samba4 + kerberos + pam

David Feurle david.feurle at sodgeit.de
Tue May 14 06:49:28 MDT 2013


Hi Denis,

thanks for your response. As far as I understand, the difference between your setup and mine is that you use samba3 as a client whilst I use samba4 on the client as well.
The reason is that I want users to be able to log in on the AD server (which is running samba4) and have their kerberos ticket set up.

When I set the same parameters as you do in /etc/pam.d/common-session, no kerberos ticket is created when logging in with the domain user.
I am using Ubuntu 12.04 which should be similar to your debian setup.

Thanks,

David

 
On Tuesday, 14 May 2013 14:20 CEST, Denis Cardon <denis.cardon at tranquil-it-systems.fr> wrote:
 
> Hi David,
> 
> > I have a problem with samba4 and PAM Kerberos Authentication.
> >
> > I can login to my machine using the domain user/password (using pam) and manually create the Kerberos ticket (kinit).
> > Now I want to automatically create a kerberos ticket on login.
> >
> > As stated in the wiki (https://wiki.samba.org/index.php/PAM_Kerberos_Authentication) I need to create the config file in /etc/security/pam_winbind.conf with the corresponding settings.
> >
> > krb5_auth = yes
> > krb5_ccache_type = FILE
> >
> > I'm nearly sure that this file is used since I can set the debug option in there and it is used. When I login with a domain user /var/log/auth.log states success of kerberos and I have a shell, but no ticket is created.
> >
> > I'm using a self compiled version of samba (4.0.5).
> >
> > Is this a bug in samba4 or am I missing something?
> 
> here we are using samba 4.0.5 AD server and pam_winbind auth for linux 
> clients and it does create the credential cache file properly. My Linux 
> clients are debian squeeze or wheezy based, and I have no experience 
> with redhat flavored linux though.
> 
> By the way I don't see why the kerberos cache on client would have 
> something to do with the kerberos server.
> 
> I don't know if there is an equivalent of /etc/security/pam_winbind.conf 
> on debian, but I have the same parameters directly in the pam.d files :
> 
> $ cat /etc/pam.d/common-session
> session	 [default=1]			pam_permit.so
> session	 requisite			pam_deny.so
> session	 required			pam_permit.so
> session	 required	                pam_unix.so
> session	 optional			pam_ck_connector.so nox11
> session	 required			pam_mkhomedir.so silent skel=/etc/skel.empty
> session  optional                       pam_winbind.so krb5_auth krb5_ccache_type=FILE
> 
> I am sure my credential cache is correctly populated at logon since I 
> use it for authentication on apache and file servers.
> 
> Cheers,
> 
> Denis
> 
> >
> > Thanks!
> >
> > David
> >
> 
> 
> -- 
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0) 2.40.97.57.55
> http://www.tranquil-it-systems.fr
> 
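
Added example, not part of the original messages: a small Python check that lists where the two options discussed in this thread (`krb5_auth`, `krb5_ccache_type`) are set, both as `pam_winbind.so` module arguments in a pam.d stack and in `pam_winbind.conf`. The sample inputs are constructed from the settings quoted above, and the function names are hypothetical.

```python
import re

# Constructed samples modelled on the two configurations quoted in this thread.
SAMPLE_PAM_STACK = """\
session [default=1]   pam_permit.so
session requisite     pam_deny.so
session required      pam_unix.so
session optional      pam_winbind.so krb5_auth krb5_ccache_type=FILE
"""
SAMPLE_WINBIND_CONF = """\
[global]
debug = yes
krb5_auth = yes
krb5_ccache_type = FILE
"""
OPTIONS = ("krb5_auth", "krb5_ccache_type")

def parse_pam_stack(text):
    """Return (type, control, module, args) for each rule line of a pam.d file."""
    rules = []
    for line in text.splitlines():
        # The control field is a single word or a bracketed list such as [default=1].
        m = re.match(r"\s*(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line.split("#", 1)[0])
        if m:  # blank lines, comments and @include lines do not match
            rules.append((m[1], m[2], m[3], m[4].split()))
    return rules

def winbind_args(rules):
    """Map each stack type to the krb5 options given to pam_winbind.so as arguments."""
    found = {}
    for ptype, _control, module, args in rules:
        if module.rsplit("/", 1)[-1] == "pam_winbind.so":
            pairs = (arg.partition("=") for arg in args)
            found.setdefault(ptype, {}).update(  # a bare flag is recorded as "yes"
                {k: v or "yes" for k, _, v in pairs if k in OPTIONS})
    return found

def parse_winbind_conf(text):
    """Collect the krb5 options set as key = value lines in pam_winbind.conf."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() in OPTIONS:  # comments and [section] headers never match
            conf[key.strip()] = value.strip()
    return conf

if __name__ == "__main__":
    print("module args:", winbind_args(parse_pam_stack(SAMPLE_PAM_STACK)))
    print("conf file:  ", parse_winbind_conf(SAMPLE_WINBIND_CONF))
```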
 
 
 
 

