[Samba] winbind offline logon

Rowland penny rpenny at samba.org
Thu Jan 21 15:05:30 UTC 2021

On 21/01/2021 13:28, Jon Gerdes via samba wrote:
> Dale
> I have just been down this rabbit hole.  Winbind sets KRB5CCNAME when you use pam_winbind.  If you set eg
> krb5_ccache_type = FILE:/var/lib/krb5cc/krb5cc_%u
> in pam_winbind.conf then it should work.  For me it doesn't 8( . The code is in source3/winbindd/winbindd_pam.c and it
> looks correct.  I can see the %u thing mentioned in the code that looks for FILE:/ at the start of krb5_ccache_type.  My
> systemd journal reports:
> login[5550]: pam_winbind(login:auth): CONFIG file: krb5_ccache_type 'FILE:/var/lib/krb5cc/krb5cc_%u'
> If I set this in /etc/krb5.conf:
> [libdefaults]
>      default_ccache_name = FILE:/var/lib/krb5cc/krb5cc_%{uid}
> then kinit creates the cache correctly.  Winbind ignores that I think and does its own thing instead and sets KRB5CCNAME
> to override krb5.conf.
OK, can you try this (tested on Debian Buster with Samba 4.12.9):

As root, create a directory

mkdir /temp

Alter /etc/krb5.conf to match this:

         default_realm = SAMDOM.EXAMPLE.COM
         dns_lookup_realm = false
         dns_lookup_kdc = true

         ccache = krb5cc_%u
         ccache_dir = FILE:/temp

Replace 'SAMDOM.EXAMPLE.COM' with your realm.

Alter /etc/pam.d/common-auth


auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=10000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure 
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth 
krb5_ccache_type=FILE cached_login try_first_pass


auth    [success=3 default=ignore]      pam_winbind.so krb5_auth 
krb5_ccache_type=FILE:/temp/krb5cc_%u cached_login try_first_pass
auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure 

Now log out and log in as a domain user, you should now find a kerberos 
ticket in temp.

Log out again and disconnect from network, then log in again as the user.


More information about the samba mailing list