[Samba] Can pam_winbind be configured to issue Kerberos tickets on user validation?

j T hyvan_trant at hotmail.com
Sat Apr 8 10:18:54 GMT 2006


I have Samba 3 running on Fedora 4, configured to use pam_winbind to 
validate user logins against my W2K ADS. Logins are fully functional using 
names such as adsdomain.adsuser (I have the full stop character configured as 
my winbind separator).

This is all working fine.

What I would now like to do is to have a Kerberos ticket from the ADS 
Kerberos realm issued to the user that has just logged in, without the user 
having to re-validate themselves using kinit.

The idea is that the ticket would be available to the Linux user for using 
with smbclient, etc., without them having to provide credentials that they 
have already provided at login...

I've tried to use the pam_krb5 module, but as PAM modules validate the user 
as given, pam_krb5 is trying to match the password to 
adsdomain.adsuser at ADSDOMAIN.REALM....  so it fails.

Is there any way to make pam_winbind issue a Kerberos ticket to the user 
after they have been successfully validated?

My PAM "login" configuration file (which is the same as my "sshd" file) is 
as follows.

--- Top of: /etc/pam.d/login ---
auth       required     pam_securetty.so
auth       required     pam_env.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so use_first_pass likeauth nullok
auth       required     pam_deny.so
auth       required     pam_nologin.so

account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth

password   required     pam_stack.so service=system-auth

session    required     pam_selinux.so close
session    required     pam_mkhomedir.so skel=/etc/skel umask=0077
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_timestamp.so
session    optional     pam_console.so
session    required     pam_selinux.so multiple open

--- End of: /etc/pam.d/login ----

Thanks for your help!


jT | mail to: hyvan_trant at hotmail.com
** | website: http://www.chiark.greenend.org.uk/~jsturner/

