[Samba] kerberos ticket on login problem

Jason Keltz jas at eecs.yorku.ca
Tue Jul 28 20:11:39 UTC 2020

On 7/28/2020 3:59 PM, Jason Keltz via samba wrote:
> I'm experimenting with smb + winbind.
> My host is joined to AD and I can login to my host fine using my AD 
> credentials via SSH.   The only issue is that I don't get a Kerberos 
> ticket generated.
> In /etc/security/pam_winbind.conf I have:
> krb5_auth = yes
> krb5_ccache_type = KEYRING
> In /etc/krb5.conf, I also have:
> default_ccache_name = KEYRING:persistent:%{uid}
> Using wbinfo -K jas, then entering my password, I see:
> plaintext kerberos password authentication for [jas] succeeded 
> (requesting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_1004
> [It writes the keyring to a file even though I've specified KEYRING.  
> I don't know if wbinfo automatically writes to FILE or whether it 
> reads pam_winbind.conf and should be writing to KEYRING.]
> If I remove the file, and ssh to the system, I don't get a Kerberos 
> ticket.
> I know the pam_winbind.conf file is being read on login because the 
> "require_membership_of" line I'm using works.
> Any thoughts?
> Jason

By the way, just to add, /etc/pam.d/password-auth and 
/etc/pam.d/system-auth both look like this:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_winbind.so cached_login use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so 
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_winbind.so cached_login
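
A small check script, added here as an illustration and not part of the post or of Samba itself: it pulls the credential cache type out of pam_winbind.conf (krb5_ccache_type), out of krb5.conf (default_ccache_name) and out of the "credentials were put in:" line of wbinfo -K, and reports whether the three agree. The three inputs below are constructed to mirror the mismatch described above; on a real host you would feed it the actual files and the actual wbinfo or klist output.

```shell
#!/bin/sh
# Cross-check where winbind is told to put Kerberos credentials against
# where it actually put them. The sample inputs at the bottom are constructed.

# conf_value CONTENT KEY: value of the first "KEY = value" line, whitespace trimmed
conf_value() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# ccache_scheme NAME: cache type in front of the first ':' (FILE, KEYRING, KCM, DIR),
# upper-cased; a bare type such as "KEYRING" comes back unchanged
ccache_scheme() {
    printf '%s' "${1%%:*}" | tr '[:lower:]' '[:upper:]'
}

# wbinfo_ccache OUTPUT: cache name reported by "wbinfo -K", empty if none
wbinfo_ccache() {
    printf '%s\n' "$1" | sed -n 's/^credentials were put in: //p' | head -n 1
}

# check_ccache PAM_CONF KRB5_CONF WBINFO_OUTPUT
# Prints one line per source; returns 0 only when all three name the same type.
check_ccache() {
    pam=$(ccache_scheme "$(conf_value "$1" krb5_ccache_type)")
    krb=$(ccache_scheme "$(conf_value "$2" default_ccache_name)")
    got=$(ccache_scheme "$(wbinfo_ccache "$3")")
    printf 'pam_winbind.conf krb5_ccache_type : %s\n' "${pam:-unset}"
    printf 'krb5.conf default_ccache_name    : %s\n' "${krb:-unset}"
    printf 'wbinfo -K actually wrote         : %s\n' "${got:-none}"
    [ -n "$pam" ] && [ "$pam" = "$krb" ] && [ "$krb" = "$got" ]
}

# Constructed sample data reproducing the situation in the post
PAM_SAMPLE='[global]
krb5_auth = yes
krb5_ccache_type = KEYRING'
KRB5_SAMPLE='[libdefaults]
default_ccache_name = KEYRING:persistent:%{uid}'
WBINFO_SAMPLE='plaintext kerberos password authentication for [jas] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_1004'

check_ccache "$PAM_SAMPLE" "$KRB5_SAMPLE" "$WBINFO_SAMPLE" \
    || echo 'MISMATCH: configured cache type differs from the cache winbind wrote'
```

Run it against the real files (for example by replacing the three samples with `$(cat /etc/security/pam_winbind.conf)`, `$(cat /etc/krb5.conf)` and `$(wbinfo -K "$USER")`) and a non-zero exit shows the same disagreement the post describes.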

