[Samba] kerberos ticket on login problem
Jason Keltz
jas at eecs.yorku.ca
Thu Aug 6 18:35:35 UTC 2020
Rowland or others,
We have upgraded from Samba 4.10 + Winbind to Samba 4.11.11 + winbind.
I am still unable to get krb5_ccache_type of KEYRING working with
pam_winbind, and I don't know how to debug the problem.
In /etc/security/pam_winbind.conf:
krb5_ccache_type = KEYRING
In /etc/krb5.conf
default_ccache_name = KEYRING:persistent:%{uid}
If I'm on the system already and run "kinit jas" it works with KEYRING -
in klist output:
Ticket cache: KEYRING:persistent:1004:1004
...
But if I kdestroy, then login remotely ...
klist: Credentials cache keyring 'persistent:1004:1004' not found
I know that using krb5_ccache_type = FILE in
/etc/security/pam_winbind.conf, and commenting the default_ccache_name
from /etc/krb5.conf, it works perfectly, but it uses a file in /tmp. I
don't want that. However, it's not clear what I can do to debug this
issue on my end. According to the pam_winbind man page, "we suggest to
use KEYRING as those are the most secure and predictable method."
I've asked before, and haven't received any feedback. If you don't have
a suggestion on how I might debug this issue, I guess I'll assume it's a
bug, and submit as such along that route.
Thanks for any help you can provide.
Jason.
On 7/29/2020 11:57 AM, Jason Keltz wrote:
> On 7/28/2020 4:11 PM, Jason Keltz wrote:
>
>>
>> On 7/28/2020 3:59 PM, Jason Keltz via samba wrote:
>>> I'm experimenting with smb + winbind.
>>>
>>> My host is joined to AD and I can login to my host fine using my AD
>>> credentials via SSH. The only issue is that I don't get a Kerberos
>>> ticket generated.
>>>
>>> In /etc/security/pam_winbind.conf I have:
>>>
>>> krb5_auth = yes
>>>
>>> krb5_ccache_type = KEYRING
>>>
>>> In /etc/krb5.conf, I also have:
>>>
>>> default_ccache_name = KEYRING:persistent:%{uid}
>>>
>>> Using wbinfo -K jas, then entering my password, I see:
>>>
>>> plaintext kerberos password authentication for [jas] succeeded
>>> (requesting cctype: FILE)
>>> credentials were put in: FILE:/tmp/krb5cc_1004
>>>
>>> [It writes the keyring to a file even though I've specified
>>> KEYRING. I don't know if wbinfo automatically writes to FILE or
>>> whether it reads pam_winbind.conf and should be writing to KEYRING.]
>>>
>>> If I remove the file, and ssh to the system, I don't get a Kerberos
>>> ticket.
>>>
>>> I know the pam_winbind.conf file is being read on login because the
>>> "require_membership_of" line I'm using works.
>>>
>>> Any thoughts?
>>>
>>> Jason
>>
>> By the way, just to add, /etc/pam.d/password-auth and
>> /etc/pam.d/system-auth both look like this:
>>
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth required pam_env.so
>> auth required pam_faildelay.so delay=2000000
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
>> auth sufficient pam_winbind.so cached_login use_first_pass
>> auth required pam_deny.so
>> account required pam_unix.so broken_shadow
>> account sufficient pam_localuser.so
>> account sufficient pam_succeed_if.so uid < 1000 quiet
>> account [default=bad success=ok user_unknown=ignore]
>> pam_winbind.so cached_login
>> account required pam_permit.so
>> password requisite pam_pwquality.so try_first_pass
>> local_users_only retry=3 authtok_type=
>> password sufficient pam_unix.so sha512 shadow nullok
>> try_first_pass use_authtok
>> password sufficient pam_winbind.so use_authtok
>> password required pam_deny.so
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> -session optional pam_systemd.so
>> session optional pam_oddjob_mkhomedir.so umask=0077
>> session [success=1 default=ignore] pam_succeed_if.so service in
>> crond quiet use_uid
>> session required pam_unix.so
>> session optional pam_winbind.so cached_login
>
>
> I noticed that wbinfo has a --krb5ccname arg so I tried:
>
> % klist
> klist: Credentials cache keyring 'persistent:1004:1004' not found
> % /xsys/pkg/samba/bin/wbinfo --krb5ccname="KEYRING" -K jas
> Enter jas's password:
> plaintext kerberos password authentication for [jas] succeeded
> (requesting cctype: KEYRING)
> brayden 305 % klist
> klist: Credentials cache keyring 'persistent:1004:1004' not found
>
> I also enabled extended debugging and during login:
>
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] ENTER:
>> pam_sm_authenticate (flags: 0x0000)
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE:
>> ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_USER)
>> = "jas" (0xb4fd60)
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_TTY)
>> = "xrdp-sesman" (0xb4d6a0)
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE:
>> ITEM(PAM_AUTHTOK) = 0xb4fd80
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_CONV)
>> = 0xb47530
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): getting password (0x000013d1)
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): pam_get_item returned a password
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): Verify user 'jas'
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): CONFIG file: require_membership_of
>> 'EECSYORKUCA\hc_research'
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): CONFIG file: krb5_ccache_type 'KEYRING'
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): enabling krb5 login flag
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): enabling cached login flag
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): enabling request for a KEYRING krb5
>> ccache
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): no sid given, looking up:
>> EECSYORKUCA\hc_research
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): request wbcLogonUser succeeded
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): user 'jas' granted access
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): Returned user was 'jas'
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] LEAVE:
>> pam_sm_authenticate returning 0 (PAM_SUCCESS)
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE:
>> ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_USER)
>> = "jas" (0xb52510)
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_TTY)
>> = "xrdp-sesman" (0xb4d6a0)
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE:
>> ITEM(PAM_AUTHTOK) = 0xb4fd80
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_CONV)
>> = 0xb47530
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE:
>> DATA(PAM_WINBIND_HOMEDIR) = "\\PCSERVER1\homes" (0xb52e00)
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE:
>> DATA(PAM_WINBIND_LOGONSCRIPT) = "default.bat" (0xb52e80)
>> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
>> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE:
>> DATA(PAM_WINBIND_LOGONSERVER) = "DC1" (0xb54280)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] ENTER:
>> pam_sm_setcred (flags: 0x0002)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
>> ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
>> ITEM(PAM_USER) = "jas" (0xb52510)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
>> ITEM(PAM_TTY) = ":15" (0xb4c9f0)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
>> ITEM(PAM_CONV) = 0xb47530
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
>> DATA(PAM_WINBIND_HOMEDIR) = "\\PCSERVER1\homes" (0xb52e00)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
>> DATA(PAM_WINBIND_LOGONSCRIPT) = "default.bat" (0xb52e80)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
>> DATA(PAM_WINBIND_LOGONSERVER) = "DC1" (0xb54280)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:setcred): PAM_ESTABLISH_CRED not implemented
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] LEAVE:
>> pam_sm_setcred returning 0 (PAM_SUCCESS)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
>> ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
>> ITEM(PAM_USER) = "jas" (0xb52510)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
>> ITEM(PAM_TTY) = ":15" (0xb4c9f0)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
>> ITEM(PAM_CONV) = 0xb47530
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
>> DATA(PAM_WINBIND_HOMEDIR) = "\\PCSERVER1\homes" (0xb52e00)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
>> DATA(PAM_WINBIND_LOGONSCRIPT) = "default.bat" (0xb52e80)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
>> DATA(PAM_WINBIND_LOGONSERVER) = "DC1" (0xb54280)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] ENTER:
>> pam_sm_open_session (flags: 0x0000)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
>> ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
>> ITEM(PAM_USER) = "jas" (0xb52510)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
>> ITEM(PAM_TTY) = ":15" (0xb4c9f0)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
>> ITEM(PAM_CONV) = 0xb47530
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
>> DATA(PAM_WINBIND_HOMEDIR) = "\\PCSERVER1\homes" (0xb52e00)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
>> DATA(PAM_WINBIND_LOGONSCRIPT) = "default.bat" (0xb52e80)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
>> DATA(PAM_WINBIND_LOGONSERVER) = "DC1" (0xb54280)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] LEAVE:
>> pam_sm_open_session returning 0 (PAM_SUCCESS)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
>> ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
>> ITEM(PAM_USER) = "jas" (0xb52510)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
>> ITEM(PAM_TTY) = ":15" (0xb4c9f0)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
>> ITEM(PAM_CONV) = 0xb47530
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
>> DATA(PAM_WINBIND_HOMEDIR) = "\\PCSERVER1\homes" (0xb52e00)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
>> DATA(PAM_WINBIND_LOGONSCRIPT) = "default.bat" (0xb52e80)
>> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
>> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
>> DATA(PAM_WINBIND_LOGONSERVER) = "DC1" (0xb54280)
> I removed default_ccache_name from /etc/krb5.conf and set
> krb5_ccache_type = FILE in pam_winbind.conf, and that worked.
>
> Albeit, I'm running an older version of Samba at this moment (4.10),
> and it's possible KEYRING doesn't work here. I thought it was valid.
> Rowland?
>
> Now, when I login to a system, I get the Kerberos ticket. However, if
> I ssh to another system, the ticket doesn't transfer.
>
> I see something interesting on the last comment on this page:
> https://forums.centos.org/viewtopic.php?t=59441
>
> The last comment: "It was necessary in the computer account
> properties centos on a domain controller to include a tick 'Trust this
> computer for delegation to any service.'" I wonder if this is the
> solution, but it's not clear what this does or how I do this with
> Samba CLI. I need the Kerberos ticket to transfer with SSH (yes, the
> SSH client and server config allows GSSAPI).
>
> Jason.
>
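As an added diagnostic (not part of the thread above), the following checks whether the credential-cache type that pam_winbind.conf and krb5.conf ask for matches what a login actually produced, by parsing both files and a klist or "wbinfo -K" output line. The config contents and output lines are constructed samples mirroring the values quoted in this thread; the parser is a minimal key=value reader, not Samba's or MIT krb5's own profile parser.

```python
"""Spot a ccache-type mismatch between pam_winbind.conf, krb5.conf and
the cache a login really created. Constructed sample inputs; not read
from disk."""
import re

# Constructed samples reproducing the settings quoted in the thread.
PAM_WINBIND_CONF = """[global]
krb5_auth = yes
krb5_ccache_type = KEYRING
require_membership_of = EECSYORKUCA\\hc_research
"""
KRB5_CONF = """[libdefaults]
default_ccache_name = KEYRING:persistent:%{uid}
"""

def parse_kv(text):
    """Read 'key = value' lines; ignore section headers and comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, val = line.partition("=")
        if sep:
            out[key.strip()] = val.strip()
    return out

def expected_ccache(krb5_conf, pam_conf, uid):
    """Return (cctype from pam_winbind.conf, expanded default_ccache_name).
    The name is None when krb5.conf sets none, in which case libkrb5
    falls back to a FILE cache (the /tmp/krb5cc_<uid> seen in the thread)."""
    cctype = parse_kv(pam_conf).get("krb5_ccache_type", "FILE").upper()
    name = parse_kv(krb5_conf).get("default_ccache_name")
    if name is not None:
        name = name.replace("%{uid}", str(uid)).replace("%{euid}", str(uid))
    return cctype, name

def check_login_result(output_line, krb5_conf, pam_conf, uid):
    """Compare a 'Ticket cache:' (klist) or 'credentials were put in:'
    (wbinfo -K) line against the configured type. Only the type is
    compared: klist shows the persistent keyring as
    KEYRING:persistent:<uid>:<uid>, i.e. with the subsidiary cache appended."""
    m = re.search(r"(?:Ticket cache|credentials were put in):\s*(\S+)", output_line)
    if not m:
        return "no cache name in output (no ticket was obtained)"
    actual = m.group(1)
    cctype, _ = expected_ccache(krb5_conf, pam_conf, uid)
    if actual.split(":", 1)[0].upper() == cctype:
        return "ok: %s cache %s" % (cctype, actual)
    return "mismatch: configured %s but got %s" % (cctype, actual)
```

Feed it the three outputs quoted in the thread (the working klist line, the wbinfo FILE line, and the "not found" error) to classify each case before filing a bug report.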