[Samba] Can pam_winbind be configured to issue Kerberos tickets on
hyvan_trant at hotmail.com
Sat Apr 8 10:18:54 GMT 2006
I have Samba 3 running on Fedora 4, configured to use pam_winbind to
validate user logins against my W2K ADS. Logins are fully functional using
names such as adsdomain.adsuser (I have the fullstop character configured as
my winbind separator).

This is all working fine.

What I would now like to do is to have a Kerberos ticket from the ADS
Kerberos realm issued to the user that has just logged in, without the user
having to re-validate themselves using kinit.

The idea is that the ticket would be available to the Linux user for using
with smbclient, etc without them having to provide credentials that they
have already provided at login...

I've tried to use the pam_krb5 module, but as pam modules validate the user
as given, pam_krb5 is trying to match the password to
adsdomain.adsuser at ADSDOMAIN.REALM.... so it fails.

Is there any way to make pam_winbind issue a Kerberos ticket to the user
after they have been successfully validated?

My PAM "login" configuration file (which is the same as my "sshd" file) is
--- Top of: /etc/pam.d/login ---
auth required pam_securetty.so
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass likeauth nullok
auth required pam_deny.so
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_selinux.so close
session required pam_mkhomedir.so skel=/etc/skel umask=0077
session required pam_stack.so service=system-auth
session required pam_loginuid.so
session optional pam_timestamp.so
session optional pam_console.so
session required pam_selinux.so multiple open
--- End of: /etc/pam.d/login ----
Thanks for your help!
jT | mail to: hyvan_trant at hotmail.com
** | website: http://www.chiark.greenend.org.uk/~jsturner/