Hello everybody,

I tried to get rid of credential caches stored in temporary files. So I found the pam_winbind option krb5_ccache_type. Originally this was set to FILE, so I set it to KEYRING. But when I now log in to my user, I don't get a ticket at all. In /var/log/auth.log I found this passage:

sshd[1064]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'KEYRING:persistent:UID'
sshd[1413]: pam_winbind(sshd:auth): enabling krb5 login flag
sshd[1413]: pam_winbind(sshd:auth): enabling cached login flag
sshd[1413]: pam_winbind(sshd:auth): enabling request for a KEYRING:persistent:UID krb5 ccache
sshd[1413]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
sshd[1413]: pam_winbind(sshd:auth): user 'user' granted access
sshd[1413]: pam_winbind(sshd:auth): Returned user was 'user'
sshd[1413]: pam_winbind(sshd:auth): [pamh: 0x5610ed0b9e00] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
sshd[1413]: Accepted password for user from 129.206.201.242 port 48370 ssh2
sshd[1413]: pam_winbind(sshd:setcred): [pamh: 0x5610ed0b9e00] ENTER: pam_sm_setcred (flags: 0x0002)
sshd[1413]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
sshd[1413]: pam_winbind(sshd:setcred): [pamh: 0x5610ed0b9e00] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
sshd[1413]: pam_unix(sshd:session): session opened for user user(uid=10793) by (uid=0)
systemd-logind[425]: New session 5 of user user.
sshd[1425]: pam_winbind(sshd:setcred): [pamh: 0x5610ed0b9e00] ENTER: pam_sm_setcred (flags: 0x0002)
sshd[1425]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
sshd[1425]: pam_winbind(sshd:setcred): [pamh: 0x5610ed0b9e00] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)

The suspicious line might be "PAM_ESTABLISH_CRED not implemented", but I switched it back to FILE and there was the same line:

sshd[1060]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE'
sshd[1060]: pam_winbind(sshd:auth): enabling krb5 login flag
sshd[1060]: pam_winbind(sshd:auth): enabling cached login flag
sshd[1060]: pam_winbind(sshd:auth): enabling request for a FILE krb5 ccache
sshd[1060]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
sshd[1060]: pam_winbind(sshd:auth): user 'user' granted access
sshd[1060]: pam_winbind(sshd:auth): request returned KRB5CCNAME: FILE:/tmp/krb5cc_10793
sshd[1060]: pam_winbind(sshd:auth): Returned user was 'user'
sshd[1060]: pam_winbind(sshd:auth): [pamh: 0x55bd0c32fe00] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
sshd[1060]: Accepted password for user from 129.206.201.242 port 48372 ssh2
sshd[1060]: pam_winbind(sshd:setcred): [pamh: 0x55bd0c32fe00] ENTER: pam_sm_setcred (flags: 0x0002)
sshd[1060]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
sshd[1060]: pam_winbind(sshd:setcred): [pamh: 0x55bd0c32fe00] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)

I found an old discussion about this topic (https://lists.samba.org/archive/samba/2020-August/231254.html) but there were no further answers. Is there someone successfully using this option?

Best regards
Christian
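The two traces above differ in exactly one pam_winbind line: the FILE login has "request returned KRB5CCNAME: ...", the KEYRING login does not, so no ticket ever reaches the session. As an added diagnostic example (not code from the post, and not part of Samba), here is a small Python parser that groups pam_winbind messages in auth.log by sshd PID and flags successful logins that requested a krb5 ccache but never got one back. The sample lines are constructed from the post's excerpt; the function and class names, and the tolerance for a leading syslog timestamp/host prefix, are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: pam_winbind lines taken from the two logins in the post,
# one with krb5_ccache_type KEYRING (pid 1413), one with FILE (pid 1060).
SAMPLE_LOG = """\
sshd[1413]: pam_winbind(sshd:auth): enabling request for a KEYRING:persistent:UID krb5 ccache
sshd[1413]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
sshd[1413]: pam_winbind(sshd:auth): user 'user' granted access
sshd[1413]: pam_winbind(sshd:auth): Returned user was 'user'
sshd[1413]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
sshd[1060]: pam_winbind(sshd:auth): enabling request for a FILE krb5 ccache
sshd[1060]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
sshd[1060]: pam_winbind(sshd:auth): user 'user' granted access
sshd[1060]: pam_winbind(sshd:auth): request returned KRB5CCNAME: FILE:/tmp/krb5cc_10793
sshd[1060]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
"""

# Assumption: an optional syslog prefix (timestamp and host) may precede the
# "sshd[pid]:" tag, as in a real auth.log; the post's excerpt has it stripped.
LINE_RE = re.compile(
    r"^(?:.*\s)?sshd\[(?P<pid>\d+)\]: pam_winbind\((?P<svc>[^)]+)\): (?P<msg>.*)$")
REQUEST_RE = re.compile(r"^enabling request for a (?P<type>\S+) krb5 ccache$")
RETURNED_RE = re.compile(r"^request returned KRB5CCNAME: (?P<name>\S+)$")
GRANTED_RE = re.compile(r"^user '(?P<user>[^']+)' granted access$")


@dataclass
class LoginAttempt:
    pid: str
    user: Optional[str] = None             # set once pam_winbind granted access
    requested_type: Optional[str] = None   # from the "enabling request" line
    returned_ccache: Optional[str] = None  # from the KRB5CCNAME line, if any

    @property
    def ccache_missing(self) -> bool:
        """Auth succeeded and a ccache was requested, but winbindd never
        reported a KRB5CCNAME back: the user ends up without a ticket."""
        return (self.user is not None
                and self.requested_type is not None
                and self.returned_ccache is None)

    @property
    def ccache_in_tmp(self) -> bool:
        """The returned cache is a FILE cache under /tmp, i.e. the
        temporary-file situation the poster wanted to move away from."""
        return (self.returned_ccache or "").startswith("FILE:/tmp/")


def parse_pam_winbind_log(text: str) -> Dict[str, LoginAttempt]:
    """Group pam_winbind messages by sshd PID into LoginAttempt records,
    preserving the order in which each PID first appears."""
    attempts: Dict[str, LoginAttempt] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pam_winbind line
        attempt = attempts.setdefault(m["pid"], LoginAttempt(pid=m["pid"]))
        msg = m["msg"]
        if (r := REQUEST_RE.match(msg)):
            attempt.requested_type = r["type"]
        elif (r := RETURNED_RE.match(msg)):
            attempt.returned_ccache = r["name"]
        elif (r := GRANTED_RE.match(msg)):
            attempt.user = r["user"]
    return attempts


def find_missing_ccaches(text: str) -> List[str]:
    """PIDs (in log order) of successful logins that requested a ccache
    and never got one back."""
    return [pid for pid, a in parse_pam_winbind_log(text).items()
            if a.ccache_missing]


if __name__ == "__main__":
    for pid, a in parse_pam_winbind_log(SAMPLE_LOG).items():
        status = "NO CCACHE RETURNED" if a.ccache_missing else a.returned_ccache
        print(f"sshd[{pid}] user={a.user} requested={a.requested_type} -> {status}")
```

Run against a full auth.log (with pam_winbind debug logging enabled, as in the post) the script separates "authentication worked but no cache came back" from a genuine authentication failure, which is the first thing to establish before digging into which process actually holds the keyring.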
On Mon, 2022-09-12 at 12:39 +0200, Christian Merten via samba wrote:
> Hello everybody,
>
> I tried to get rid of credential caches stored in temporary files. So I
> found the pam_winbind option krb5_ccache_type. Originally this was set
> to FILE, so I set it to KEYRING. But when I now login into my user, I
> don't get a ticket at all.

Does this work with other tools like sssd? I ask because that might indicate the correct programming tricks to make this work.

The issue as I see it is that pam_winbindd doesn't get the ticket, winbindd does, operating on the other side of a unix domain socket, and assuming it is compiled with MIT kerberos, it can set into a KEYRING, but why would it be the same kernel keyring as the pam_winbindd process? The file-based options work because a seteuid() is enough to have the file written by the right owner, but unless somehow winbindd is put into the login session for a bit, why would it be in the right session?

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba