[Samba] pam_winbind and krb5_ccache_type=KEYRING
Christian Merten
cmerten at mathi.uni-heidelberg.de
Mon Sep 12 10:39:51 UTC 2022
Hello everybody,
I tried to get rid of credential caches stored in temporary files. So I
found the pam_winbind option krb5_ccache_type. Originally this was set
to FILE, so I set it to KEYRING. But when I now log in as my user, I
don't get a ticket at all.
In /var/log/auth.log I found this passage:
sshd[1064]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'KEYRING:persistent:UID'
sshd[1413]: pam_winbind(sshd:auth): enabling krb5 login flag
sshd[1413]: pam_winbind(sshd:auth): enabling cached login flag
sshd[1413]: pam_winbind(sshd:auth): enabling request for a KEYRING:persistent:UID krb5 ccache
sshd[1413]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
sshd[1413]: pam_winbind(sshd:auth): user 'user' granted access
sshd[1413]: pam_winbind(sshd:auth): Returned user was 'user'
sshd[1413]: pam_winbind(sshd:auth): [pamh: 0x5610ed0b9e00] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
sshd[1413]: Accepted password for user from 129.206.201.242 port 48370 ssh2
sshd[1413]: pam_winbind(sshd:setcred): [pamh: 0x5610ed0b9e00] ENTER: pam_sm_setcred (flags: 0x0002)
sshd[1413]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
sshd[1413]: pam_winbind(sshd:setcred): [pamh: 0x5610ed0b9e00] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
sshd[1413]: pam_unix(sshd:session): session opened for user user(uid=10793) by (uid=0)
systemd-logind[425]: New session 5 of user user.
sshd[1425]: pam_winbind(sshd:setcred): [pamh: 0x5610ed0b9e00] ENTER: pam_sm_setcred (flags: 0x0002)
sshd[1425]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
sshd[1425]: pam_winbind(sshd:setcred): [pamh: 0x5610ed0b9e00] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
The suspicious line might be PAM_ESTABLISH_CRED not implemented, but I
switched it back to FILE and there was the same line:
sshd[1060]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE'
sshd[1060]: pam_winbind(sshd:auth): enabling krb5 login flag
sshd[1060]: pam_winbind(sshd:auth): enabling cached login flag
sshd[1060]: pam_winbind(sshd:auth): enabling request for a FILE krb5 ccache
sshd[1060]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
sshd[1060]: pam_winbind(sshd:auth): user 'user' granted access
sshd[1060]: pam_winbind(sshd:auth): request returned KRB5CCNAME: FILE:/tmp/krb5cc_10793
sshd[1060]: pam_winbind(sshd:auth): Returned user was 'user'
sshd[1060]: pam_winbind(sshd:auth): [pamh: 0x55bd0c32fe00] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
sshd[1060]: Accepted password for user from 129.206.201.242 port 48372 ssh2
sshd[1060]: pam_winbind(sshd:setcred): [pamh: 0x55bd0c32fe00] ENTER: pam_sm_setcred (flags: 0x0002)
sshd[1060]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
sshd[1060]: pam_winbind(sshd:setcred): [pamh: 0x55bd0c32fe00] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
I found an old discussion about this topic
(https://lists.samba.org/archive/samba/2020-August/231254.html) but
there were no further answers. Is there someone successfully using this
option?
Best regards
Christian
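
Added example, not part of the original post: a Python sketch that groups the pam_winbind auth lines by sshd PID and flags logins where a ccache was requested and wbcLogonUser succeeded but no "request returned KRB5CCNAME" line was logged, which is the visible difference between the two excerpts above. The sample lines are constructed from those excerpts with the wrapped lines rejoined; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: auth lines from the two excerpts in the post, abridged,
# with the e-mail line wrapping undone.
SAMPLE = """\
sshd[1413]: pam_winbind(sshd:auth): enabling request for a KEYRING:persistent:UID krb5 ccache
sshd[1413]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
sshd[1413]: pam_winbind(sshd:auth): user 'user' granted access
sshd[1060]: pam_winbind(sshd:auth): enabling request for a FILE krb5 ccache
sshd[1060]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
sshd[1060]: pam_winbind(sshd:auth): request returned KRB5CCNAME: FILE:/tmp/krb5cc_10793
sshd[1060]: pam_winbind(sshd:auth): user 'user' granted access
"""

LINE = re.compile(r"sshd\[(\d+)\]: pam_winbind\(sshd:auth\): (.*)")
REQUESTED = re.compile(r"enabling request for a (\S+) krb5 ccache")
RETURNED = re.compile(r"request returned KRB5CCNAME: (\S+)")


def ccache_report(log_text):
    """Map sshd PID -> ccache requested, KRB5CCNAME returned, logon result."""
    runs = defaultdict(lambda: {"requested": None, "returned": None, "logon_ok": False})
    for raw in log_text.splitlines():
        m = LINE.search(raw)  # search() tolerates a syslog timestamp/host prefix
        if not m:
            continue
        run, msg = runs[int(m.group(1))], m.group(2)
        if (req := REQUESTED.search(msg)):
            run["requested"] = req.group(1)
        elif (ret := RETURNED.search(msg)):
            run["returned"] = ret.group(1)
        elif "request wbcLogonUser succeeded" in msg:
            run["logon_ok"] = True
    return dict(runs)


def missing_ccache(log_text):
    """PIDs that requested a ccache and authenticated but logged no KRB5CCNAME."""
    return sorted(pid for pid, r in ccache_report(log_text).items()
                  if r["requested"] and r["logon_ok"] and r["returned"] is None)


if __name__ == "__main__":
    for pid, run in sorted(ccache_report(SAMPLE).items()):
        print(pid, run)
    print("no KRB5CCNAME returned for sshd PIDs:", missing_ccache(SAMPLE))
```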