[Samba] winbind offline logon

Alexey A Nikitin nikitin at amazon.com
Thu Jan 21 17:20:35 UTC 2021

On Thursday, 21 January 2021 05:28:09 PST Jon Gerdes via samba wrote:
> I have just been down this rabbit hole.  Winbind sets KRB5CCNAME when you use pam_winbind.  If you set eg
> krb5_ccache_type = FILE:/var/lib/krb5cc/krb5cc_%u
> in pam_winbind.conf then it should work.  For me it doesn't 8( . The code is in source3/winbindd/winbindd_pam.c and it
> looks correct.  I can see the %u thing mentioned in the code that looks for FILE:/ at the start of krb5_ccache_type.  My
> systemd journal reports:
> login[5550]: pam_winbind(login:auth): CONFIG file: krb5_ccache_type 'FILE:/var/lib/krb5cc/krb5cc_%u'
> If I set this in /etc/krb5.conf:
> [libdefaults]
>     default_ccache_name = FILE:/var/lib/krb5cc/krb5cc_%{uid}
> then kinit creates the cache correctly.  Winbind ignores that I think and does its own thing instead and sets KRB5CCNAME
> to override krb5.conf.

Have you checked your PAM stacks? Some distros (I'm looking at RHEL-based ones especially) like to override krb5_ccache_type in pam_winbind.so parameters in the PAM stacks instead of just letting pam_winbind.conf control it.
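A quick way to audit the point above, as an added example that is not from the thread: list every `pam_winbind.so` line in a PAM directory that carries its own `krb5_ccache_type=` parameter and compare it with what `pam_winbind.conf` says, so a module-line override is visible instead of silently winning. The directory and file paths are parameters; the sample tree it builds is constructed for an offline run, and the `make_sample` helper is hypothetical.

```shell
#!/bin/sh
# Added example (not Samba's code): find pam_winbind.so module lines that set
# krb5_ccache_type themselves and compare with pam_winbind.conf.

# Print "file:value" for each uncommented pam_winbind.so line in the given
# PAM directory that carries a krb5_ccache_type=... module parameter.
pam_stack_ccache_overrides() {
    pamdir="$1"
    grep -H 'pam_winbind\.so' "$pamdir"/* 2>/dev/null \
      | grep -v '^[^:]*:[[:space:]]*#' \
      | sed -n 's/^\([^:]*\):.*krb5_ccache_type=\([^[:space:]]*\).*/\1:\2/p'
}

# Print the krb5_ccache_type value from pam_winbind.conf (empty if unset).
pam_winbind_conf_ccache() {
    sed -n 's/^[[:space:]]*krb5_ccache_type[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Report the config value and flag every stack line that overrides it.
report() {
    conf_val=$(pam_winbind_conf_ccache "$2")
    echo "pam_winbind.conf krb5_ccache_type: ${conf_val:-<unset>}"
    pam_stack_ccache_overrides "$1" | while IFS=: read -r f v; do
        if [ "$v" = "$conf_val" ]; then
            echo "same   $f ($v)"
        else
            echo "OVERRIDE $f sets $v"
        fi
    done
}

# Build a constructed sample tree (hypothetical helper) to exercise the check
# offline; one stack overrides the type, one does not, one is commented out.
make_sample() {
    d="$1"
    mkdir -p "$d/pam.d" "$d/security"
    printf 'auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=KEYRING\n' > "$d/pam.d/system-auth"
    printf 'auth sufficient pam_winbind.so krb5_auth\n' > "$d/pam.d/login"
    printf '# auth sufficient pam_winbind.so krb5_ccache_type=FILE:/tmp/x\n' > "$d/pam.d/disabled"
    printf '[global]\nkrb5_ccache_type = FILE:/var/lib/krb5cc/krb5cc_%%u\n' > "$d/security/pam_winbind.conf"
}

# Usage on a live host: sh audit.sh /etc/pam.d /etc/security/pam_winbind.conf
if [ "$#" -eq 2 ]; then
    report "$1" "$2"
fi
```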