[Samba] KRB5 pam_winbind using KEYRING does not work
Rowland Penny
rpenny at samba.org
Thu Oct 30 10:21:56 UTC 2025
On Wed, 29 Oct 2025 22:34:53 +0100
Rainer Meier via samba <samba at lists.samba.org> wrote:
> > I now know what is happening, but not why.
>
> > If I log into a Debian computer, I get a kerberos ticket, the
> > 'KRB5CCNAME' is set in 'env' and klist shows the ticket. None of
> > that occurs on EndeavourOS (yes I managed to install it), but if
> > you run 'kinit' you get a ticket. I have no idea why it doesn't
> > work like Debian (presumably RL10 works the same, but I haven't
> > checked).
>
> Many thanks for going the (long) extra mile to even install EOS.
> I also figured out that KEYRING actually is working but somehow
> pam_winbind seems not to be able to store the cache in KEYRING on
> login at all. When using kinit it works and also klist is showing
> keyring contents. Even after logging off and back on klist will keep
> the caches.
>
> However when using kdestroy and logging off and back on I would
> assume there is new caches put on the keyring but it does not happen.
>
> So currently I don't know how to dig deeper and gave up; returning to
> file caches.
>
> I also tried to run older versions of krb5 (well, at least 1.20) to
> no avail. I am not experienced in PAM debugging and could not
> identify any further issues yet. Unless this is some coincidence with
> newer kernel versions as EOS/ARCH is on 6.17.5 now unless switched to
> LTS (6.12.56 currently) kernels. Well, I might give this a try.
> Though I am not expecting it to work as KEYRING in general seems OK
> as proven by kinit successfully populating keyring.
>
> Thanks again for your feedback!
>
> Rainer
>
OK, not being one that wants to give up, I thought about this and the
problem seems to be that 'KRB5CCNAME' is not set, so I came up with a
way to set it.
Open /etc/bash.bashrc in your favourite editor and add this line to the
bottom:
export KRB5CCNAME="KEYRING:persistent:$UID:$UID"
Save and close the file.
Now log in as a domain user and open a terminal.
Running 'echo "$KRB5CCNAME"' should produce something like this:
KEYRING:persistent:11104:11104
Now run 'klist', it should produce something like this:
Ticket cache: KEYRING:persistent:11104:11104
Default principal: rowland at SAMDOM.EXAMPLE.COM
Valid starting     Expires            Service principal
30/10/25 08:25:35  30/10/25 18:25:35  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
	renew until 06/11/25 08:25:35
Rowland
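As an added check for the workaround above (example code written for this archive page, not from Rowland's or Samba's own code): a POSIX sh function that validates the KRB5CCNAME value against the logged-in user's uid, plus one that pulls the cache name out of klist output so the two can be compared. The names krb5cc_check and klist_cache_name are assumed.

```shell
#!/bin/sh
# Added example, not from the thread. krb5cc_check accepts a KRB5CCNAME
# value and a uid; it returns 0 only for a persistent keyring cache of the
# form KEYRING:persistent:<uid>[:<subsidiary>] owned by that uid, and
# prints the reason otherwise (an unset value is the EndeavourOS symptom).
krb5cc_check() {
    ccname=$1
    uid=$2
    case "$ccname" in
        "")
            echo "KRB5CCNAME is unset"; return 1 ;;
        KEYRING:persistent:*) ;;
        *)
            echo "not a persistent keyring cache: $ccname"; return 1 ;;
    esac
    rest=${ccname#KEYRING:persistent:}
    owner=${rest%%:*}          # uid part, up to the first ':' if any
    case "$owner" in
        ''|*[!0-9]*)
            echo "non-numeric uid in cache name: $owner"; return 1 ;;
    esac
    if [ "$owner" != "$uid" ]; then
        echo "cache belongs to uid $owner, not uid $uid"; return 1
    fi
    echo "ok: $ccname"
    return 0
}

# klist_cache_name reads klist output on stdin and prints the cache name
# from its "Ticket cache:" line, so it can be compared with $KRB5CCNAME.
klist_cache_name() {
    sed -n 's/^Ticket cache: //p' | head -n 1
}

# Constructed klist output, matching the shape shown in the reply.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:11104:11104
Default principal: rowland at SAMDOM.EXAMPLE.COM'

# Stand-alone usage: compare the live environment with what klist reports.
if [ -n "$KRB5CCNAME" ]; then
    krb5cc_check "$KRB5CCNAME" "$(id -u)"
else
    printf '%s\n' "$SAMPLE_KLIST" | klist_cache_name
fi
```

Because /etc/bash.bashrc is only read by interactive bash shells, sessions started without bash (a display manager session, cron) will not inherit the variable, so run the check from the same kind of session the user actually logs into.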