[Samba] pam_winbind and krb5_ccache_type=KEYRING

Andrew Bartlett abartlet at samba.org
Mon Sep 12 11:23:07 UTC 2022

On Mon, 2022-09-12 at 12:39 +0200, Christian Merten via samba wrote:
> Hello everybody,
> I tried to get rid of credential caches stored in temporary files. So I 
> found the pam_winbind option krb5_ccache_type. Originally this was set 
> to FILE, so I set it to KEYRING. But when I now login into my user, I 
> don't get a ticket at all.

Does this work with other tools like sssd?  I ask because that might
indicate the correct programming tricks to make this work. 

The issue as I see it is that pam_winbindd doesn't get the ticket,
winbindd does, operating on the other side of a unix domain socket and
assuming it is compiled with MIT kerberos, it can set into a KEYRING,
but why would it be the same kernel keyring as the pam_winbindd

The file-based options work because a seteuid() is enough to have the
file written by the right owner, but unless somehow winbindd is put
into the login session for a bit, why would it be in the right session?

Andrew Bartlett
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba

More information about the samba mailing list