[Samba] pam_winbind stops working when use_krb5 is enabled

Rowland penny rpenny at samba.org
Fri Feb 26 09:23:57 UTC 2021

On 26/02/2021 04:20, Tim Miller via samba wrote:
> Thanks for everyone who has weighed in on this. Very annoying that Red Hat
> decided to do away with pam_krb5. Based on what I'm reading (both here and
> in other places), the preferred solution is to use realmd to join to a
> domain rather than samba, which isn't really what I want at all :-). Red
> Hat does provide instructions for using Samba to join a domain and using
> SSSD to handle the authentication, but I don't have a RHEL 7 system handy
> to try them on, so I can't speak for whether or not they work.
> I do have one question about using pam_krb5 (or pam_sss, if such a thing
> would ever be possible). Is the basic idea to use pam_krb5 (or pam_sss) to
> get the Kerberos ticket, which pam_winbind would then use to authenticate
> the user? Based on the description of the "krb5_auth" parameter in the
> pam_winbind man page, I thought that the notion is that pam_winbind would
> go off to the DC and get the Kerberos ticket for me, decrypt it using my
> password, and then stuff it into whatever ticket cache I've configured. But
> if we're actually getting the ticket via pam_krb5, then I've clearly
> misunderstood what role pam_winbind is playing in the whole authentication
> operation.

If you are going to use pam_sss, then you are going to be using sssd and 
you cannot use sssd with winbind. sssd has its own version of the 
winbind libs. There is (in my opinion) a kludge where you can use sssd 
with Samba, but this will only give you authentication, no shares and as 
such is pretty pointless, you might as well just run sssd. If you just 
want authentication, just run sssd, but if you want shares, do not run sssd.
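As an added illustration (not part of the original exchange), the following is the kind of pam_winbind configuration being discussed: with krb5_auth enabled, winbindd itself obtains the Kerberos TGT from the DC using the password the user typed at login and stores it in the configured credential cache, so no separate pam_krb5 or pam_sss module is involved. The file path and the two option names are the ones documented in the pam_winbind.conf man page; the realm and cache type shown are example values.

```ini
; /etc/security/pam_winbind.conf (example values, not from the thread)
[global]
; Let winbindd perform the Kerberos authentication and fetch the TGT
krb5_auth = yes
; Where winbindd should place the ticket: FILE, DIR or KEYRING
; (KEYRING keeps the ticket out of the filesystem on Linux)
krb5_ccache_type = KEYRING
; Example only: report a clear message instead of a silent failure when
; the domain controller cannot be reached
warn_pwd_expire = 14
```

With this in place, the PAM stack only needs pam_winbind.so in the auth phase; after a successful login, `klist` as the user should show a TGT for the domain realm. If it does not, check that winbindd is running and that the machine account can reach a DC (e.g. `wbinfo -t`), since winbindd, not the PAM module in the calling process, is what talks to the KDC.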

