[Samba] Getting no ticket cache from pam_winbind

Assarsson, Emil Emil.Assarsson at sonyericsson.com
Mon Nov 29 08:13:01 MST 2010

Hi all,

I'm trying to get pam_winbind to create ticket cache on login if the AD is available.

Please note that this is an Ubuntu Lucid system.

When trace this with wireshark it receives a TGT ticket for the user.
The current solution is to use pam_krb5 before attempting winbind. That gives me a ticket cache. 
The main problem is that if the user enters the wrong password it does two login attempts with 
the same credentials (or I have to do a messy config in pam).

----- /etc/pam.d/common-auth -----
# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
auth    [default=done]          pam_afs_session.so

Best regards

Emil Assarsson
Sony Ericsson Mobile Communications AB

"The information in this email, and attachment(s) thereto, is strictly confidential and may be legally privileged. It is intended solely for the named recipient(s), and access to this e-mail, or any attachment(s) thereto, by anyone else is unauthorized. Violations hereof may result in legal actions. Any attachment(s) to this e-mail has been checked for viruses, but please rely on your own virus-checker and procedures. If you contact us by e-mail, we will store your name and address to facilitate communications in the matter concerned. If you do not consent to us storing your name and address for above stated purpose, please notify the sender promptly. Also, if you are not the intended recipient please inform the sender by replying to this transmission, and delete the e-mail, its attachment(s), and any copies of it without, disclosing it."

More information about the samba mailing list