[Samba] pam_winbind and krb5_ccache_type=KEYRING

Luc Lalonde Luc.Lalonde at polymtl.ca
Mon Sep 12 12:31:09 UTC 2022


On Red Hat (Fedora, CentOS, EL) based systems, I need to set a similar setting to get Winbind authentication to work (/etc/security/pam_winbind.conf):

[global]
      krb5_auth = yes
      krb5_ccache_type = FILE

Leaving the default breaks Kerberos NFS mounts.

> On Sep 12, 2022, at 7:23 AM, Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> 
> On Mon, 2022-09-12 at 12:39 +0200, Christian Merten via samba wrote:
>> Hello everybody,
>> 
>> I tried to get rid of credential caches stored in temporary files. So I
>> found the pam_winbind option krb5_ccache_type. Originally this was set
>> to FILE, so I set it to KEYRING. But when I now log in to my user, I
>> don't get a ticket at all.
> 
> Does this work with other tools like sssd?  I ask because that might
> indicate the correct programming tricks to make this work.
> 
> The issue as I see it is that pam_winbindd doesn't get the ticket,
> winbindd does, operating on the other side of a unix domain socket and
> assuming it is compiled with MIT Kerberos, it can set into a KEYRING,
> but why would it be the same kernel keyring as the pam_winbindd
> process?
> 
> The file-based options work because a seteuid() is enough to have the
> file written by the right owner, but unless somehow winbindd is put
> into the login session for a bit, why would it be in the right session?
> 
> Andrew Bartlett
> --
> Andrew Bartlett (he/him)        https://samba.org/~abartlet/
> Samba Team Member (since 2001)  https://samba.org
> Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba



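The session-keyring question raised in the quoted reply can be observed directly on Linux. The following is an added example, not part of the original thread and not Samba code: a forked child that keeps its inherited session resolves KEY_SPEC_SESSION_KEYRING to the same keyring as its parent, while a child that joins a new anonymous session keyring (used here, as an assumption, to stand in for a daemon running outside the login session) resolves it to a different one. The function names are hypothetical.

```c
#define _GNU_SOURCE
#include <linux/keyctl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* ID of the caller's session keyring, or -1 on error. */
static long session_keyring_id(void)
{
    return syscall(SYS_keyctl, KEYCTL_GET_KEYRING_ID, (long)KEY_SPEC_SESSION_KEYRING, 0L);
}

/*
 * Fork a child and compare its session keyring with the parent's.
 * join_new != 0: the child first joins a fresh anonymous session keyring
 * (assumption: models a daemon that is not part of the login session).
 * Returns 1 if both resolve to the same keyring, 0 if they differ,
 * -1 if keyctl is unavailable (for example filtered by seccomp).
 */
int child_shares_session_keyring(int join_new)
{
    int fds[2];
    long mine = session_keyring_id(), theirs = -1;

    if (mine < 0 || pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        if (join_new && syscall(SYS_keyctl, KEYCTL_JOIN_SESSION_KEYRING, (const char *)NULL) < 0)
            _exit(1);                       /* no ID written: parent reports -1 */
        theirs = session_keyring_id();
        _exit(write(fds[1], &theirs, sizeof theirs) == (ssize_t)sizeof theirs ? 0 : 1);
    }
    close(fds[1]);
    ssize_t n = pid > 0 ? read(fds[0], &theirs, sizeof theirs) : -1;
    close(fds[0]);
    if (pid > 0)
        waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof theirs || theirs < 0)
        return -1;
    return theirs == mine;
}

int main(void)
{
    printf("inherited session: same keyring = %d\n", child_shares_session_keyring(0));
    printf("own session:       same keyring = %d\n", child_shares_session_keyring(1));
    return 0;
}
```

A key added to the session keyring by the second child would not be visible through the parent's session keyring, which is the situation the reply asks about for a ticket stored by a separate daemon process.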