[Samba] pam_winbind and krb5_ccache_type=KEYRING
abartlet at samba.org
Mon Sep 12 11:23:07 UTC 2022
On Mon, 2022-09-12 at 12:39 +0200, Christian Merten via samba wrote:
> Hello everybody,
> I tried to get rid of credential caches stored in temporary files. So I
> found the pam_winbind option krb5_ccache_type. Originally this was set
> to FILE, so I set it to KEYRING. But when I now login into my user, I
> don't get a ticket at all.
Does this work with other tools like sssd? I ask because that might
indicate the correct programming tricks to make this work.
The issue as I see it is that pam_winbindd doesn't get the ticket,
winbindd does, operating on the other side of a unix domain socket and
assuming it is compiled with MIT kerberos, it can set into a KEYRING,
but why would it be the same kernel keyring as the pam_winbindd
The file-based options work because a seteuid() is enough to have the
file written by the right owner, but unless somehow winbindd is put
into the login session for a bit, why would it be in the right session?
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
More information about the samba