[Samba] Confusion about libpam-krb5 and libpam-winbind

Rowland Penny rpenny at samba.org
Thu Feb 17 10:35:10 UTC 2022

On Thu, 2022-02-17 at 11:12 +0100, Matthias Kühne | Ellerhold AG via
samba wrote:
> Hello samba-community,
> on our Debian Domain members (Samba 4.14) we cant change the password
> of 
> local (non-AD) users, because it asks for the "Current kerberos
> password".

You shouldn't really have many local users, just enough to fix things
if something goes wrong and you cannot contact AD.

> Ive tracked it down to the libpam-krb5. I can up the "minimum_uid"
> from 
> 1000 to the value of my smb.conf (10000) and the problem is gone. Is 
> this the correct way to fix this problem?

Yes, Setting every occurrence of '1000' in /etc/pam.d/common-* to the
DOMAIN lower range is the correct way to fix this.
> That leads me to a second question: What we need on these servers
> are 
> SSH and SMB access via users from the domain. Both are using username
> + 
> password (e. g. MY-DOMAIN\matthias.kuehne and a PW). As far as I 
> understand it this is handled by libpam-winbind, correct?

You can turn off the 'MY-DOMAIN\' by setting 'winbind use default
domain = yes', provided you are using the 'ad' or 'rid' winbind idmap
backend with one domain.
This is handled by libpam-winbind & libnss-winbind

> libpam-krb5 would enable me to use kerberos tickets to access the
> file 
> shares (and possibly ssh?).

Yes, and definitely ssh

>  If I dont need that - can I uninstall it or 
> does any background system of a samba domain member use this pam-
> module? 

No and yes

> Same question for a samba ad-dc!

You only need to set up PAM and the winbind links on a DC if you
require your users to log into the DC directly (something that Samba
does not recommend)


More information about the samba mailing list