[Samba] pam_winbind and krb5_ccache_type=KEYRING

Christian Merten cmerten at mathi.uni-heidelberg.de
Mon Sep 12 11:20:45 UTC 2022


Yes, I even set

[appdefaults]
     pam = {
         ccache = KEYRING:persistent:%{uid}
     }

Best regards
Christian

On 9/12/22 13:14, Sami Hulkko wrote:
> Do you have:
>
> default_ccache_name = KEYRING:persistent:%{uid}
>
> SH
>
> On 12/09/2022 13:39, Christian Merten via samba wrote:
>> Hello everybody,
>>
>> I tried to get rid of credential caches stored in temporary files. So 
>> I found the pam_winbind option krb5_ccache_type. Originally this was 
>> set to FILE, so I set it to KEYRING. But when I now log in as my 
>> user, I don't get a ticket at all.
>>
>> In /var/log/auth.log I found this passage:
>>
>> sshd[1064]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'KEYRING:persistent:UID'
>> sshd[1413]: pam_winbind(sshd:auth): enabling krb5 login flag
>> sshd[1413]: pam_winbind(sshd:auth): enabling cached login flag
>> sshd[1413]: pam_winbind(sshd:auth): enabling request for a KEYRING:persistent:UID krb5 ccache
>> sshd[1413]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
>> sshd[1413]: pam_winbind(sshd:auth): user 'user' granted access
>> sshd[1413]: pam_winbind(sshd:auth): Returned user was 'user'
>> sshd[1413]: pam_winbind(sshd:auth): [pamh: 0x5610ed0b9e00] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
>> sshd[1413]: Accepted password for user from 129.206.201.242 port 48370 ssh2
>> sshd[1413]: pam_winbind(sshd:setcred): [pamh: 0x5610ed0b9e00] ENTER: pam_sm_setcred (flags: 0x0002)
>> sshd[1413]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
>> sshd[1413]: pam_winbind(sshd:setcred): [pamh: 0x5610ed0b9e00] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
>> sshd[1413]: pam_unix(sshd:session): session opened for user user(uid=10793) by (uid=0)
>> systemd-logind[425]: New session 5 of user user.
>> sshd[1425]: pam_winbind(sshd:setcred): [pamh: 0x5610ed0b9e00] ENTER: pam_sm_setcred (flags: 0x0002)
>> sshd[1425]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
>> sshd[1425]: pam_winbind(sshd:setcred): [pamh: 0x5610ed0b9e00] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
>>
>> The suspicious line might be PAM_ESTABLISH_CRED not implemented, but 
>> I switched it back to FILE and there was the same line:
>>
>> sshd[1060]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE'
>> sshd[1060]: pam_winbind(sshd:auth): enabling krb5 login flag
>> sshd[1060]: pam_winbind(sshd:auth): enabling cached login flag
>> sshd[1060]: pam_winbind(sshd:auth): enabling request for a FILE krb5 ccache
>> sshd[1060]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
>> sshd[1060]: pam_winbind(sshd:auth): user 'user' granted access
>> sshd[1060]: pam_winbind(sshd:auth): request returned KRB5CCNAME: FILE:/tmp/krb5cc_10793
>> sshd[1060]: pam_winbind(sshd:auth): Returned user was 'user'
>> sshd[1060]: pam_winbind(sshd:auth): [pamh: 0x55bd0c32fe00] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
>> sshd[1060]: Accepted password for user from 129.206.201.242 port 48372 ssh2
>> sshd[1060]: pam_winbind(sshd:setcred): [pamh: 0x55bd0c32fe00] ENTER: pam_sm_setcred (flags: 0x0002)
>> sshd[1060]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
>> sshd[1060]: pam_winbind(sshd:setcred): [pamh: 0x55bd0c32fe00] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
>>
>> I found an old discussion about this topic 
>> (https://lists.samba.org/archive/samba/2020-August/231254.html) but 
>> there were no further answers. Is there someone successfully using 
>> this option?
>>
>> Best regards
>> Christian
>>
>>
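
Added example, not part of the original thread and not Samba code: a Python check over auth.log text that flags sshd logins where pam_winbind logged a krb5 ccache request and a successful wbcLogonUser but no "request returned KRB5CCNAME" line, and lists logins that still got a FILE: ccache. The function names are hypothetical and the sample lines are constructed from the two excerpts quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: unwrapped lines modelled on the two excerpts in the thread.
SAMPLE = """\
sshd[1413]: pam_winbind(sshd:auth): enabling request for a KEYRING:persistent:UID krb5 ccache
sshd[1413]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
sshd[1413]: pam_winbind(sshd:auth): user 'user' granted access
sshd[1060]: pam_winbind(sshd:auth): enabling request for a FILE krb5 ccache
sshd[1060]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
sshd[1060]: pam_winbind(sshd:auth): request returned KRB5CCNAME: FILE:/tmp/krb5cc_10793
sshd[1060]: pam_winbind(sshd:auth): user 'user' granted access
"""

# search() is used, so a syslog timestamp/host prefix before "sshd[" is fine.
LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: pam_winbind\(sshd:auth\): (?P<msg>.*)")
REQUESTED = re.compile(r"enabling request for a (\S+) krb5 ccache")
RETURNED = re.compile(r"request returned KRB5CCNAME: (\S+)")


def audit(log_text):
    """Collect, per sshd PID, which ccache was requested and what came back."""
    sessions = defaultdict(
        lambda: {"requested": None, "returned": None, "logon_ok": False})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        state, msg = sessions[m["pid"]], m["msg"]
        if (req := REQUESTED.search(msg)):
            state["requested"] = req.group(1)
        elif (ret := RETURNED.search(msg)):
            state["returned"] = ret.group(1)
        elif "request wbcLogonUser succeeded" in msg:
            state["logon_ok"] = True
    return dict(sessions)


def missing_ccache(log_text):
    """PIDs whose logon succeeded with a ccache requested but none reported."""
    return sorted(pid for pid, s in audit(log_text).items()
                  if s["requested"] and s["logon_ok"] and not s["returned"])


def file_ccaches(log_text):
    """PIDs that were handed a file-based ccache, with its KRB5CCNAME."""
    return {pid: s["returned"] for pid, s in audit(log_text).items()
            if s["returned"] and s["returned"].startswith("FILE:")}


if __name__ == "__main__":
    print("no KRB5CCNAME returned:", missing_ccache(SAMPLE))
    print("file-based ccaches:", file_ccaches(SAMPLE))
```
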



