[Samba] kerberos ticket on login problem

Jason Keltz jas at eecs.yorku.ca
Thu Aug 6 18:35:35 UTC 2020


Rowland or others,

We have upgraded from Samba 4.10 + Winbind to Samba 4.11.11 + winbind.

I am still unable to get krb5_ccache_type of KEYRING working with 
pam_winbind, and I don't know how to debug the problem.

In /etc/security/pam_winbind.conf:

krb5_ccache_type = KEYRING

In /etc/krb5.conf

default_ccache_name = KEYRING:persistent:%{uid}

If I'm on the system already and run "kinit jas" it works with KEYRING - 
in klist output:

Ticket cache: KEYRING:persistent:1004:1004

...

But if I kdestroy, then login remotely ..

klist: Credentials cache keyring 'persistent:1004:1004' not found

I know that using krb5_ccache_type = FILE in 
/etc/security/pam_winbind.conf, and commenting the default_ccache_name 
from /etc/krb5.conf, it works perfectly, but it uses a file in /tmp.  I 
don't want that.  However, it's not clear what I can do to debug this 
issue on my end.  According to the pam_winbind man page, "we suggest to 
use KEYRING as those are the most secure and predictable method."

I've asked before, and haven't received any feedback.  If you don't have 
a suggestion on how I might debug this issue, I guess I'll assume it's a 
bug, and submit as such along that route.

Thanks for any help you can provide.

Jason.

On 7/29/2020 11:57 AM, Jason Keltz wrote:
> On 7/28/2020 4:11 PM, Jason Keltz wrote:
>
>>
>> On 7/28/2020 3:59 PM, Jason Keltz via samba wrote:
>>> I'm experimenting with smb + winbind.
>>>
>>> My host is joined to AD and I can login to my host fine using my AD 
>>> credentials via SSH.   The only issue is that I don't get a Kerberos 
>>> ticket generated.
>>>
>>> In /etc/security/pam_winbind.conf I have:
>>>
>>> krb5_auth = yes
>>>
>>> krb5_ccache_type = KEYRING
>>>
>>> In /etc/krb5.conf, I also have:
>>>
>>> default_ccache_name = KEYRING:persistent:%{uid}
>>>
>>> Using wbinfo -K jas, then entering my password, I see:
>>>
>>> plaintext kerberos password authentication for [jas] succeeded 
>>> (requesting cctype: FILE)
>>> credentials were put in: FILE:/tmp/krb5cc_1004
>>>
>>> [It writes the keyring to a file even though I've specified 
>>> KEYRING.  I don't know if wbinfo automatically writes to FILE or 
>>> whether it reads pam_winbind.conf and should be writing to KEYRING).
>>>
>>> If I remove the file, and ssh to the system, I don't get a Kerberos 
>>> ticket.
>>>
>>> I know the pam_winbind.conf file is being read on login because the 
>>> "require_membership_of" line I'm using works.
>>>
>>> Any thoughts?
>>>
>>> Jason
>>
>> By the way, just to add,  /etc/pam.d/password-auth and 
>> /etc/pam.d/system-auth both look like this:
>>
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth        required      pam_env.so
>> auth        required      pam_faildelay.so delay=2000000
>> auth        sufficient    pam_unix.so nullok try_first_pass
>> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
>> auth        sufficient    pam_winbind.so cached_login use_first_pass
>> auth        required      pam_deny.so
>> account     required      pam_unix.so broken_shadow
>> account     sufficient    pam_localuser.so
>> account     sufficient    pam_succeed_if.so uid < 1000 quiet
>> account     [default=bad success=ok user_unknown=ignore] 
>> pam_winbind.so cached_login
>> account     required      pam_permit.so
>> password    requisite     pam_pwquality.so try_first_pass 
>> local_users_only retry=3 authtok_type=
>> password    sufficient    pam_unix.so sha512 shadow nullok 
>> try_first_pass use_authtok
>> password    sufficient    pam_winbind.so use_authtok
>> password    required      pam_deny.so
>> session     optional      pam_keyinit.so revoke
>> session     required      pam_limits.so
>> -session     optional      pam_systemd.so
>> session     optional      pam_oddjob_mkhomedir.so umask=0077
>> session     [success=1 default=ignore] pam_succeed_if.so service in 
>> crond quiet use_uid
>> session     required      pam_unix.so
>> session     optional      pam_winbind.so cached_login
>
>
> I noticed that wbinfo has a --krb5ccname arg so I tried:
>
> % klist
> klist: Credentials cache keyring 'persistent:1004:1004' not found
> % /xsys/pkg/samba/bin/wbinfo --krb5ccname="KEYRING" -K jas
> Enter jas's password:
> plaintext kerberos password authentication for [jas] succeeded 
> (requesting cctype: KEYRING)
> brayden 305 % klist
> klist: Credentials cache keyring 'persistent:1004:1004' not found
>
> I also enabled extended debugging and during login:
>
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] ENTER: 
>> pam_sm_authenticate (flags: 0x0000)
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: 
>> ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_USER) 
>> = "jas" (0xb4fd60)
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_TTY) 
>> = "xrdp-sesman" (0xb4d6a0)
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: 
>> ITEM(PAM_AUTHTOK) = 0xb4fd80
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_CONV) 
>> = 0xb47530
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): getting password (0x000013d1)
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): pam_get_item returned a password
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): Verify user 'jas'
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): CONFIG file: require_membership_of 
>> 'EECSYORKUCA\hc_research'
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): CONFIG file: krb5_ccache_type 'KEYRING'
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): enabling krb5 login flag
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): enabling cached login flag
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): enabling request for a KEYRING krb5 
>> ccache
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): no sid given, looking up: 
>> EECSYORKUCA\hc_research
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): request wbcLogonUser succeeded
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): user 'jas' granted access
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): Returned user was 'jas'
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] LEAVE: 
>> pam_sm_authenticate returning 0 (PAM_SUCCESS)
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: 
>> ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_USER) 
>> = "jas" (0xb52510)
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_TTY) 
>> = "xrdp-sesman" (0xb4d6a0)
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: 
>> ITEM(PAM_AUTHTOK) = 0xb4fd80
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_CONV) 
>> = 0xb47530
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: 
>> DATA(PAM_WINBIND_HOMEDIR) = "\\PCSERVER1\homes" (0xb52e00)
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: 
>> DATA(PAM_WINBIND_LOGONSCRIPT) = "default.bat" (0xb52e80)
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]: 
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: 
>> DATA(PAM_WINBIND_LOGONSERVER) = "DC1" (0xb54280)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] ENTER: 
>> pam_sm_setcred (flags: 0x0002)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: 
>> ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: 
>> ITEM(PAM_USER) = "jas" (0xb52510)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: 
>> ITEM(PAM_TTY) = ":15" (0xb4c9f0)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: 
>> ITEM(PAM_CONV) = 0xb47530
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: 
>> DATA(PAM_WINBIND_HOMEDIR) = "\\PCSERVER1\homes" (0xb52e00)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: 
>> DATA(PAM_WINBIND_LOGONSCRIPT) = "default.bat" (0xb52e80)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: 
>> DATA(PAM_WINBIND_LOGONSERVER) = "DC1" (0xb54280)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:setcred): PAM_ESTABLISH_CRED not implemented
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] LEAVE: 
>> pam_sm_setcred returning 0 (PAM_SUCCESS)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: 
>> ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: 
>> ITEM(PAM_USER) = "jas" (0xb52510)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: 
>> ITEM(PAM_TTY) = ":15" (0xb4c9f0)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: 
>> ITEM(PAM_CONV) = 0xb47530
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: 
>> DATA(PAM_WINBIND_HOMEDIR) = "\\PCSERVER1\homes" (0xb52e00)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: 
>> DATA(PAM_WINBIND_LOGONSCRIPT) = "default.bat" (0xb52e80)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: 
>> DATA(PAM_WINBIND_LOGONSERVER) = "DC1" (0xb54280)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] ENTER: 
>> pam_sm_open_session (flags: 0x0000)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: 
>> ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: 
>> ITEM(PAM_USER) = "jas" (0xb52510)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: 
>> ITEM(PAM_TTY) = ":15" (0xb4c9f0)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: 
>> ITEM(PAM_CONV) = 0xb47530
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: 
>> DATA(PAM_WINBIND_HOMEDIR) = "\\PCSERVER1\homes" (0xb52e00)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: 
>> DATA(PAM_WINBIND_LOGONSCRIPT) = "default.bat" (0xb52e80)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: 
>> DATA(PAM_WINBIND_LOGONSERVER) = "DC1" (0xb54280)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] LEAVE: 
>> pam_sm_open_session returning 0 (PAM_SUCCESS)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: 
>> ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: 
>> ITEM(PAM_USER) = "jas" (0xb52510)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: 
>> ITEM(PAM_TTY) = ":15" (0xb4c9f0)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: 
>> ITEM(PAM_CONV) = 0xb47530
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: 
>> DATA(PAM_WINBIND_HOMEDIR) = "\\PCSERVER1\homes" (0xb52e00)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: 
>> DATA(PAM_WINBIND_LOGONSCRIPT) = "default.bat" (0xb52e80)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]: 
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: 
>> DATA(PAM_WINBIND_LOGONSERVER) = "DC1" (0xb54280)
> I removed default_ccache_name from /etc/krb5.conf and set 
> krb5_ccache_type = FILE in pam_winbind.conf, and that worked.
>
> Albeit, I'm running an older version of Samba at this moment (4.10), 
> and it's possible KEYRING doesn't work here.  I thought it was valid. 
> Rowland?
>
> Now, when I login to a system, I get the Kerberos ticket. However, if 
> I ssh to another system, the ticket doesn't transfer.
>
> I see something interesting on the last comment on this page: 
> https://forums.centos.org/viewtopic.php?t=59441
>
> The last comment: " It was necessary in the computer account 
> properties centos on a domain controller to include a tick "Trust this 
> computer for delegation to any service."".  I wonder if this is the 
> solution, but it's not clear what this does or how I do this with 
> Samba CLI. I need the Kerberos ticket to transfer with SSH (yes, the 
> SSH client and server config allows GSSAPI).
>
> Jason.
>

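The thread turns on two settings that have to agree: the credential-cache type pam_winbind asks winbindd to create (`krb5_ccache_type` in pam_winbind.conf) and the cache name libkrb5 resolves for `klist`/`kinit` (`default_ccache_name` in krb5.conf). The `wbinfo -K` run above shows what a mismatch looks like: the ticket lands in `FILE:/tmp/krb5cc_1004` while `klist` looks in `KEYRING:persistent:1004:1004` and reports it missing. The script below is an added example, not code from the thread or from Samba. It reads both files, reports whether the requested and resolved cache types match, and classifies the "Ticket cache:" line of `klist` output. The config files and `klist` output it operates on are constructed samples, written to a temporary directory; the assumption that an absent `default_ccache_name` means libkrb5 falls back to `FILE` matches the MIT krb5 built-in default.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): check that the ccache
# type pam_winbind requests agrees with the one krb5.conf resolves, and
# parse the cache type out of klist output.

TMPDIR_CHECK="${TMPDIR:-/tmp}/ccache-check.$$"
mkdir -p "$TMPDIR_CHECK"
trap 'rm -rf "$TMPDIR_CHECK"' EXIT

# Constructed sample of /etc/security/pam_winbind.conf (not the poster's file).
PAM_WINBIND_CONF="$TMPDIR_CHECK/pam_winbind.conf"
cat > "$PAM_WINBIND_CONF" <<'EOF'
[global]
krb5_auth = yes
krb5_ccache_type = KEYRING
require_membership_of = EXAMPLE\some_group
EOF

# Constructed sample of /etc/krb5.conf with the keyring default set.
KRB5_CONF="$TMPDIR_CHECK/krb5.conf"
cat > "$KRB5_CONF" <<'EOF'
[libdefaults]
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
EOF

# Constructed sample of /etc/krb5.conf with default_ccache_name commented out.
KRB5_CONF_NODEFAULT="$TMPDIR_CHECK/krb5-nodefault.conf"
cat > "$KRB5_CONF_NODEFAULT" <<'EOF'
[libdefaults]
default_realm = EXAMPLE.COM
#default_ccache_name = KEYRING:persistent:%{uid}
EOF

# Constructed klist outputs, modelled on the two cases shown in the thread.
KLIST_SAMPLE_KEYRING='Ticket cache: KEYRING:persistent:1004:1004
Default principal: jas@EXAMPLE.COM'
KLIST_SAMPLE_MISSING="klist: Credentials cache keyring 'persistent:1004:1004' not found"

# ini_value FILE KEY: first uncommented "KEY = value" in an ini-style file.
ini_value() {
  awk -v k="$2" -F= '
    /^[ \t]*[#;]/ { next }
    {
      key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
      if (key == k) {
        v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
        print v; exit
      }
    }' "$1"
}

# Cache type pam_winbind will request from winbindd (KEYRING, FILE, ...).
pam_ccache_type() {
  ini_value "$1" krb5_ccache_type
}

# Cache type libkrb5 resolves for klist/kinit: the prefix of
# default_ccache_name, or FILE when the setting is absent (MIT krb5 default;
# assumption stated in the lead-in).
krb5_default_ccache_type() {
  t=$(ini_value "$1" default_ccache_name | cut -d: -f1)
  [ -n "$t" ] || t=FILE
  echo "$t"
}

# ccache_consistent PAM_WINBIND_CONF KRB5_CONF: 0 if both sides agree.
ccache_consistent() {
  want=$(pam_ccache_type "$1")
  have=$(krb5_default_ccache_type "$2")
  if [ -n "$want" ] && [ "$want" = "$have" ]; then
    echo "ok: pam_winbind requests $want, krb5.conf resolves $have"
    return 0
  fi
  echo "mismatch: pam_winbind requests '${want:-unset}', krb5.conf resolves '$have'"
  return 1
}

# klist_cache_type "OUTPUT": cache type named on the "Ticket cache:" line,
# or "none" when klist reports the cache as not found.
klist_cache_type() {
  printf '%s\n' "$1" | awk '
    /^Ticket cache:/ { split($3, a, ":"); print a[1]; exit }
    /^klist: Credentials cache/ { print "none"; exit }'
}

# Stand-alone run: compare the two krb5.conf variants and both klist samples.
ccache_consistent "$PAM_WINBIND_CONF" "$KRB5_CONF" || true
ccache_consistent "$PAM_WINBIND_CONF" "$KRB5_CONF_NODEFAULT" || true
echo "klist sample 1: $(klist_cache_type "$KLIST_SAMPLE_KEYRING")"
echo "klist sample 2: $(klist_cache_type "$KLIST_SAMPLE_MISSING")"
```

Run it against the real files by pointing `PAM_WINBIND_CONF` and `KRB5_CONF` at `/etc/security/pam_winbind.conf` and `/etc/krb5.conf` instead of the samples. A "mismatch" result explains a `klist` "not found" without any ticket having failed to issue; an "ok" result with the ticket still missing after a remote login narrows the problem to the login path itself (the pam_winbind debug log above does show `enabling request for a KEYRING krb5 ccache`), which is the point at which a bug report becomes the right next step.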