[Samba] Getting no ticket cache from pam_winbind [solved]

Assarsson, Emil Emil.Assarsson at sonyericsson.com
Mon Dec 6 07:30:16 MST 2010


I finally found out why I didn't get any Kerberos tickets!
Something in /var/lib/samba was broken and when I cleared that directory it worked.

/etc/init.d/winbind stop
/etc/init.d/smbd stop
/etc/init.d/nmbd stop

rm -rf /var/lib/samba

/etc/init.d/nmbd start
/etc/init.d/smbd start
/etc/init.d/winbind start

net ads join -U adminuser

(I actually purged the winbind package but I don't see the reason why that should be needed) 

Emil Assarsson

-----Original Message-----
From: Assarsson, Emil 
Sent: Wednesday, 1 December 2010 18:51
To: 'samba at lists.samba.org'
Subject: RE: Getting no ticket cache from pam_winbind

Hi again,

According to the man files it should work, but I'm not even getting close to solving this issue :-/
I have maxed out logging but nothing seems to have anything to do with this.
I have tried to run "strace su - username" and strace on the winbindd process, and I can't see anything that even tries to write a krb5cc.

What part of the system should create the cc files?
Can anyone please give me a hint how I can trace this problem?

Emil Assarsson

-----Original Message-----
From: Assarsson, Emil 
Sent: Monday, 29 November 2010 16:13
To: samba at lists.samba.org
Subject: Getting no ticket cache from pam_winbind

Hi all,

I'm trying to get pam_winbind to create a ticket cache on login if the AD is available.

Please note that this is an Ubuntu Lucid system.

When I trace this with Wireshark, it receives a TGT ticket for the user.
The current solution is to use pam_krb5 before attempting winbind. That gives me a ticket cache. 
The main problem is that if the user enters the wrong password it does two login attempts with 
the same credentials (or I have to do a messy config in pam).

----- /etc/pam.d/common-auth -----
# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
auth    [default=done]          pam_afs_session.so

Best regards

Emil Assarsson
Sony Ericsson Mobile Communications AB
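
An added example, not part of the original thread: a small Python check that resolves the [success=N] jumps in the common-auth stack quoted in the first message and confirms that the pam_winbind.so line carries the Kerberos options. The function names (parse_stack, success_target, audit_winbind) are hypothetical; the sample stack is copied from the message with its comment lines dropped.

```python
import re

# The auth stack quoted in the message above, comment lines dropped.
COMMON_AUTH = """\
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    [default=done]          pam_afs_session.so
"""

def parse_stack(text, facility="auth"):
    """Return [(control, module, args)] for one PAM facility, in stack order."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m and m.group(1) == facility:
            entries.append((m.group(2), m.group(3), m.group(4).split()))
    return entries

def success_target(entries, index):
    """Module run next when entries[index] succeeds; success=N skips N modules.
    Returns None when the control field has no numeric success jump."""
    m = re.search(r"\bsuccess=(\d+)\b", entries[index][0])
    if not m:
        return None
    target = index + 1 + int(m.group(1))
    return entries[target][1] if target < len(entries) else "<end of stack>"

def audit_winbind(entries):
    """List findings for every pam_winbind.so line in the stack."""
    findings = []
    for i, (_control, module, args) in enumerate(entries):
        if module != "pam_winbind.so":
            continue
        if "krb5_auth" not in args:
            findings.append("krb5_auth not set on the module line")
        if not any(a.startswith("krb5_ccache_type=") for a in args):
            findings.append("krb5_ccache_type not set on the module line")
        if success_target(entries, i) == "pam_deny.so":
            findings.append("success jump lands on pam_deny.so")
    return findings

if __name__ == "__main__":
    stack = parse_stack(COMMON_AUTH)
    for i, (control, module, _args) in enumerate(stack):
        print(f"{module:22} {control:28} on success -> {success_target(stack, i)}")
    print("findings:", audit_winbind(stack) or "none")
```

The quoted stack produces no findings, which matches the thread's outcome: the PAM configuration was not the cause. pam_winbind options can also be set in /etc/security/pam_winbind.conf, so a "not set on the module line" finding means that file should be checked as well.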
