samba4 + kerberos + pam
David Feurle
david.feurle at sodgeit.de
Tue May 14 06:49:28 MDT 2013
Hi Denis,
thanks for your response. As far as I understand the difference between your setup and mine is that you use samba3 as a client whilst I use samba4 as well on the client.
The reason is that I want users to be able to log in on the AD server (which is running samba4) and have their kerberos ticket set up.
When I set the same parameters as you do in /etc/pam.d/common-session no kerberos ticket is created when logging in with the domain user.
I am using Ubuntu 12.04 which should be similar to your debian setup.
Thanks,
David
On Tuesday, 14 May 2013 14:20 CEST, Denis Cardon <denis.cardon at tranquil-it-systems.fr> wrote:
> Hi David,
>
> > I have a problem with samba4 and PAM Kerberos Authentication.
> >
> > I can login to my machine using the domain user/password (using pam) and manually create the Kerberos ticket (kinit).
> > Now I want to automatically create a kerberos ticket on login.
> >
> > As stated in the wiki (https://wiki.samba.org/index.php/PAM_Kerberos_Authentication) I need to create the config file in /etc/security/pam_winbind.conf with the corresponding settings.
> >
> > krb5_auth = yes
> > krb5_ccache_type = FILE
> >
> > I'm nearly sure that this file is used since I can set the debug option in there and it is used. When I login with a domain user /var/log/auth.log states success of kerberos and I have a shell, but no ticket is created.
> >
> > I'm using a self compiled version of samba (4.0.5).
> >
> > Is this a bug in samba4 or am I missing something?
>
> here we are using samba 4.0.5 AD server and pam_winbind auth for linux
> clients and it does create the credential cache file properly. My Linux
> clients are debian squeeze or wheezy based, and I have no experience
> with redhat flavored linux though.
>
> By the way I don't see why the kerberos cache on client would have
> something to do with the kerberos server.
>
> I don't know if there is an equivalent of /etc/security/pam_winbind.conf
> on debian, but I have the same parameters directly in the pam.d files :
>
> $ cat /etc/pam.d/common-session
> session [default=1] pam_permit.so
> session requisite pam_deny.so
> session required pam_permit.so
> session required pam_unix.so
> session optional pam_ck_connector.so nox11
> session required pam_mkhomedir.so silent skel=/etc/skel.empty
> session optional pam_winbind.so krb5_auth krb5_ccache_type=FILE
>
> I am sure my credential cache is correctly populated at logon since I
> use it for authentication on apache and file servers.
>
> Cheers,
>
> Denis
>
> >
> > Thanks!
> >
> > David
> >
>
>
> --
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0) 2.40.97.57.55
> http://www.tranquil-it-systems.fr
>
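The following script is an added example, not part of the thread or of Samba: it lists the krb5_* options on each active pam_winbind.so line of a pam.d file, reads the same settings from a pam_winbind.conf style file, and reports whether the session's credential cache file exists. The function names are hypothetical, the sample files are constructed from the settings quoted above, and the fallback cache path /tmp/krb5cc_<uid> is assumed as the FILE default.

```shell
#!/bin/sh
# Added example: where is pam_winbind told to use Kerberos, and does the
# login session actually have a credential cache? Function names are made up.

# List the krb5_* options on each active pam_winbind.so line of a pam.d file.
pam_winbind_opts() {  # $1 = pam.d file
    awk '!/^[ \t]*#/ && /pam_winbind\.so/ {
        opts = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^krb5_/) opts = opts " " $i
        if (opts == "") opts = " none"
        print $1 ":" opts
    }' "$1"
}

# Read one "key = value" setting from a pam_winbind.conf style file.
conf_value() {  # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Report whether the cache named by KRB5CCNAME (or the assumed FILE default) exists.
ccache_status() {
    cc=${KRB5CCNAME:-FILE:/tmp/krb5cc_$(id -u)}
    case $cc in
        FILE:*) path=${cc#FILE:} ;;
        /*)     path=$cc ;;
        *)      echo "unchecked $cc"; return 0 ;;
    esac
    if [ -s "$path" ]; then echo "present $path"; else echo "missing $path"; fi
}

# Constructed sample files mirroring the settings quoted in the thread.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '[global]' 'krb5_auth = yes' 'krb5_ccache_type = FILE' \
    > "$demo/pam_winbind.conf"
printf '%s\n' 'session required pam_unix.so' \
    'session optional pam_winbind.so krb5_auth krb5_ccache_type=FILE' \
    '# session optional pam_winbind.so' > "$demo/common-session"

pam_winbind_opts "$demo/common-session"
echo "krb5_auth=$(conf_value "$demo/pam_winbind.conf" krb5_auth)"
echo "krb5_ccache_type=$(conf_value "$demo/pam_winbind.conf" krb5_ccache_type)"
ccache_status
```

On a real client, point the functions at the files under /etc/pam.d and at /etc/security/pam_winbind.conf, and run ccache_status from inside the freshly logged-in session.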