[Samba] pam_winbind and krb5_ccache_type=KEYRING
Christian Merten
cmerten at mathi.uni-heidelberg.de
Mon Sep 12 11:20:45 UTC 2022
Yes, I even set

    [appdefaults]
        pam = {
            ccache = KEYRING:persistent:%{uid}
        }

Best regards
Christian
On 9/12/22 13:14, Sami Hulkko wrote:
> Do you have:
>
> default_ccache_name = KEYRING:persistent:%{uid}
>
> SH
>
> On 12/09/2022 13:39, Christian Merten via samba wrote:
>> Hello everybody,
>>
>> I tried to get rid of credential caches stored in temporary files. So
>> I found the pam_winbind option krb5_ccache_type. Originally this was
>> set to FILE, so I set it to KEYRING. But when I now log in to my
>> user, I don't get a ticket at all.
>>
>> In /var/log/auth.log I found this passage:
>>
>> sshd[1064]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type
>> 'KEYRING:persistent:UID'
>> sshd[1413]: pam_winbind(sshd:auth): enabling krb5 login flag
>> sshd[1413]: pam_winbind(sshd:auth): enabling cached login flag
>> sshd[1413]: pam_winbind(sshd:auth): enabling request for a
>> KEYRING:persistent:UID krb5 ccache
>> sshd[1413]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
>> sshd[1413]: pam_winbind(sshd:auth): user 'user' granted access
>> sshd[1413]: pam_winbind(sshd:auth): Returned user was 'user'
>> sshd[1413]: pam_winbind(sshd:auth): [pamh: 0x5610ed0b9e00] LEAVE:
>> pam_sm_authenticate returning 0 (PAM_SUCCESS)
>> sshd[1413]: Accepted password for user from 129.206.201.242 port
>> 48370 ssh2
>> sshd[1413]: pam_winbind(sshd:setcred): [pamh: 0x5610ed0b9e00] ENTER:
>> pam_sm_setcred (flags: 0x0002)
>> sshd[1413]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not
>> implemented
>> sshd[1413]: pam_winbind(sshd:setcred): [pamh: 0x5610ed0b9e00] LEAVE:
>> pam_sm_setcred returning 0 (PAM_SUCCESS)
>> sshd[1413]: pam_unix(sshd:session): session opened for user
>> user(uid=10793) by (uid=0)
>> systemd-logind[425]: New session 5 of user user.
>> sshd[1425]: pam_winbind(sshd:setcred): [pamh: 0x5610ed0b9e00] ENTER:
>> pam_sm_setcred (flags: 0x0002)
>> sshd[1425]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not
>> implemented
>> sshd[1425]: pam_winbind(sshd:setcred): [pamh: 0x5610ed0b9e00] LEAVE:
>> pam_sm_setcred returning 0 (PAM_SUCCESS)
>>
>> The suspicious line might be PAM_ESTABLISH_CRED not implemented, but
>> I switched it back to FILE and there was the same line:
>>
>> sshd[1060]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE'
>> sshd[1060]: pam_winbind(sshd:auth): enabling krb5 login flag
>> sshd[1060]: pam_winbind(sshd:auth): enabling cached login flag
>> sshd[1060]: pam_winbind(sshd:auth): enabling request for a FILE krb5
>> ccache
>> sshd[1060]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
>> sshd[1060]: pam_winbind(sshd:auth): user 'user' granted access
>> sshd[1060]: pam_winbind(sshd:auth): request returned KRB5CCNAME:
>> FILE:/tmp/krb5cc_10793
>> sshd[1060]: pam_winbind(sshd:auth): Returned user was 'user'
>> sshd[1060]: pam_winbind(sshd:auth): [pamh: 0x55bd0c32fe00] LEAVE:
>> pam_sm_authenticate returning 0 (PAM_SUCCESS)
>> sshd[1060]: Accepted password for user from 129.206.201.242 port
>> 48372 ssh2
>> sshd[1060]: pam_winbind(sshd:setcred): [pamh: 0x55bd0c32fe00] ENTER:
>> pam_sm_setcred (flags: 0x0002)
>> sshd[1060]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not
>> implemented
>> sshd[1060]: pam_winbind(sshd:setcred): [pamh: 0x55bd0c32fe00] LEAVE:
>> pam_sm_setcred returning 0 (PAM_SUCCESS)
>>
>> I found an old discussion about this topic
>> (https://lists.samba.org/archive/samba/2020-August/231254.html) but
>> there were no further answers. Is there someone successfully using
>> this option?
>>
>> Best regards
>> Christian
>>
>>
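
In the two log excerpts quoted above, the FILE run contains a "request returned KRB5CCNAME" line and the KEYRING run does not. The following is an added example, not part of the original thread or of Samba: a small parser that groups pam_winbind auth.log lines by process and lists logins where a ccache was requested but no KRB5CCNAME was reported back. The sample lines are copied from the excerpts above with the e-mail wrapping undone; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample lines taken from the two auth.log excerpts quoted in the thread,
# with the e-mail line wrapping undone (abridged, not a full log).
SAMPLE_LOG = """\
sshd[1413]: pam_winbind(sshd:auth): enabling request for a KEYRING:persistent:UID krb5 ccache
sshd[1413]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
sshd[1413]: pam_winbind(sshd:auth): user 'user' granted access
sshd[1060]: pam_winbind(sshd:auth): enabling request for a FILE krb5 ccache
sshd[1060]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
sshd[1060]: pam_winbind(sshd:auth): request returned KRB5CCNAME: FILE:/tmp/krb5cc_10793
sshd[1060]: pam_winbind(sshd:auth): user 'user' granted access
"""

# search() is used so a leading syslog timestamp/hostname does not matter.
LINE = re.compile(r"\[(\d+)\]: pam_winbind\([^)]*\): (.*)")
REQUESTED = re.compile(r"enabling request for a (\S+) krb5 ccache")
RETURNED = re.compile(r"request returned KRB5CCNAME: (\S+)")


def audit_ccache(log_text):
    """Per PID, pair the requested ccache type with the KRB5CCNAME returned."""
    sessions = defaultdict(lambda: {"requested": None, "returned": None, "logon_ok": False})
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a pam_winbind line
        pid, msg = m.groups()
        s = sessions[int(pid)]
        if (r := REQUESTED.search(msg)):
            s["requested"] = r.group(1)
        elif (r := RETURNED.search(msg)):
            s["returned"] = r.group(1)
        elif "request wbcLogonUser succeeded" in msg:
            s["logon_ok"] = True
    return dict(sessions)


def missing_ccache(sessions):
    """PIDs where logon succeeded and a ccache was requested but none was reported."""
    return sorted(pid for pid, s in sessions.items()
                  if s["logon_ok"] and s["requested"] and not s["returned"])


if __name__ == "__main__":
    result = audit_ccache(SAMPLE_LOG)
    for pid, s in sorted(result.items()):
        print(pid, s)
    print("no KRB5CCNAME returned for PIDs:", missing_ccache(result))
```
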