OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found
Darren Tucker
dtucker at zip.com.au
Mon Nov 28 17:48:51 EST 2005
On Sun, Nov 27, 2005 at 05:53:12PM +0100, Matthias Gerstner wrote:
> I'm working on the infrastructure of a medium size client/server
> environment using an Active Directory running on Windows Server 2003 for
> central authentication of users on linux clients.
> Additionally OpenAFS is running using Kerberos authentication through
> Active Directory as well.
>
> Now I want to grant users remote access to their AFS data by logging
> into a central OpenSSH server running on linux.
>
> As authentication at the Active Directory works well when logging in
> locally on the linux clients using PAM I wanted to use PAM also for the
> SSH access.
>
> Unfortunately I've run into problems trying to get the OpenSSH setup
> running. I have tried OpenSSH PAM support and OpenSSH's internal
> kerberos support. But both result in errors.
One thing worth trying: make sure you're using sshd's
PasswordAuthentication and not ChallengeResponseAuthentication.
You can test this with "ssh -o PreferredAuthentications=password
yourserver", and if it works you can set PasswordAuthentication=yes
and ChallengeResponseAuthentication=no in sshd_config to
require it from your clients. For the gory details see
http://bugzilla.mindrot.org/show_bug.cgi?id=688
> When using PAM authentication (using the same PAM stack we're using for
> local authentication on the clients that works with pam_krb5.so) I can
> successfully login on the OpenSSH server but don't get the Kerberos5
> ticket written to /tmp/krb5cc_[...]. The following error is written to
> the logs:
>
> --
> -bash: GSSAPI Error: Miscellaneous failure (No Credentials cache found)
I don't know why bash would care about GSSAPI.
> Also the variable KRB5CCNAME isn't defined. I've investigated about this
> problem already on the net and tried different setups and approaches but
> to no avail. I need the kerberos5 ticket for use of OpenAFS.
>
> When trying internal Kerberos support of OpenSSH I can't login at all
> while getting the following error messages in the log:
I can't comment much on the GSSAPI errors, except...
[...]
> When I comment out this [krb5_kuserok] then I can login using OpenSSH's
> internal kerberos support and even get my kerberos5 ticket and KRB5CCNAME.
> I'm not that involved in Kerberos on the coding side. What does the
> krb5_kuserok method do exactly? Why could it fail? Is it critical to
> comment it out?
The man page for krb5_kuserok says, in part:

    This function takes a local user name and verifies if principal is
    allowed to log in as that user.

    First krb5_kuserok checks if there is a local account named username. If
    there isn't, krb5_kuserok returns FALSE.

    Then krb5_kuserok checks if principal is the same as user@realm in any of
    the default realms. If that is the case, krb5_kuserok returns TRUE.
> Oh, and here is some more data about my OpenSSH server system:
> It's running on Gentoo Linux using
> - OpenSSH 4.2_p1 with kerberos, ldap and pam support enabled
The main OpenSSH distribution does not have LDAP support. Is this modified?
Have you enabled LDAP support in /etc/nsswitch.conf?
> Thanks in advance for your support,
You're welcome.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
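The krb5_kuserok() decision that the man page excerpt above describes, modelled in Python as an added example (not code from this thread, from Heimdal, or from OpenSSH). Steps 1 and 2 (local account must exist; principal equal to user@REALM for a default realm is accepted) follow the quoted text; step 3, falling back to the principals listed in ~user/.k5login, is taken from the rest of the Heimdal man page and is an assumption as far as this page is concerned. The account set stands in for getpwnam(), which is where an nsswitch/LDAP misconfiguration would bite, and the realm comparison is deliberately case-sensitive, so a default_realm in krb5.conf that does not match the realm in the ticket exactly makes the check fail. All principal names, realms and accounts below are constructed for illustration.

```python
"""
Model of the krb5_kuserok() authorization decision (Heimdal ordering):
  1. the local account must exist (getpwnam), else FALSE;
  2. principal == local_user@REALM for one of the default realms -> TRUE;
  3. otherwise the principal must appear in ~local_user/.k5login.
Pure Python; no Kerberos library is needed and all inputs are in memory.
"""
from __future__ import annotations

from typing import Iterable, Optional, Set, Tuple


def parse_principal(text: str) -> Tuple[str, str]:
    """Split 'name@REALM' at the last unescaped '@'.

    Kerberos allows a literal '@' in a name component when escaped as '\\@',
    so scan from the right for an '@' not preceded by a backslash.
    """
    text = text.strip()
    for i in range(len(text) - 1, 0, -1):
        if text[i] == "@" and text[i - 1] != "\\":
            name, realm = text[:i], text[i + 1:]
            if not realm:
                raise ValueError(f"principal has empty realm: {text!r}")
            return name.replace("\\@", "@"), realm
    raise ValueError(f"principal has no realm: {text!r}")


def kuserok(principal: str, local_user: str, default_realms: Iterable[str],
            local_accounts: Set[str], k5login: Optional[str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for 'may `principal` log in as `local_user`?'.

    local_accounts: names getpwnam() would resolve (constructed stand-in).
    k5login:        text of ~local_user/.k5login, or None if the file is absent.
    """
    # Step 1: the local account has to exist. With LDAP-backed accounts this is
    # the nsswitch lookup; if it fails, nothing else is consulted.
    if local_user not in local_accounts:
        return False, f"no local account {local_user!r} (getpwnam failed)"

    name, realm = parse_principal(principal)

    # Step 2: user@DEFAULT_REALM is always accepted. Realms are compared
    # byte-for-byte: 'ad.example.com' is not 'AD.EXAMPLE.COM'.
    if name == local_user and realm in set(default_realms):
        return True, f"{principal} is {local_user}@<default realm>"

    # Step 3 (from the rest of the Heimdal man page, not quoted above):
    # consult ~local_user/.k5login; every non-empty line is one principal.
    if k5login is None:
        return False, f"realm {realm!r} is not a default realm and no .k5login"
    for lineno, line in enumerate(k5login.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            if parse_principal(line) == (name, realm):
                return True, f".k5login line {lineno} matches"
        except ValueError:
            continue  # unparsable line cannot match anything; skip it
    return False, "principal not listed in .k5login"


def demo() -> None:
    """Constructed cases: the happy path and the three ways the check fails."""
    realms = ["AD.EXAMPLE.COM"]            # hypothetical default_realm
    accounts = {"mgerstner"}               # hypothetical local account
    cases = [
        ("mgerstner@AD.EXAMPLE.COM", "mgerstner", accounts, None),
        ("mgerstner@AD.EXAMPLE.COM", "mgerstner", set(), None),   # nsswitch miss
        ("mgerstner@ad.example.com", "mgerstner", accounts, None),  # realm case
        ("admin@AD.EXAMPLE.COM", "mgerstner", accounts, "admin@AD.EXAMPLE.COM\n"),
        ("eve@AD.EXAMPLE.COM", "mgerstner", accounts, "admin@AD.EXAMPLE.COM\n"),
    ]
    for principal, user, accts, k5 in cases:
        ok, why = kuserok(principal, user, realms, accts, k5)
        print(f"{principal:>28} -> {user:<10} {'ALLOW' if ok else 'DENY '} ({why})")


if __name__ == "__main__":
    demo()
```

Commenting krb5_kuserok() out, as the original poster did, removes all three steps at once: any principal the KDC will authenticate may then log in as any local account whose name the client supplies, so it is worth finding out which step fails (account lookup, realm spelling, or a missing .k5login entry) rather than disabling the check.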