[Samba] Winbind fails to refresh Kerberos tickets (3.0.25b - Fedora Core 5) - 2nd Try

Rick King RKing at JaneStCapital.com
Tue Aug 14 14:15:37 GMT 2007


This is the second attempt at sending this. Apologies for any duplicates.

I've got Winbind up and running to authenticate our users against our AD 
and to save Kerberos tickets. I have used the "winbind refresh tickets = 
yes" setting, expecting this to renew these Kerberos tickets before they 
expire. This does not appear to work. Gnome will pop up a dialog box 
saying that the credentials have expired. At winbind log level 10 I 
can't see anything that suggests the refresh is happening.

I'm running a vanilla Samba 3.0.25b on 64-bit Fedora Core 5. This was 
locally built into an RPM using the Fedora spec file for 2.0.24 (after 
removing all patches and adding the extra files that 3.0.25b has).

Is there some setting I'm missing or is it something more complex? I'd 
very much appreciate any help I can get in getting this working.

Many Thanks,

Rick King

Config/Log Files:

smb.conf:

[global]
       domain master = no
       local master = no
       preferred master = no
       winbind cache time = 300
       template shell = /bin/bash
       template homedir = /home/%U
       idmap domains = ALLDOMAINS
       idmap config ALLDOMAINS:backend      = ad
       idmap config ALLDOMAINS:default      = yes
       idmap config ALLDOMAINS:range        = 500 - 300000000
       idmap config ALLDOMAINS:schema_mode  = rfc2307
       idmap alloc backend = tdb
       idmap alloc config:range       = 300000001 - 300005000
       winbind nss info = rfc2307 template
       winbind enum users = yes
       winbind enum groups = yes
       workgroup = XXXXXXX
       realm = XXXXXXX
       security = ads
       password server = *
       winbind refresh tickets = yes
       use kerberos keytab = yes
       client lanman auth = no
       client ntlmv2 auth = yes

/etc/pam.d/system-auth:
#%PAM-1.0

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_winbind.so use_first_pass krb5_auth krb5_ccache_type=FILE debug
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     sufficient    pam_winbind.so krb5_auth krb5_ccache_type=FILE debug
session     required      pam_unix.so

/var/log/secure: [The ticket expired during the night between these log 
events]

Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): [pamh: 0x0061b220] ENTER: 
pam_sm_authenticate (flags: 0x0000)
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): getting password (0x00000191)
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): pam_get_item returned a password
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): Verify user 'rking'
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): PAM config: krb5_ccache_type 'FILE'
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): enabling krb5 login flag
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): enabling request for a FILE krb5 
ccache
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): user 'rking' granted access
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): request returned KRB5CCNAME: 
FILE:/tmp/krb5cc_10001
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): Returned user was 'rking'
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): [pamh: 0x0061b220] LEAVE: 
pam_sm_authenticate returning 0
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:account): user 'rking' OK
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:account): user 'rking' granted access
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:setcred): [pamh: 0x0061b220] ENTER: 
pam_sm_setcred (flags: 0x0008)
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:setcred): PAM_REINITIALIZE_CRED not 
implemented
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:setcred): [pamh: 0x0061b220] LEAVE: 
pam_sm_setcred returning 0
Aug  9 19:21:37 pc15 gnome-screensaver-dialog: 
pam_unix(gnome-screensaver:auth): authentication failure; logname= 
uid=10001 euid=10001 tty=:0.0 ruser= rhost=  user=rking
Aug  9 19:21:37 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): [pamh: 0x0061b270] ENTER: 
pam_sm_authenticate (flags: 0x0000)
Aug  9 19:21:37 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): getting password (0x00000191)
Aug  9 19:21:37 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): pam_get_item returned a password
Aug  9 19:21:37 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): Verify user 'rking'
Aug  9 19:21:37 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): PAM config: krb5_ccache_type 'FILE'
Aug  9 19:21:37 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): enabling krb5 login flag
Aug  9 19:21:37 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): enabling request for a FILE krb5 
ccache
Aug  9 19:21:37 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): user 'rking' granted access
Aug  9 19:21:37 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): request returned KRB5CCNAME: 
FILE:/tmp/krb5cc_10001
Aug  9 19:21:37 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): Returned user was 'rking'
Aug  9 19:21:37 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): [pamh: 0x0061b270] LEAVE: 
pam_sm_authenticate returning 0
Aug  9 19:21:37 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:account): user 'rking' OK
Aug  9 19:21:37 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:account): user 'rking' granted access
Aug  9 19:21:37 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:setcred): [pamh: 0x0061b270] ENTER: 
pam_sm_setcred (flags: 0x0008)
Aug  9 19:21:37 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:setcred): PAM_REINITIALIZE_CRED not 
implemented
Aug  9 19:21:37 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:setcred): [pamh: 0x0061b270] LEAVE: 
pam_sm_setcred returning 0
Aug 10 04:02:04 pc15 su: pam_winbind(su:session): [pamh: 0x5565c430] 
ENTER: pam_sm_open_session (flags: 0x0000)
Aug 10 04:02:04 pc15 su: pam_winbind(su:session): [pamh: 0x5565c430] 
LEAVE: pam_sm_open_session returning 0
Aug 10 08:38:05 pc15 gnome-screensaver-dialog: 
pam_unix(gnome-screensaver:auth): authentication failure; logname= 
uid=10001 euid=10001 tty=:0.0 ruser= rhost=  user=rking
Aug 10 08:38:05 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): [pamh: 0x0061cd00] ENTER: 
pam_sm_authenticate (flags: 0x0000)
Aug 10 08:38:05 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): getting password (0x00000191)
Aug 10 08:38:05 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): pam_get_item returned a password
Aug 10 08:38:05 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): Verify user 'rking'
Aug 10 08:38:05 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): PAM config: krb5_ccache_type 'FILE'
Aug 10 08:38:05 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): enabling krb5 login flag
Aug 10 08:38:05 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): enabling request for a FILE krb5 
ccache
Aug 10 08:38:05 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): user 'rking' granted access
Aug 10 08:38:05 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): request returned KRB5CCNAME: 
FILE:/tmp/krb5cc_10001

I also have log.winbindd but it is very long and doesn't seem to have 
anything relevant to Kerberos in it. I can provide it if it would help.
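
An added example, not part of the original post and not Samba code: a Python triage script that rejoins mail-wrapped /var/log/secure entries like those above and lists when pam_winbind handed back a credential cache, flagging any ccache that went longer than one ticket lifetime without being reissued. The sample lines are constructed in the shape of the excerpt; the function names, the year 2007 and the 10-hour lifetime are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample in the shape of the mail-wrapped /var/log/secure excerpt.
SAMPLE = """\
Aug  9 16:39:44 pc15 gnome-screensaver-dialog:
pam_winbind(gnome-screensaver:auth): request returned KRB5CCNAME:
FILE:/tmp/krb5cc_10001
Aug  9 19:21:37 pc15 gnome-screensaver-dialog:
pam_winbind(gnome-screensaver:auth): request returned KRB5CCNAME:
FILE:/tmp/krb5cc_10001
Aug 10 08:38:05 pc15 gnome-screensaver-dialog:
pam_winbind(gnome-screensaver:auth): request returned KRB5CCNAME:
FILE:/tmp/krb5cc_10001
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
ISSUED = re.compile(r"pam_winbind\(([^:]+):auth\): request returned KRB5CCNAME: (\S+)")

def unwrap(text):
    """Rejoin wrapped entries: a line with no syslog timestamp continues the previous one."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if entries and not STAMP.match(line):
            entries[-1] += " " + line
        else:
            entries.append(line)
    return entries

def ccache_issues(text, year):
    """(time, PAM service, ccache) per ccache returned at auth; syslog omits the year, so pass it."""
    out = []
    for entry in unwrap(text):
        m = ISSUED.search(entry)
        if m:
            when = datetime.strptime(f"{year} {entry[:15]}", "%Y %b %d %H:%M:%S")
            out.append((when, m.group(1), m.group(2)))
    return out

def unrefreshed_gaps(issues, lifetime):
    """(ccache, previous issue, next issue) wherever more than `lifetime` passed in between."""
    last, gaps = {}, []
    for when, _svc, cc in issues:
        if cc in last and when - last[cc] > lifetime:
            gaps.append((cc, last[cc], when))
        last[cc] = when
    return gaps

if __name__ == "__main__":
    for cc, t0, t1 in unrefreshed_gaps(ccache_issues(SAMPLE, 2007), timedelta(hours=10)):  # assumed values
        print(f"{cc}: no new ccache between {t0} and {t1}")
```

Each flagged window is a span in which the ticket lifetime elapsed between two interactive logins, so log.winbindd for that window is the place to look for refresh activity. Take the real lifetime from `klist` output for the cache rather than the assumed value.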

