[Samba] pam_winbind stops working when use_krb5 is enabled

Tim Miller btamiller at gmail.com
Fri Feb 26 04:20:29 UTC 2021

Thanks for everyone who has weighed in on this. Very annoying that Red Hat
decided to do away with pam_krb5. Based on what I'm reading (both here and
in other places), the preferred solution is to use realmd to join to a
domain rather than samba, which isn't really what I want at all :-). Red
Hat does provide instructions for using Samba to join a domain and using
SSSD to handle the authentication, but I don't have a RHEL 7 system handy
to try them on, so I can't speak for whether or not they work.

I do have one question about using pam_krb5 (or pam_sss, if such a thing
would ever be possible). Is the basic idea to use pam_krb5 (or pam_sss) to
get the Kerberos ticket, which pam_winbind would then use to authenticate
the user? Based on the description of the "krb5_auth" parameter in the
pam_winbind man page, I thought that the notion is that pam_winbind would
go off to the DC and get the Kerberos ticket for me, decrypt it using my
password, and then stuff it into whatever ticket cache I've configured. But
if we're actually getting the ticket via pam_krb5, then I've clearly
misunderstood what role pam_winbind is playing in the whole authentication

Thanks again for everyone's assistance here!

On Thu, Feb 25, 2021 at 10:55 AM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 25/02/2021 15:41, cn--- via samba wrote:
> > Am 25.02.21 um 14:35 schrieb Rowland penny via samba:
> >
> >>
> >> You need pam-krb5, which I believe Red-hat has removed in RHEL 8
> >
> > You can do it this way:
> >
> > https://access.redhat.com/solutions/4256011
> >
> > The account is free but you need to log in.
> I have a red-hat account but I can never see anything, but I take it
> that it is the same as this:
> https://sssd.io/docs/users/pam_krb5_migration.html
> If it is, then you are shooting yourself in the foot, the first thing
> you would have  to do is to remove Samba as you cannot use sssd with Samba.
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list