[Samba] pam_winbind stops working when use_krb5 is enabled

Rowland penny rpenny at samba.org
Thu Feb 25 13:35:55 UTC 2021


On 25/02/2021 13:22, Tim Miller via samba wrote:
> I have a puzzling problem that I've been beating my head against for a
> couple of days with no luck. I have a test domain with a Windows Server
> 2019 DC and a RHEL 8 system that has been properly joined to it. I am
> trying to authenticate with pam_winbind on the RHEL system, and everything
> works just fine until I add krb5_auth to the list of arguments for
> pam_winbind (or equivalently turn krb5_auth on in
> /etc/security/pam_winbind.conf).
>
> Whenever krb5_auth is turned on, I get the following log messages:
>
> Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): CONFIG file:
> krb5_ccache_type 'FILE:/tmp/krb5cc_%u'
> Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): enabling krb5
> login flag
> Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): enabling
> request for a FILE:/tmp/krb5cc_%u krb5 ccache
> Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): request
> wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7),
> NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: The attempted logon
> is invalid. This is either due to a bad username or authentication
> information.
> Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): user 'btmiller'
> denied access (incorrect password or invalid membership)
> Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): [pamh:
> 0x5590d75b79c0] LEAVE: pam_sm_authenticate returning 7 (PAM_AUTH_ERR)
>
> As soon as I turn off krb5_auth, everything works fine again.
>
> I'm pretty sure my Kerberos config is correct, because when I log in
> without krb5_auth, I can use kinit to get a TGT from the DC correctly.
>
> I've spent a lot of time on Google trying to figure out why pam_winbind
> would work correctly in my setup without krb5 but fails when it is turned
> on. Any help or pointers would be welcome, as I'm a relative newbie to
> this. I've pasted my smb.conf below.
>
> Thanks,
> Tim
>
> === /etc/samba/smb.conf
> [global]
> workgroup = MYDOM
> security = ADS
> realm = MYDOM.LOCAL
> server role = member server
>
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> ## remove when done testing
> winbind enum users = yes
> winbind enum groups = yes
>
> ## kill printing
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> ## id mapping
> idmap config *: backend = tdb
> idmap config *: range = 90000-99999
>
> idmap config MYDOM: backend = ad
> idmap config MYDOM: range = 100000-499999
> idmap config MYDOM: unix_nss_info = yes
> idmap config MYDOM: unix_primary_gid = yes
>
> ##template shell = /bin/bash
>
> ## logging
> log level = 2 winbind:5
>
> === /etc/security/pam_winbind.conf


You need pam-krb5, which I believe Red Hat has removed in RHEL 8.

When I tested a Unix domain member on CentOS 8, I had to build the
CentOS 7 pam-krb5 package to get it to work.

Rowland
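As an added example that is not part of this thread: a small Python triage script that groups pam_winbind syslog lines per PAM session (host and PID) and separates logon failures that happen with the krb5 login flag enabled, which is the signature in Tim's log, from ordinary logon failures without it. The sample lines are constructed after the ones quoted above; hostnames, PIDs and user names in them are made up.

```python
import re
from collections import defaultdict

# Syslog shape of pam_winbind messages, e.g.
#   Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): enabling krb5 login flag
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"pam_winbind\((?P<service>[^)]+)\): (?P<msg>.*)$"
)
DENIED_RE = re.compile(r"user '(?P<user>[^']+)' denied access")

# Constructed sample, modelled on the log in the post (not the original log text).
SAMPLE_LOG = """\
Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): CONFIG file: krb5_ccache_type 'FILE:/tmp/krb5cc_%u'
Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): enabling krb5 login flag
Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): enabling request for a FILE:/tmp/krb5cc_%u krb5 ccache
Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: The attempted logon is invalid.
Feb 24 23:47:42 cs-dom1 sshd[5511]: pam_winbind(sshd:auth): user 'btmiller' denied access (incorrect password or invalid membership)
Feb 24 23:48:10 cs-dom1 sshd[5530]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: The attempted logon is invalid.
Feb 24 23:48:10 cs-dom1 sshd[5530]: pam_winbind(sshd:auth): user 'alice' denied access (incorrect password or invalid membership)
"""


def parse_lines(text):
    """Yield one dict per pam_winbind line; unrelated syslog lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def triage(text):
    """Group messages per PAM session and classify each failed logon.

    'krb5_auth_failure': krb5 login flag enabled, then NT_STATUS_LOGON_FAILURE
    (the pattern in the post, worth checking krb5_auth prerequisites first).
    'auth_failure': the same logon failure without the krb5 flag."""
    sessions = defaultdict(list)
    for rec in parse_lines(text):
        sessions[(rec["host"], rec["pid"])].append(rec)
    findings = []
    for (host, pid), recs in sorted(sessions.items()):
        msgs = [r["msg"] for r in recs]
        krb5 = any(m.startswith("enabling krb5 login flag") for m in msgs)
        failed = any("wbcLogonUser failed" in m and "NT_STATUS_LOGON_FAILURE" in m for m in msgs)
        if not failed:
            continue
        user = next((DENIED_RE.search(m).group("user") for m in msgs if DENIED_RE.search(m)), None)
        findings.append({"host": host, "pid": pid, "user": user, "service": recs[0]["service"],
                         "kind": "krb5_auth_failure" if krb5 else "auth_failure"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['host']} pid={f['pid']} service={f['service']} user={f['user']}: {f['kind']}")
```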