samba4 + kerberos + pam
Denis Cardon
denis.cardon at tranquil-it-systems.fr
Tue May 14 06:20:25 MDT 2013
Hi David,
> I have a problem with samba4 and PAM Kerberos Authentication.
>
> I can login to my machine using the domain user/password (using pam) and manually create the Kerberos ticket (kinit).
> Now I want to automatically create a kerberos ticket on login.
>
> As stated in the wiki (https://wiki.samba.org/index.php/PAM_Kerberos_Authentication) I need to create the config file in /etc/security/pam_winbind.conf with the corresponding settings.
>
> krb5_auth = yes
> krb5_ccache_type = FILE
>
> I'm nearly sure that this file is used since I can set the debug option in there and it is used. When I login with a domain user /var/log/auth.log states success of kerberos and I have a shell, but no ticket is created.
>
> I'm using a self compiled version of samba (4.0.5).
>
> Is this a bug in samba4 or am I missing something?
Here we are using samba 4.0.5 AD server and pam_winbind auth for linux
clients and it does create the credential cache file properly. My Linux
clients are debian squeeze or wheezy based, and I have no experience
with redhat flavored linux though.
By the way I don't see why the kerberos cache on client would have
something to do with the kerberos server.
I don't know if there is an equivalent of /etc/security/pam_winbind.conf
on debian, but I have the same parameters directly in the pam.d files :
$ cat /etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_ck_connector.so nox11
session required pam_mkhomedir.so silent skel=/etc/skel.empty
session optional pam_winbind.so krb5_auth krb5_ccache_type=FILE
I am sure my credential cache is correctly populated at logon since I
use it for authentication on apache and file servers.
Cheers,
Denis
>
> Thanks!
>
> David
>
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
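
The two checks this thread turns on (are the krb5 options really on the pam_winbind entry, and is a credential cache file there after login), as an added example that is not part of the original message. The function names are hypothetical; the option names are the ones quoted in the thread, and the owner-only permission test on the cache file is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# winbind_krb5_lines FILE
# Prints one line per pam_winbind.so entry in a PAM stack file: "<type>: ok"
# when the entry carries both krb5_auth and krb5_ccache_type=..., otherwise
# "<type>: missing <options>". Returns 0 only if at least one entry is ok.
winbind_krb5_lines() {
    awk '
        /\\$/ { sub(/\\$/, " "); buf = buf $0; next }   # join continued lines
        {
            line = buf $0; buf = ""
            sub(/#.*/, "", line)                         # drop comments
            if (line !~ /pam_winbind\.so/) next
            $0 = line                                    # re-split into fields
            auth = cc = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "krb5_auth") auth = 1
                if ($i ~ /^krb5_ccache_type=/) cc = 1
            }
            miss = ""
            if (!auth) miss = miss " krb5_auth"
            if (!cc) miss = miss " krb5_ccache_type"
            if (miss == "") { print $1 ": ok"; good = 1 }
            else print $1 ": missing" miss
        }
        END { exit good ? 0 : 1 }
    ' "$1"
}

# ccache_file_ok NAME
# NAME is a KRB5CCNAME-style value ("FILE:/path" or a bare path). Returns 0
# when the cache file exists, is non-empty and only its owner can access it
# (the owner-only test is an assumption of this example).
ccache_file_ok() {
    path=${1#FILE:}
    [ -f "$path" ] && [ -s "$path" ] || return 1
    case $(ls -ld "$path") in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh check.sh /etc/pam.d/common-session   (run from the login shell)
if [ $# -gt 0 ]; then
    winbind_krb5_lines "$1" || echo "no pam_winbind entry has both options"
    ccache_file_ok "${KRB5CCNAME:-}" && echo "ccache: ok" || echo "ccache: missing or too open"
fi
```

An entry whose options were wrapped onto a second line without a trailing backslash is reported as missing the wrapped option, because PAM reads the second line as a separate entry.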