Hi again,
According to the man files it should work, but I'm not even getting close to
solving this issue :-/
I have maxed out logging but nothing seems to have anything to do with this.
I have tried to run "strace su - username" and on the winbindd process, and
I can't see anything that even tries to write a krb5cc.
What part of the system should create the cc files?
Can anyone please give me a hint how I can trace this problem?
BR
Emil Assarsson
-----Original Message-----
From: Assarsson, Emil
Sent: Monday, 29 November 2010 16:13
To: samba at lists.samba.org
Subject: Getting no ticket cache from pam_winbind
Hi all,
I'm trying to get pam_winbind to create a ticket cache on login if the AD is
available.
Please note that this is an Ubuntu Lucid system.
When I trace this with Wireshark it receives a TGT ticket for the user.
The current solution is to use pam_krb5 before attempting winbind. That gives me
a ticket cache.
The main problem is that if the user enters the wrong password it does two login
attempts with
the same credentials (or I have to do a messy config in pam).
----- /etc/pam.d/common-auth -----
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
auth [default=done] pam_afs_session.so
------
Best regards
Emil Assarsson
Sony Ericsson Mobile Communications AB