[Samba] Samba4: winbind does not grant kerberos authentication
steve
steve at steve-ss.com
Sun Aug 12 01:22:49 MDT 2012
Hi
I have winbind setup and authentication is OK.
samba4 log:
auth_check_password_send: Checking password for unmapped user [ALTEA]\[lynn2]@[HH30]
auth_check_password_send: mapped user is: [ALTEA]\[lynn2]@[HH30]
Linux log:
Aug 12 09:05:00 hh30 su: pam_winbind(su:auth): getting password (0x00000000)
Aug 12 09:05:01 hh30 su: pam_winbind(su:auth): user 'ALTEA\lynn2' granted access
Aug 12 09:05:01 hh30 su: pam_winbind(su:account): user 'ALTEA\lynn2' granted access
Aug 12 09:05:01 hh30 su: (to ALTEA\lynn2) steve on /dev/pts/2
However, the user cannot access his kerberized nfs home directory because he
does not have a ticket. He has to do a kinit before he can access the nfs
share.
Here are the pam settings:
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix2.so use_first_pass
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account sufficient pam_winbind.so
account requisite pam_unix2.so
account required pam_krb5.so use_first_pass ignore_unknown_principals
account required pam_localuser.so
session required pam_winbind.so
session required pam_limits.so
session required pam_unix2.so
session optional pam_krb5.so
session optional pam_umask.so
session optional pam_systemd.so
in /etc/nsswitch.conf:
passwd: files winbind
group: files winbind
I've tried putting the pam_krb5.so entry before the winbind entry but then
we cannot authenticate because ALTEAlynn2 (not lynn2 nor ALTEA\lynn2) is
passed to Kerberos and of course ALTEAlynn2 is not found in the database.
How do I get winbind authentication and Kerberos authentication at the same
time?
Cheers,
Steve
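Added example, not part of Steve's post or of any reply on the list: the mechanism that usually covers this case is pam_winbind's own Kerberos support. Its documented options `krb5_auth` (authenticate against the DC with Kerberos instead of NTLM) and `krb5_ccache_type=FILE` (keep the TGT obtained during that authentication in a file credential cache and export it via KRB5CCNAME) let the winbind step itself leave the user with a ticket, so no separate pam_krb5 auth entry, and no name-mapping between the two modules, is needed for the kerberized NFS home to work. The script below shows the intended auth line and provides a small check that tells you whether a PAM auth file carries both options on its pam_winbind line; the two sample PAM files it creates are constructed for the demonstration (the first mirrors the stack in the post).

```shell
#!/bin/sh
# Added example (not from the original post). Checks whether a PAM "auth"
# file asks pam_winbind to authenticate with Kerberos AND to store the
# resulting TGT, which is what a kerberized NFS home directory needs at
# login. pam_winbind's documented options for this are:
#   krb5_auth               - authenticate against the DC using Kerberos
#   krb5_ccache_type=FILE   - keep the obtained TGT in a file ccache
# The same two settings may instead be placed in
# /etc/security/pam_winbind.conf.
#
# Intended auth line (replaces the bare "auth sufficient pam_winbind.so"):
#   auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE

# Print "yes" if FILE has an uncommented auth line for pam_winbind.so that
# carries both options, otherwise print "no".
winbind_auth_gets_ticket() {
    awk '
        /^[[:space:]]*#/ { next }                 # skip comment lines
        $1 == "auth" && /pam_winbind\.so/ {
            has_auth = 0; has_cc = 0
            for (i = 1; i <= NF; i++) {           # scan every field for the options
                if ($i == "krb5_auth") has_auth = 1
                if ($i ~ /^krb5_ccache_type=/) has_cc = 1
            }
            if (has_auth && has_cc) found = 1
        }
        END { print (found ? "yes" : "no") }
    ' "$1"
}

# Constructed sample files: the stack as posted, and the corrected stack.
tmpdir=$(mktemp -d)
cat > "$tmpdir/auth-as-posted" <<'EOF'
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix2.so use_first_pass
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
EOF
cat > "$tmpdir/auth-fixed" <<'EOF'
auth required pam_env.so
# pam_winbind now obtains the TGT itself; no pam_krb5 auth line is needed
auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth sufficient pam_unix2.so use_first_pass
auth required pam_deny.so
EOF

echo "as posted: $(winbind_auth_gets_ticket "$tmpdir/auth-as-posted")"   # prints no
echo "fixed:     $(winbind_auth_gets_ticket "$tmpdir/auth-fixed")"       # prints yes
```

To confirm the change on a real box, run the check against the auth file your distribution uses (for example /etc/pam.d/common-auth, or the su service file), log in as the domain user, and run `klist`: with the options in place the output should list a krbtgt/REALM@REALM entry without any manual kinit. winbindd must be talking to an AD-style domain controller for `krb5_auth` to succeed; if it cannot, pam_winbind falls back to NTLM and no ticket is obtained.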