On 21/01/2021 13:28, Jon Gerdes via samba wrote:
> Dale
>
> I have just been down this rabbit hole. Winbind sets KRB5CCNAME when you use pam_winbind. If you set eg
>
> krb5_ccache_type = FILE:/var/lib/krb5cc/krb5cc_%u
>
> in pam_winbind.conf then it should work. For me it doesn't 8( . The code is in source3/winbindd/winbindd_pam.c and it
> looks correct. I can see the %u thing mentioned in the code that looks for FILE:/ at the start of krb5_ccache_type. My
> systemd journal reports:
>
> login[5550]: pam_winbind(login:auth): CONFIG file: krb5_ccache_type 'FILE:/var/lib/krb5cc/krb5cc_%u'
>
> If I set this in /etc/krb5.conf:
>
> [libdefaults]
> default_ccache_name = FILE:/var/lib/krb5cc/krb5cc_%{uid}
>
> then kinit creates the cache correctly. Winbind ignores that I think and does its own thing instead and sets KRB5CCNAME
> to override krb5.conf.
>

OK, can you try this (tested on Debian Buster with Samba 4.12.9):

As root, create a directory

mkdir /temp

Alter /etc/krb5.conf to match this:

[libdefaults]
        default_realm = SAMDOM.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

[appdefaults]
        ccache = krb5cc_%u
        ccache_dir = FILE:/temp

Replace 'SAMDOM.EXAMPLE.COM' with your realm.

Alter /etc/pam.d/common-auth

Change:

auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=10000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

To:

auth    [success=3 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE:/temp/krb5cc_%u cached_login try_first_pass
auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass

Now log out and log in as a domain user, you should now find a kerberos ticket in temp.

Log out again and disconnect from network, then log in again as the user.

Rowland
On 21/01/21 16:05, Rowland penny via samba wrote:
> OK, can you try this (tested on Debian Buster with Samba 4.12.9):
>
> As root, create a directory
>
> mkdir /temp
>
> Alter /etc/krb5.conf to match this:
>
> [libdefaults]
>         default_realm = SAMDOM.EXAMPLE.COM
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> [appdefaults]
>         ccache = krb5cc_%u
>         ccache_dir = FILE:/temp
>
> Replace 'SAMDOM.EXAMPLE.COM' with your realm.
>
> Alter /etc/pam.d/common-auth
>
> Change:
>
> auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=10000
> auth    [success=2 default=ignore]      pam_unix.so nullok_secure
> try_first_pass
> auth    [success=1 default=ignore]      pam_winbind.so krb5_auth
> krb5_ccache_type=FILE cached_login try_first_pass
>
> To:
>
> auth    [success=3 default=ignore]      pam_winbind.so krb5_auth
> krb5_ccache_type=FILE:/temp/krb5cc_%u cached_login try_first_pass
> auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
> auth    [success=1 default=ignore]      pam_unix.so nullok_secure
> try_first_pass
>
> Now log out and log in as a domain user, you should now find a
> kerberos ticket in temp.
>
> Log out again and disconnect from network, then log in again as the user.

Yes, I can confirm that works even on debian with samba 4.13.3... but have you tried to reboot the machine? On my debian, if I reboot, the cache file disappears from /temp and cached login doesn't work :(

Piviul
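Added example, not code from the thread or from Samba: a POSIX shell check that expands a pam_winbind krb5_ccache_type template (the FILE:/temp/krb5cc_%u form from Rowland's reply) for a given user, then verifies that the resulting cache file exists, is owned by that user and is not group/world readable, and warns when the cache directory is on a tmpfs, since a tmpfs does not survive a reboot. The function names, the tmpfs heuristic and the use of GNU stat's -f option are assumptions; the thread does not establish why Piviul's cache file disappears.

```shell
#!/bin/sh
# Added example (not from the thread): resolve a krb5_ccache_type template
# for a user and sanity-check the cache file pam_winbind should have written.
# Assumes the FILE:/path/krb5cc_%u form, where %u is the login name.

# ccache_path TEMPLATE USER -> prints the on-disk path the template expands to
ccache_path() {
    tmpl=$1
    user=$2
    # strip the "FILE:" prefix if present
    case $tmpl in
        FILE:*) tmpl=${tmpl#FILE:} ;;
    esac
    # replace every %u with the user name (pure shell, no sed dependency)
    out=""
    rest=$tmpl
    while [ -n "$rest" ]; do
        case $rest in
            *%u*) out="$out${rest%%%u*}$user"; rest=${rest#*%u} ;;
            *)    out="$out$rest"; rest="" ;;
        esac
    done
    printf '%s\n' "$out"
}

# check_ccache TEMPLATE USER -> exit 0 when the cache file exists and is owned
# by USER; prints findings, including warnings about tmpfs and loose modes.
check_ccache() {
    path=$(ccache_path "$1" "$2")
    dir=$(dirname "$path")
    if [ ! -d "$dir" ]; then
        echo "missing cache directory: $dir"
        return 1
    fi
    # GNU stat: %T with -f prints the filesystem type of the directory (assumption)
    fstype=$(stat -f -c %T "$dir" 2>/dev/null || echo unknown)
    if [ "$fstype" = tmpfs ]; then
        echo "warning: $dir is on tmpfs; its contents do not survive a reboot"
    fi
    if [ ! -f "$path" ]; then
        echo "no cache file at $path"
        return 1
    fi
    owner=$(stat -c %U "$path" 2>/dev/null || echo unknown)
    mode=$(stat -c %a "$path" 2>/dev/null || echo unknown)
    if [ "$owner" != "$2" ]; then
        echo "cache $path is owned by $owner, not $2"
        return 1
    fi
    # last two octal digits are group and other; a ticket cache should be 600
    grp_oth=${mode#"${mode%??}"}
    if [ "$grp_oth" != 00 ]; then
        echo "warning: cache $path has mode $mode (group/other can read it)"
    fi
    echo "ok: $path owner=$owner mode=$mode fstype=$fstype"
    return 0
}

# Stand-alone usage: sh check_ccache.sh USER [TEMPLATE]
if [ $# -ge 1 ]; then
    check_ccache "${2:-FILE:/temp/krb5cc_%u}" "$1"
fi
```

Run it as the domain user right after login, then again after a reboot while still disconnected from the network: if the first run prints ok and the second reports no cache file, the ticket was written but did not persist, and the tmpfs warning tells you whether the directory itself is the reason.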