[Samba] pam_winbind stops working when use_krb5 is enabled

Tim Miller btamiller at gmail.com
Thu Feb 25 13:22:33 UTC 2021


I have a puzzling problem that I've been beating my head against for a
couple of days with no luck. I have a test domain with a Windows Server
2019 DC and a RHEL 8 system that has been properly joined to it. I am
trying to authenticate with pam_winbind on the RHEL system, and everything
works just fine until I add krb5_auth to the list of arguments for
pam_winbind (or, equivalently, turn krb5_auth on in
/etc/security/pam_winbind.conf).

Whenever krb5_auth is turned on, I get the following log messages:

Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): CONFIG file: krb5_ccache_type 'FILE:/tmp/krb5cc_%u'
Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): enabling krb5 login flag
Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): enabling request for a FILE:/tmp/krb5cc_%u krb5 ccache
Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: The attempted logon is invalid. This is either due to a bad username or authentication information.
Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): user 'btmiller' denied access (incorrect password or invalid membership)
Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): [pamh: 0x5590d75b79c0] LEAVE: pam_sm_authenticate returning 7 (PAM_AUTH_ERR)

As soon as I turn off krb5_auth, everything works fine again.

I'm pretty sure my Kerberos config is correct, because when I log in
without krb5_auth, I can use kinit to get a TGT from the DC correctly.

I've spent a lot of time on Google trying to figure out why pam_winbind
would work correctly in my setup without krb5 but fails when it is turned
on. Any help or pointers would be welcome, as I'm a relative newbie to
this. I've pasted my smb.conf below.

Thanks,
Tim

=== /etc/samba/smb.conf
[global]
workgroup = MYDOM
security = ADS
realm = MYDOM.LOCAL
server role = member server

winbind refresh tickets = Yes
winbind use default domain = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

## remove when done testing
winbind enum users = yes
winbind enum groups = yes

## kill printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

## id mapping
idmap config *: backend = tdb
idmap config *: range = 90000-99999

idmap config MYDOM: backend = ad
idmap config MYDOM: range = 100000-499999
idmap config MYDOM: unix_nss_info = yes
idmap config MYDOM: unix_primary_gid = yes

##template shell = /bin/bash

## logging
log level = 2 winbind:5

=== /etc/security/pam_winbind.conf


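Editor's note, added after the message above and not part of Tim's post or of Samba's own tooling: the kinit test in the message exercises the MIT client library directly, whereas pam_winbind with krb5_auth hands the password to winbindd (the wbcLogonUser call in the log, with the krb5 login flag set), and winbindd performs the Kerberos exchange itself and validates the returned ticket against the machine keys in its keytab. The closer reproduction of the failing path is therefore `wbinfo -K`, run next to `wbinfo -a` (the NTLM path that works without krb5_auth). The script below is an added diagnostic runbook along those lines. It assumes Samba's wbinfo, net and testparm binaries are present on the joined member and that the domain user and password are passed as its two arguments; the two log-parsing helpers and the sample syslog line in the comments are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): isolate the winbindd
# Kerberos logon path that pam_winbind krb5_auth uses.
# Assumes: Samba wbinfo/net/testparm installed on the joined member;
#          USER and PASS given as $1 and $2 when run for real.
set -u

# Pull the NTSTATUS token out of a pam_winbind syslog line, e.g.
# "... wbcLogonUser failed: WBC_ERR_AUTH_ERROR, ..., NTSTATUS: NT_STATUS_LOGON_FAILURE, ..."
ntstatus_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*NTSTATUS: \(NT_STATUS_[A-Z_]*\).*/\1/p'
}

# Map the status to the component to look at next.  Pure function, so it
# can be exercised without a domain; the texts are this example's own.
classify_ntstatus() {
    case "$1" in
        NT_STATUS_LOGON_FAILURE)
            echo "winbindd rejected the logon: compare 'wbinfo -a' (NTLM) with 'wbinfo -K' (Kerberos)" ;;
        NT_STATUS_NO_LOGON_SERVERS)
            echo "winbindd cannot reach a DC: check DNS SRV records and 'wbinfo -P'" ;;
        NT_STATUS_WRONG_PASSWORD)
            echo "the DC rejected the password itself" ;;
        NT_STATUS_ACCOUNT_LOCKED_OUT|NT_STATUS_ACCOUNT_DISABLED)
            echo "account state problem on the DC, not a configuration issue" ;;
        *)
            echo "unhandled status $1" ;;
    esac
}

# Configuration winbindd actually runs with, and the keys it can use to
# validate a ticket: testparm prints the effective value of one parameter.
check_keytab_config() {
    echo "== kerberos settings as winbindd sees them"
    testparm -s --parameter-name="kerberos method" 2>/dev/null
    testparm -s --parameter-name="dedicated keytab file" 2>/dev/null
    testparm -s --parameter-name="winbind refresh tickets" 2>/dev/null
    echo "== principals in the keytab (host keys needed to verify the ticket)"
    net ads keytab list
    echo "== machine account join state and DC time (skew breaks Kerberos)"
    net ads testjoin
    net ads info
}

# Same credentials through both winbindd logon paths.  If -a succeeds and
# -K fails, the problem is in winbindd's Kerberos handling, not in PAM.
check_winbind_paths() {
    user="$1"
    pass="$2"
    echo "== winbindd reachable"
    wbinfo -p || return 1
    echo "== DC reachable and trust secret valid"
    wbinfo -P
    wbinfo -t
    echo "== NTLM logon via winbindd (the path used without krb5_auth)"
    wbinfo -a "${user}%${pass}"
    echo "== Kerberos logon via winbindd (the path krb5_auth takes)"
    wbinfo -K "${user}%${pass}"
}

# Only run the live checks when credentials were supplied on the command
# line; sourcing the file just defines the functions.
if [ $# -eq 2 ]; then
    check_keytab_config
    check_winbind_paths "$1" "$2"
fi
```

Run it as `sh diag.sh btmiller 'password'` on the member server. A `wbinfo -K` failure while `wbinfo -a` succeeds points at winbindd's own Kerberos step (keytab contents, realm and DNS resolution, or time skew shown by `net ads info`); if both succeed, the remaining difference is in the PAM configuration, in particular the krb5_ccache_type and whether the calling service can write that ccache.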