How to Auth. SSH & SMB to external KDC or AD….?

    InfraredAD, Participant (post #356950)

    ❓ ❗ 😯

    The Big Fight: How to get SSH & SMB to do authorization against an external Kerberos KDC or to Active Directory…. and I have no clue.

    I am using Panther Server and I have obtained a krb5.keytab file from my university’s IT Security office with many entries in it. This way I can use the Kerberos KDC that is already in place for the whole university instead of relying on an internal KDC where I would have to store passwords, take care of authentication, etc.

    I knew what services to request a keytab for by looking at the keytab file that ships with 10.3 Server. From that I requested a keytab for:

    host/<PantherServerHostName>@<UNIVERSITY’SKERBREALM>
    afpserver/<PantherServerHostName>@<UNIVERSITY’SKERBREALM>
    ftp/<PantherServerHostName>@<UNIVERSITY’SKERBREALM>
    imap/<PantherServerHostName>@<UNIVERSITY’SKERBREALM>

    Now, the oo-neat thing is that I’m able to use the external KDC for afp, so when I log in on a client configured for LDAP that’s pointed to the Panther Server the keytab on the Panther Server acts as a middle-man for afp, allowing my home directory to properly mount and I’m able to use the Mac with my networked home directory. This only works with having the loginwindow.app configured to use kerberos, which is a snap. I’ve also got FTP to work against my university’s external KDC. Now on to the problem…..

    The two services I have left to tackle before I migrate our 10.2 server to Panther Server are SSH and SMB. I know, just by severely abusing Google’s ability to return any and all info on SMB, AD, and Kerberos, that getting SMB to work against Kerberos or AD is like trying to make an elephant fly.

    SSH is [i]supposed[/i] to be kerberized. But how do I get it to use the external KDC? I’ve looked in ssh_config and sshd_config but I seem to be missing something. Do I need to specify the correct principal in some other config file? I have the thought that the SSH that ships with Panther Server may need to be reinstalled via OpenSSH.org or something with a --with-kerberos5 or something… I’m not sure.

    So, the long and short of this long message is: how do I get the SSH that ships with Panther Server to do authorization against an external KDC? Also, how do I get SMB (or smbd) to do the same, or if that is not possible, against our large AD setup?

    Any and all help is greatly appreciated. I’m at a loss and I’ve spent the better part of 4, 5 hours, again, trying to get these two remaining services to authorize against something OTHER than the built-in KDC of Panther Server.

    Thanks for reading, and putting up with a long long message….
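The post above hinges on which service principals the university-issued krb5.keytab actually contains, since each kerberized daemon (sshd looks for host/…, the AFP server for afpserver/…, and so on) can only accept tickets for a principal whose key is in that file. The following script is an added example, not code from the original post or from Panther Server: it parses the MIT/Heimdal keytab file format (version 0x0502), lists every principal with its kvno and enctype, reports which of the four services named in the post have no entry for a given host, and flags entries keyed with single-DES or RC4, which an auditor would want to retire. The host name, realm and key bytes it builds are constructed placeholders; the keytab is assembled in memory so the example runs offline.

```python
import struct
from dataclasses import dataclass

# Services the post requested keytab entries for (assumption: same set as the 10.3 Server keytab).
REQUIRED_SERVICES = ("host", "afpserver", "ftp", "imap")

# Kerberos enctype numbers (RFC 3961/3962/4757). 1-3 are single DES, 23 is RC4-HMAC.
WEAK_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 23: "rc4-hmac"}


@dataclass
class KeytabEntry:
    principal: str   # e.g. host/panther.example.edu@EXAMPLE.EDU
    name_type: int   # 1 = KRB5_NT_PRINCIPAL
    timestamp: int
    kvno: int
    enctype: int
    key_len: int     # key material itself is deliberately not kept


def _counted_string(buf: bytes, off: int):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2: off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> list:
    """Parse a version-2 keytab (header 0x05 0x02) into KeytabEntry records."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab (expected 0x05 0x02 header)")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)   # signed: negative means a deleted slot
        off += 4
        if size < 0:
            off += -size                                  # skip the hole left by ktutil delete
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_string(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_string(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, key_len = struct.unpack_from(">HH", data, off)
        off += 4 + key_len                                # step over the key bytes without copying them
        kvno = vno8
        if end - off >= 4:                                # optional 32-bit kvno extension overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key_len))
        off = end
    return entries


def missing_services(entries: list, hostname: str, realm: str,
                     required=REQUIRED_SERVICES) -> list:
    """Return the services in `required` that have no principal for hostname@realm."""
    have = {e.principal for e in entries}
    return [svc for svc in required if f"{svc}/{hostname}@{realm}" not in have]


def weak_entries(entries: list) -> list:
    """Return (principal, enctype name) for every entry keyed with a weak enctype."""
    return [(e.principal, WEAK_ENCTYPES[e.enctype]) for e in entries if e.enctype in WEAK_ENCTYPES]


def build_keytab(principals, realm: str, enctype: int = 18, kvno: int = 2,
                 with_hole: bool = False) -> bytes:
    """Constructed test fixture: write a keytab with dummy (all-zero) key material."""
    out = b"\x05\x02"
    if with_hole:                                         # a 3-byte deleted slot, as left by ktutil
        out += struct.pack(">i", -3) + b"\x00" * 3
    for name in principals:
        comps = name.split("/")
        ent = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            ent += struct.pack(">H", len(c)) + c.encode()
        key = bytes(32)                                   # placeholder, never real key material
        ent += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        ent += struct.pack(">HH", enctype, len(key)) + key
        ent += struct.pack(">I", kvno)                    # 32-bit kvno extension
        out += struct.pack(">i", len(ent)) + ent
    return out


if __name__ == "__main__":
    host, realm = "panther.example.edu", "EXAMPLE.EDU"   # constructed placeholders
    kt = build_keytab([f"{s}/{host}" for s in ("host", "afpserver", "ftp")], realm)
    found = parse_keytab(kt)
    for e in found:
        print(f"{e.kvno:3d} enctype={e.enctype:2d} {e.principal}")
    print("missing:", missing_services(found, host, realm))
    print("weak   :", weak_entries(found))
```

On a real file, `klist -k /etc/krb5.keytab` gives the same listing; the point of doing it by hand is to see that the keytab is nothing more than the services' long-term keys, so it should be owned by root with mode 0600, and any principal you did not request (or any single-DES entry) is worth raising with the office that issued it.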
