[Samba] winbind offline logon
Alexey A Nikitin
nikitin at amazon.com
Thu Jan 21 17:20:35 UTC 2021
On Thursday, 21 January 2021 05:28:09 PST Jon Gerdes via samba wrote:
> I have just been down this rabbit hole. Winbind sets KRB5CCNAME when you use pam_winbind. If you set eg
>
> krb5_ccache_type = FILE:/var/lib/krb5cc/krb5cc_%u
>
> in pam_winbind.conf then it should work. For me it doesn't 8( . The code is in source3/winbindd/winbindd_pam.c and it
> looks correct. I can see the %u thing mentioned in the code that looks for FILE:/ at the start of krb5_ccache_type. My
> systemd journal reports:
>
> login[5550]: pam_winbind(login:auth): CONFIG file: krb5_ccache_type 'FILE:/var/lib/krb5cc/krb5cc_%u'
>
> If I set this in /etc/krb5.conf:
>
> [libdefaults]
> default_ccache_name = FILE:/var/lib/krb5cc/krb5cc_%{uid}
>
> then kinit creates the cache correctly. Winbind ignores that I think and does its own thing instead and sets KRB5CCNAME
> to override krb5.conf.
Have you checked your PAM stacks? Some distros (I'm looking at RHEL-based ones especially) like to override krb5_ccache_type in pam_winbind.so parameters in the PAM stacks instead of just letting pam_winbind.conf control it.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.samba.org/pipermail/samba/attachments/20210121/b22566ea/signature.sig>
More information about the samba
mailing list