[Samba] pam_winbind stops working when use_krb5 is enabled

cn at brain-biotech.de
Fri Feb 26 06:22:58 UTC 2021

Hello Tim,
I can confirm that joining with Samba works on CentOS 8. We have 5 DCs
and member servers running on 8.
The only thing I have run after the join is this:

authselect select winbind --force

in nsswitch.conf I have this then:

passwd:     files winbind systemd
group:      files winbind systemd

And it works.

I can log in using Kerberos via ssh. SMB works via Kerberos as well.

Successful AuthZ: [SMB2,krb5] user [DOMAIN-02]\[XX] 

However, I am not sure how this all works together.


On 26.02.21 at 05:20, Tim Miller via samba wrote:
> Thanks for everyone who has weighed in on this. Very annoying that Red Hat
> decided to do away with pam_krb5. Based on what I'm reading (both here and
> in other places), the preferred solution is to use realmd to join to a
> domain rather than samba, which isn't really what I want at all :-). Red
> Hat does provide instructions for using Samba to join a domain and using
> SSSD to handle the authentication, but I don't have a RHEL 7 system handy
> to try them on, so I can't speak for whether or not they work.
> I do have one question about using pam_krb5 (or pam_sss, if such a thing
> would ever be possible). Is the basic idea to use pam_krb5 (or pam_sss) to
> get the Kerberos ticket, which pam_winbind would then use to authenticate
> the user? Based on the description of the "krb5_auth" parameter in the
> pam_winbind man page, I thought that the notion is that pam_winbind would
> go off to the DC and get the Kerberos ticket for me, decrypt it using my
> password, and then stuff it into whatever ticket cache I've configured. But
> if we're actually getting the ticket via pam_krb5, then I've clearly
> misunderstood what role pam_winbind is playing in the whole authentication
> operation.
> Thanks again for everyone's assistance here!
> Tim
> On Thu, Feb 25, 2021 at 10:55 AM Rowland penny via samba <
> samba at lists.samba.org> wrote:
>> On 25/02/2021 15:41, cn--- via samba wrote:
>>> On 25.02.21 at 14:35, Rowland penny via samba wrote:
>>>> You need pam-krb5, which I believe Red Hat has removed in RHEL 8
>>> You can do it this way:
>>> https://access.redhat.com/solutions/4256011
>>> The account is free but you need to log in.
>> I have a Red Hat account but I can never see anything, but I take it
>> that it is the same as this:
>> https://sssd.io/docs/users/pam_krb5_migration.html
>> If it is, then you are shooting yourself in the foot, the first thing
>> you would have to do is to remove Samba as you cannot use sssd with Samba.
>> Rowland

Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Commercial register: Amtsgericht Darmstadt, HRB 24758
Executive Board: Adriaan Moelker (Chairman of the Executive Board),
Lukas Linnig
Chairman of the Supervisory Board: Dr. Georg Kellinghusen
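The thread turns on two configuration points: nsswitch.conf must route passwd/group lookups through winbind (the lines `authselect select winbind --force` leaves behind), and the PAM auth stack must call pam_winbind.so with `krb5_auth` (plus `krb5_ccache_type`) so that pam_winbind itself obtains the Kerberos ticket and drops it into a credential cache, which is the behaviour Tim asks about. The following audit script is an added example, not code from the post or from the Samba project; the nsswitch.conf and PAM stack contents it checks are constructed samples, and the `files`-before-`winbind` ordering rule and the option names are taken from the mail and from the pam_winbind man page.

```python
"""Offline audit of the two configuration points discussed in the thread:
nsswitch.conf routing passwd/group through winbind, and pam_winbind.so being
called with krb5_auth so that it, not pam_krb5, obtains the Kerberos ticket.
Added example; the sample file contents below are constructed, not taken
from the original post.
"""

# Constructed sample: what `authselect select winbind --force` leaves behind.
# The passwd/group lines match the ones quoted in the mail; the rest is
# illustrative filler.
NSSWITCH_SAMPLE = """\
# Generated by authselect
passwd:     files winbind systemd
group:      files winbind systemd
shadow:     files
hosts:      files dns myhostname
"""

# Constructed sample PAM auth stack for a Kerberos-via-pam_winbind login.
# Option names (krb5_auth, krb5_ccache_type, cached_login, try_first_pass)
# are from the pam_winbind man page; the stack itself is not from the post.
PAM_SAMPLE = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_winbind.so
"""


def parse_nsswitch(text):
    """Return {database: [sources]} from nsswitch.conf text.

    Action items such as [NOTFOUND=return] are dropped: they are not sources.
    """
    db = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        db[name.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return db


def check_nsswitch(text, databases=("passwd", "group")):
    """Return a list of problems; an empty list means winbind is wired in.

    Mirrors the ordering in the post: `files` before `winbind`, so local
    accounts (root included) still resolve when winbindd is not running.
    """
    problems = []
    db = parse_nsswitch(text)
    for name in databases:
        sources = db.get(name)
        if sources is None:
            problems.append(f"{name}: database not configured")
        elif "winbind" not in sources:
            problems.append(f"{name}: winbind missing ({' '.join(sources)})")
        elif "files" not in sources or sources.index("files") > sources.index("winbind"):
            problems.append(f"{name}: 'files' should precede 'winbind'")
    return problems


def parse_pam(text):
    """Return (type, control, module, [args]) tuples from a PAM stack."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3:
            entries.append((parts[0], parts[1], parts[2], parts[3:]))
    return entries


def winbind_auth_options(text):
    """Options of the first auth-phase pam_winbind.so line as a dict, or None.

    Bare flags (krb5_auth) map to True; key=value options keep their value.
    """
    for ptype, _control, module, args in parse_pam(text):
        if ptype == "auth" and module.endswith("pam_winbind.so"):
            opts = {}
            for arg in args:
                key, _, value = arg.partition("=")
                opts[key] = value if value else True
            return opts
    return None


def check_pam(text):
    """Problems with the auth stack for a Kerberos-via-pam_winbind login."""
    opts = winbind_auth_options(text)
    if opts is None:
        return ["auth: pam_winbind.so not in the auth stack"]
    problems = []
    if "krb5_auth" not in opts:
        problems.append("auth: pam_winbind.so lacks krb5_auth; no TGT will be requested")
    if "krb5_ccache_type" not in opts:
        problems.append("auth: no krb5_ccache_type; no user credential cache is populated")
    return problems


if __name__ == "__main__":
    for label, probs in (("nsswitch.conf", check_nsswitch(NSSWITCH_SAMPLE)),
                         ("PAM auth stack", check_pam(PAM_SAMPLE))):
        print(label, "OK" if not probs else "; ".join(probs))
```

Point the two functions at the real `/etc/nsswitch.conf` and `/etc/pam.d/system-auth` (or `password-auth`) on a member server to get the same report for a live box; both return plain lists, so they drop into any configuration test harness.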
