Hai, You log are right. You are mssing this setting in smb.conf dedicated keytab file = /etc/krb5.keytab by default the keytab goes to /var/lib/samba/private/krb5.keytab but ssh uses /etc/krb5.keytab. realm = ad.proikt.com change that to : realm = AD.PROIKT.COM add : dedicated keytab file = /etc/krb5.keytab run : pam-auth-update restart winbind now enable these in sshd_config # GSSAPI options GSSAPIAuthentication yes GSSAPICleanupCredentials yes
restart ssh, now try again. If this does not work, export the keytab for you server again. https://wiki.samba.org/index.php/Generating_Keytabs This works fine as of samba 4.1.17 Debian jessie up to 4.5.8 Debian packages ( and my own package 4.5.10/4.6.5 ) if you want a good base for you setup. Go here , skip untill you see: Setup Jessie. ( that should work also on stretch ) https://lists.samba.org/archive/samba/2017-March/207452.html Review you setup based on whats there. I use that setup for the following. - file server - print server - proxy server - webserver. The main difference between file/print and proxy/web. The file and print have shares, my proxy/web servers not but all use sso kerberos auth with user dirs on NFSv4. ! If you use SSH with kerberos and SSO, dont forget to give you users a uid/gid. IMHO, bug report is not a bug but configuration error. Greetz, Louis
