUBDOM2.SUBDOM1.EXAMPLE.DE = {
>          auth_to_local = RULE:[1:SUBDOM2+$1]
>      }
> 
> [domain_realm]
>      .subdom2.subdom1.example.de = SUBDOM2.SUBDOM1.EXAMPLE.DE
>      subdom2.subdom1.example.de = SUBDOM2.SUBDOM1.EXAMPLE.DE
>      .subdom1.example.de = SUBDOM1.EXAMPLE.DE
>      subdom1.example.de = SUBDOM1.EXAMPLE.DE
>      .example.de = EXAMPLE.DE
>      example.de = EXAMPLE.DE
> 
> [capaths]
>      SUBDOM2.SUBDOM1.EXAMPLE.DE = {
>          SUBDOM1.EXAMPLE.DE = .
>          EXAMPLE.DE = SUBDOM1.EXAMPLE.DE
>      }
>      SUBDOM1.EXAMPLE.DE = {
>          SUBDOM2.SUBDOM1.EXAMPLE.DE = .
>          EXAMPLE.DE = .
>      }
>      EXAMPLE.DE = {
>          SUBDOM1.EXAMPLE.DE = .
>          SUBDOM2.SUBDOM1.EXAMPLE.DE = SUBDOM1.EXAMPLE.DE
>      }
> 
> [logging]
>      kdc = FILE:/var/log/krb5/krb5kdc.log
>      admin_server = FILE:/var/log/krb5/kadmind.log
>      default = SYSLOG:DEBUG:DAEMON
> 
> sshd_config:
> 
> AuthorizedKeysFile      .ssh/authorized_keys
> PasswordAuthentication no
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> UsePAM yes
> X11Forwarding yes
> Subsystem       sftp    /usr/lib/ssh/sftp-server
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY 
> LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL
> 
> -- 
> Regards,
> Andreas
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba