[Samba] KRB5 pam_winbind using KEYRING does not work
rme at bluemail.ch
Mon Oct 27 23:23:30 UTC 2025
Hello Samba experts
I am having issues or misunderstanding how to use pam_winbind Kerberos
storing caches in keyring.
My /etc/security/pam_winbind.conf:
[Global]
debug = yes
debug_state = yes
silent = no
krb5_auth = yes
krb5_ccache_type = KEYRING
cached_login = yes
silent = no
mkhomedir = yes
My /etc/krb5.conf libdefaults and appdefaults:
[libdefaults]
default_realm = AD.DOMAIN.TLD
default_ccache_name = KEYRING:persistent:%{uid}
dns_lookup_realm = false
dns_lookup_kdc = true
[appdefaults]
pam = {
ticket_lifetime = 7d
renew_lifetime = 14d
forwardable = true
proxiable = false
minimum_uid = 1
}
My PAM configuration contains:
auth required pam_winbind.so
During user login I can see (journalctl -g pam_winbind):
getting password (0x00005389)
Verify user 'testuser'
PAM config: krb5_ccache_type 'KEYRING'
enabling krb5 login flag
enabling cached login flag
enabling request for a KEYRING krb5 ccache
request wbcLogonUser succeeded
user 'testuser' granted access
Returned user was 'testuser'
However, performing "klist" after login returns:
klist: Credentials cache keyring 'persistent:<UID>:<UID>' not found.
And during logout I see this in the debug log of pam_winbind:
username [testuser] obtained
user has no KRB5CCNAME environment
request wbcLogoffUser succeeded
user 'testuser' OK
So either I am missing something or pam_winbind does not set the KRB5CCNAME
environment variable properly (I checked, it's not set). Using pam_krb5
it is set but as of my understanding I don't need pam_krb5 in addition
to pam_winbind. Or I should not need it.
To me it looks like pam_winbind is not properly adding the caches to
keyring and not setting the KRB5CCNAME variable. Therefore also krenew
is not working.
I know I can set krb_ccache_type=FILE and remove default_ccache_name
from libdefaults and get cache files written to /tmp/krb5cc_<UID> but I
would like to use keyring.
And yes, my keyring is working if I manually do a kinit with the
settings above. I am just not getting caches written to keyring on PAM
login.
I also found the same issue discussed here:
<https://lists.samba.org/archive/samba/2020-August/231254.html> with no
solution.
Maybe I just miss something here so I would be glad to get some feedback
on how to properly use KEYRING with pam_winbind.
I am on Samba 4.23.2 running Arch Linux.
Best regards and thanks in advance!
Rainer
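As an added example (not part of Rainer's post and not Samba code), the small diagnostic below parses the two configuration fragments and the pam_winbind debug lines quoted above, reports which ccache type pam_winbind was asked for against what the krb5 library would default to for a given UID, and flags the "user has no KRB5CCNAME environment" symptom. The UID 1000, the inline texts and the helper names are constructed assumptions; it reports what the files say and does not claim to identify the root cause.

```python
import configparser
import re

# Constructed sample: the /etc/security/pam_winbind.conf from the post
PAM_WINBIND_CONF = """\
[Global]
debug = yes
debug_state = yes
silent = no
krb5_auth = yes
krb5_ccache_type = KEYRING
cached_login = yes
silent = no
mkhomedir = yes
"""

# Constructed sample: the [libdefaults]/[appdefaults] part of /etc/krb5.conf
KRB5_CONF = """\
[libdefaults]
    default_realm = AD.DOMAIN.TLD
    default_ccache_name = KEYRING:persistent:%{uid}
    dns_lookup_realm = false
    dns_lookup_kdc = true

[appdefaults]
    pam = {
        ticket_lifetime = 7d
        renew_lifetime = 14d
        forwardable = true
        proxiable = false
        minimum_uid = 1
    }
"""

# Constructed sample: pam_winbind debug lines from login and logout
JOURNAL = """\
PAM config: krb5_ccache_type 'KEYRING'
enabling request for a KEYRING krb5 ccache
request wbcLogonUser succeeded
username [testuser] obtained
user has no KRB5CCNAME environment
request wbcLogoffUser succeeded
"""


def parse_pam_winbind(text):
    """pam_winbind.conf is plain INI; strict=False tolerates the duplicated 'silent' key."""
    cp = configparser.ConfigParser(strict=False)
    cp.read_string(text)
    return dict(cp["Global"])


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [sections], key = value, and nested 'key = { ... }' blocks."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return sections


def expand_ccache_name(template, uid):
    """MIT krb5 substitutes %{uid} in default_ccache_name with the numeric UID."""
    return template.replace("%{uid}", str(uid))


def analyse(pam_conf_text, krb5_conf_text, journal_text, uid):
    """Return the effective ccache settings plus a list of findings for the given UID."""
    pam = parse_pam_winbind(pam_conf_text)
    krb = parse_krb5_conf(krb5_conf_text)
    requested = pam.get("krb5_ccache_type", "FILE").upper()
    default_name = krb.get("libdefaults", {}).get("default_ccache_name", "")
    expected = expand_ccache_name(default_name, uid)

    findings = []
    if default_name and not default_name.upper().startswith(requested + ":"):
        findings.append(f"krb5_ccache_type={requested} but default_ccache_name={default_name}")
    logged = re.search(r"enabling request for a (\w+) krb5 ccache", journal_text)
    if logged and logged.group(1).upper() != requested:
        findings.append(f"pam_winbind logged a {logged.group(1)} request, config says {requested}")
    if "user has no KRB5CCNAME environment" in journal_text:
        findings.append("KRB5CCNAME was never exported to the session (seen at logoff)")
    return {"requested_type": requested, "expected_ccache": expected, "findings": findings}


if __name__ == "__main__":
    result = analyse(PAM_WINBIND_CONF, KRB5_CONF, JOURNAL, uid=1000)
    print("pam_winbind requests:", result["requested_type"])
    print("krb5 default ccache :", result["expected_ccache"])
    for finding in result["findings"]:
        print("finding:", finding)
```

Run against the real files by replacing the three constants with the contents of /etc/security/pam_winbind.conf, /etc/krb5.conf and the output of journalctl -g pam_winbind; a KRB5CCNAME finding with no type mismatch means the two configurations agree and the missing variable has to be traced elsewhere.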