[Samba] libpam_mount and sec=krb5

Stefan Kania stefan at kania-online.de
Fri Dec 23 18:31:26 UTC 2022



On 23.12.22 at 18:29, Stefan Kania via samba wrote:
> 
> 
> On 23.12.22 at 18:17, Rowland Penny via samba wrote:
>>
>>
>> On 23/12/2022 16:55, Stefan Kania via samba wrote:
>>>
>>>
>>> On 23.12.22 at 17:48, Rowland Penny via samba wrote:
>>>>>
>>>>
>>>> It could be that pam_mount is looking for the kerberos ticket 
>>>> '/tmp/krb5cc_1001107' and as you can see, it is actually 
>>>> '/tmp/krb5cc_1001107_dUP4GZ'
>>>
>>> That's what I also thought, but this is the ticket filename created 
>>> when the user logs in to the system. Do you know a way to force the 
>>> system NOT to add the last digits after the uid?
>>>
>>
>> I think there is a parameter you can set, try reading the krb5.conf 
>> manpage. Have you tried turning on debug in pam_mount.conf.xml ?
>>
> 
> Yes, and I got the same error :-(.
> 
> One more thing:
> 
> I just tested kinit together with MIT-Kerberos and OpenLDAP and there I 
> got a filename krb5cc_<uid> without the suffix after the uid, so it must 
> have something to do with heimdal-kerberos; if so, it would be bad.
> 
> 
>> Rowland
>>
> 
> 

I found out, Heimdal is NOT using default_ccache_name but 
default_cc_name. I now changed my krb5.conf to:
-----------------
[libdefaults]
         default_realm = EXAMPLE.NET
         dns_lookup_realm = false
         dns_lookup_kdc = true
         default_cc_name = FILE:/tmp/krb5cc_%{uid}

-----------------
But still the same, but it has something to do with Heimdal-Kerberos. 
Changing the filename together with MIT-Kerberos and OpenLDAP works.
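
A diagnostic sketch for the mismatch discussed in this thread, added here as an example and not written by anyone in the thread. The function names `ccache_keys` and `ccache_compare` are hypothetical, and the fixed path `/tmp/krb5cc_<uid>` is the expectation suggested in the thread, not confirmed pam_mount behaviour.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print every credential-cache name key set in [libdefaults] of a krb5.conf.
# Per the thread, MIT reads default_ccache_name and Heimdal reads
# default_cc_name, so seeing only one of them explains why one
# implementation ignores the setting.
ccache_keys() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_(cc|ccache)_name[ \t]*=/ {
            i = index($0, "=")
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print key "=" val
        }' "$1"
}

# Compare the cache a session really uses (the value of KRB5CCNAME) with the
# fixed path /tmp/krb5cc_<uid> (assumed expectation, taken from the thread).
# Prints one of:
#   match     cache is exactly /tmp/krb5cc_<uid>
#   suffixed  cache is /tmp/krb5cc_<uid>_<random>, as seen in the thread
#   other     a different path or cache type
ccache_compare() {
    uid=$1
    actual=${2#FILE:}              # drop the optional FILE: type prefix
    expected="/tmp/krb5cc_${uid}"
    case "$actual" in
        "$expected")   echo match ;;
        "$expected"_*) echo suffixed ;;
        *)             echo other ;;
    esac
}

# On a live login session (after pam has run):
#   ccache_keys /etc/krb5.conf
#   ccache_compare "$(id -u)" "$KRB5CCNAME"
```
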


