j T
2006-Apr-09 21:10 UTC
[Samba] Can pam_winbind be configured to issue Kerberos tickets on user validation?
Hi,

I have Samba 3 running on Fedora 4, configured to use pam_winbind to validate user logins against my W2K ADS. Logins are fully functional using names such as adsdomain.adsuser (I have the fullstop character configured as my winbind separator). This is all working fine.

What I would now like to do is to have a Kerberos ticket from the ADS Kerberos realm issued to the user that has just logged in, without the user having to re-validate themselves using kinit. The idea is that the ticket would be available to the Linux user for use with smbclient, etc., without them having to provide credentials that they have already provided at login...

I've tried to use the pam_krb5 module, but as PAM modules validate the user as given, pam_krb5 is trying to match the password to adsdomain.adsuser@ADSDOMAIN.REALM... so it fails.

Is there any way to make pam_winbind issue a Kerberos ticket to the user after they have been successfully validated?

My PAM "login" configuration file (which is the same as my "sshd" file) is as follows.

--- Top of: /etc/pam.d/login ---
#%PAM-1.0
auth required pam_securetty.so
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass likeauth nullok
auth required pam_deny.so
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_selinux.so close
session required pam_mkhomedir.so skel=/etc/skel umask=0077
session required pam_stack.so service=system-auth
session required pam_loginuid.so
session optional pam_timestamp.so
session optional pam_console.so
session required pam_selinux.so multiple open
--- End of: /etc/pam.d/login ---

Thanks for your help!

Jo

--
jT | mail to: hyvan_trant@hotmail.com
** | website: http://www.chiark.greenend.org.uk/~jsturner/
Volker Lendecke
2006-Apr-10 03:57 UTC
[Samba] Can pam_winbind be configured to issue Kerberos tickets on user validation?
On Sat, Apr 08, 2006 at 10:18:54AM +0000, j T wrote:
> What I would now like to do, is to have a Kerberos ticket from the ADS
> Kerberos realm issued to the user that has just logged in, without the user
> having to re-validate themselves using kinit.

3.0.23 will have that feature, thanks to Günther Deschner.

Volker