samba4 + kerberos + pam

Denis Cardon denis.cardon at tranquil-it-systems.fr
Tue May 14 06:20:25 MDT 2013 

Hi David,

> I have a problem with samba4 and PAM Kerberos Authentication.
>
> I can login to my machine using the domain user/password (using pam) and manually create the Kerberos ticket (kinit).
> Now I want to automatically create a kerberos ticket on login.
>
> As stated in the wiki (https://wiki.samba.org/index.php/PAM_Kerberos_Authentication) I need to create the config file in /etc/security/pam_winbind.conf with the corresponding settings.
>
> krb5_auth = yes
> krb5_ccache_type = FILE
>
> Im nearly sure that this file is used since I can set the debug option in there and it is used. When I login with a domain user /var/log/auth.log states success of kerberos and I have a shell, but no ticket is created.
>
> I'm using a self compiled version of samba (4.0.5).
>
> Is this a bug in samba4 or am I missing something?

here we are using samba 4.0.5 AD server and pam_winbind auth for linux 
clients and it does create the credential cache file properly. My Linux 
clients are debian squeeze or wheezy based, and I have no experience 
with redhat flavored linux though.

By the way I don't see why the kerberos cache on client would have 
something to do with the kerberos server.

I don't know if there is an equivalent of /etc/security/pam_winbind.conf 
on debian, but I have the same parameters directly in the pam.d files :

$ cat /etc/pam.d/common-session
session	 [default=1]			pam_permit.so
session	 requisite			pam_deny.so
session	 required			pam_permit.so
session	 required	                pam_unix.so
session	 optional			pam_ck_connector.so nox11
session	 required			pam_mkhomedir.so silent skel=/etc/skel.empty
session  optional                       pam_winbind.so krb5_auth 
krb5_ccache_type=FILE

I am sure my credential cache is correctly populated at logon since I 
use it for authentication on apache and file servers.

Cheers,

Denis

>
> Thanks!
>
> David
>


-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

More information about the samba-technical mailing list