[Samba] KRB5 pam_winbind using KEYRING does not work

rme at bluemail.ch rme at bluemail.ch
Tue Oct 28 17:08:26 UTC 2025


Your config looks basically identical to mine.

 > I run Debian as standard, so normally the kerberos cache goes into
 > /tmp
 > and just works, but it should work.

Actually yes, using files it works out of the box. But not when using 
KEYRING.


 > so I set that up using your
 > /etc/security/pam_winbind.conf settings and added
 > 'default_ccache_name = KEYRING:persistent:%{uid}' to the
 > '[libdefaults]' section of the /etc/krb5.conf file.

Actually, as soon as I insert "krb5_ccache_type = KEYRING" into the 
Global section of /etc/security/pam_winbind.conf, winbind fails to 
create the cache entries in KEYRING. There is also no KRB5CCNAME 
variable defined.


 > I logged in and ran this: echo "$KRB5CCNAME"

Do you by any chance also have pam_krb5.so enabled in your PAM 
configuration? If yes, then it is perhaps not pam_winbind.so setting 
KRB5CCNAME but pam_krb5 instead.

Yes I can do this and it works fine using pam_krb5 but purely using 
pam_winbind it does not.

It should not be required to run pam_krb5 before invoking pam_winbind in 
order to set the KRB5CCNAME and somehow force pam_winbind to use the 
KEYRING.

I will do some more tests with and without pam_krb5 enabled. But I have 
not yet been able to convince pam_winbind to write anything to the keyring. 
Even if I manually set KRB5CCNAME=KEYRING:persistent:<UID> it is simply 
empty. So pam_winbind does not populate it.

br,
Rainer


