[Samba] kerberos ticket on login problem

Jason Keltz jas at eecs.yorku.ca
Wed Jul 29 15:57:17 UTC 2020


On 7/28/2020 4:11 PM, Jason Keltz wrote:

>
> On 7/28/2020 3:59 PM, Jason Keltz via samba wrote:
>> I'm experimenting with smb + winbind.
>>
>> My host is joined to AD and I can login to my host fine using my AD 
>> credentials via SSH.   The only issue is that I don't get a Kerberos 
>> ticket generated.
>>
>> In /etc/security/pam_winbind.conf I have:
>>
>> krb5_auth = yes
>>
>> krb5_ccache_type = KEYRING
>>
>> In /etc/krb5.conf, I also have:
>>
>> default_ccache_name = KEYRING:persistent:%{uid}
>>
>> Using wbinfo -K jas, then entering my password,  I see:
>>
>> plaintext kerberos password authentication for [jas] succeeded (requesting cctype: FILE)
>> credentials were put in: FILE:/tmp/krb5cc_1004
>>
>> [It writes the keyring to a file even though I've specified KEYRING.  
>> I don't know if wbinfo automatically writes to FILE or whether it 
>> reads pam_winbind.conf and should be writing to KEYRING).
>>
>> If I remove the file, and ssh to the system, I don't get a Kerberos 
>> ticket.
>>
>> I know the pam_winbind.conf file is being read on login because the 
>> "require_membership_of" line I'm using works.
>>
>> Any thoughts?
>>
>> Jason
>
> By the way, just to add,  /etc/pam.d/password-auth and 
> /etc/pam.d/system-auth both look like this:
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        required      pam_faildelay.so delay=2000000
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
> auth        sufficient    pam_winbind.so cached_login use_first_pass
> auth        required      pam_deny.so
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
> account     required      pam_permit.so
> password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_winbind.so use_authtok
> password    required      pam_deny.so
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session     optional      pam_systemd.so
> session     optional      pam_oddjob_mkhomedir.so umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_winbind.so cached_login


I noticed that wbinfo has a --krb5ccname arg so I tried:

% klist
klist: Credentials cache keyring 'persistent:1004:1004' not found
% /xsys/pkg/samba/bin/wbinfo --krb5ccname="KEYRING" -K jas
Enter jas's password:
plaintext kerberos password authentication for [jas] succeeded (requesting cctype: KEYRING)
brayden 305 % klist
klist: Credentials cache keyring 'persistent:1004:1004' not found

I also enabled extended debugging and during login:

> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] ENTER: pam_sm_authenticate (flags: 0x0000)
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_USER) = "jas" (0xb4fd60)
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_TTY) = "xrdp-sesman" (0xb4d6a0)
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_AUTHTOK) = 0xb4fd80
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_CONV) = 0xb47530
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): getting password (0x000013d1)
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): pam_get_item returned a password
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): Verify user 'jas'
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): CONFIG file: require_membership_of 'EECSYORKUCA\hc_research'
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): CONFIG file: krb5_ccache_type 'KEYRING'
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): enabling krb5 login flag
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): enabling cached login flag
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): enabling request for a KEYRING krb5 ccache
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): no sid given, looking up: EECSYORKUCA\hc_research
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): request wbcLogonUser succeeded
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): user 'jas' granted access
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): Returned user was 'jas'
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_USER) = "jas" (0xb52510)
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_TTY) = "xrdp-sesman" (0xb4d6a0)
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_AUTHTOK) = 0xb4fd80
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_CONV) = 0xb47530
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\PCSERVER1\homes" (0xb52e00)
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: DATA(PAM_WINBIND_LOGONSCRIPT) = "default.bat" (0xb52e80)
> Jul 29 09:33:53 brayden xrdp-sesman[1652]: pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "DC1" (0xb54280)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] ENTER: pam_sm_setcred (flags: 0x0002)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: ITEM(PAM_USER) = "jas" (0xb52510)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: ITEM(PAM_TTY) = ":15" (0xb4c9f0)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: ITEM(PAM_CONV) = 0xb47530
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\PCSERVER1\homes" (0xb52e00)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: DATA(PAM_WINBIND_LOGONSCRIPT) = "default.bat" (0xb52e80)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "DC1" (0xb54280)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:setcred): PAM_ESTABLISH_CRED not implemented
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: ITEM(PAM_USER) = "jas" (0xb52510)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: ITEM(PAM_TTY) = ":15" (0xb4c9f0)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: ITEM(PAM_CONV) = 0xb47530
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\PCSERVER1\homes" (0xb52e00)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: DATA(PAM_WINBIND_LOGONSCRIPT) = "default.bat" (0xb52e80)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "DC1" (0xb54280)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] ENTER: pam_sm_open_session (flags: 0x0000)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: ITEM(PAM_USER) = "jas" (0xb52510)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: ITEM(PAM_TTY) = ":15" (0xb4c9f0)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: ITEM(PAM_CONV) = 0xb47530
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\PCSERVER1\homes" (0xb52e00)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: DATA(PAM_WINBIND_LOGONSCRIPT) = "default.bat" (0xb52e80)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "DC1" (0xb54280)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] LEAVE: pam_sm_open_session returning 0 (PAM_SUCCESS)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: ITEM(PAM_USER) = "jas" (0xb52510)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: ITEM(PAM_TTY) = ":15" (0xb4c9f0)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: ITEM(PAM_CONV) = 0xb47530
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\PCSERVER1\homes" (0xb52e00)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: DATA(PAM_WINBIND_LOGONSCRIPT) = "default.bat" (0xb52e80)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]: pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "DC1" (0xb54280)

I removed default_ccache_name from /etc/krb5.conf and set 
krb5_ccache_type = FILE in pam_winbind.conf, and that worked.

Albeit, I'm running an older version of Samba at this moment (4.10), and 
it's possible KEYRING doesn't work here.  I thought it was valid. Rowland?

Now, when I login to a system, I get the Kerberos ticket. However, if I 
ssh to another system, the ticket doesn't transfer.

I see something interesting in the last comment on this page: 
https://forums.centos.org/viewtopic.php?t=59441

The last comment: "It was necessary in the computer account properties 
centos on a domain controller to include a tick 'Trust this computer for 
delegation to any service.'"  I wonder if this is the solution, but 
it's not clear what this does or how I do this with the Samba CLI. I need 
the Kerberos ticket to transfer with SSH (yes, the SSH client and server 
config allows GSSAPI).

Jason.
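An added example, not from this thread or from Samba: a small Python checker for the mismatch the thread chases. It reads krb5_ccache_type from pam_winbind.conf and default_ccache_name from krb5.conf, compares both with the cache type that `wbinfo -K` reported, and lists where they disagree. The config and log text are constructed samples that mirror the post; the function names are mine.

```python
import re
from configparser import ConfigParser

# Constructed sample inputs modelled on the thread, not copied from any real host.
PAM_WINBIND_CONF = """[global]
krb5_auth = yes
krb5_ccache_type = KEYRING
"""
KRB5_CONF = """[libdefaults]
default_ccache_name = KEYRING:persistent:%{uid}
"""
WBINFO_OUTPUT = """plaintext kerberos password authentication for [jas] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_1004
"""

def _get(text, section, key):
    # Both files are INI-style; interpolation is off so %{uid} survives untouched.
    cp = ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp.get(section, key, fallback=None)

def ccache_type_of(name):
    """'KEYRING:persistent:%{uid}' -> 'KEYRING'; a bare path (no TYPE: prefix) is a FILE cache."""
    return name.split(":", 1)[0].upper() if ":" in name else "FILE"

def config_ccache_types(pam_text, krb5_text):
    """(type pam_winbind will request, type klist/GSSAPI clients look in by default)."""
    pam_type = (_get(pam_text, "global", "krb5_ccache_type") or "FILE").upper()
    name = _get(krb5_text, "libdefaults", "default_ccache_name")
    return pam_type, (ccache_type_of(name) if name else "FILE")

def ticket_placement(log_text):
    """(requested, actual) cache types parsed from 'wbinfo -K' / pam_winbind debug output."""
    req = re.search(r"requesting cctype: (\w+)", log_text)
    put = re.search(r"credentials were put in: (\w+):", log_text)
    return (req.group(1).upper() if req else None, put.group(1).upper() if put else None)

def findings(pam_text, krb5_text, log_text):
    """Mismatches between the two configs and the observed ticket; empty list means all agree."""
    pam_type, krb5_type = config_ccache_types(pam_text, krb5_text)
    requested, actual = ticket_placement(log_text)
    out = []
    if pam_type != krb5_type:
        out.append(f"config: pam_winbind requests {pam_type} but krb5.conf defaults to {krb5_type}")
    if requested and requested != pam_type:
        out.append(f"log: cctype {requested} was requested, so krb5_ccache_type={pam_type} was not honoured")
    if actual and actual != krb5_type:
        out.append(f"log: ticket landed in a {actual} cache, but klist looks in {krb5_type} (expect 'not found')")
    return out
```

Run `findings(PAM_WINBIND_CONF, KRB5_CONF, WBINFO_OUTPUT)` to see the two log-side mismatches from the post; with the thread's eventual fix (krb5_ccache_type = FILE and no default_ccache_name) it returns an empty list.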
