On 7/28/2020 4:11 PM, Jason Keltz wrote:
>
> On 7/28/2020 3:59 PM, Jason Keltz via samba wrote:
>> I'm experimenting with smb + winbind.
>>
>> My host is joined to AD and I can login to my host fine using my AD
>> credentials via SSH. The only issue is that I don't get a Kerberos
>> ticket generated.
>>
>> In /etc/security/pam_winbind.conf I have:
>>
>> krb5_auth = yes
>>
>> krb5_ccache_type = KEYRING
>>
>> In /etc/krb5.conf, I also have:
>>
>> default_ccache_name = KEYRING:persistent:%{uid}
>>
>> Using wbinfo -K jas, then entering my password, I see:
>>
>> plaintext kerberos password authentication for [jas] succeeded
>> (requesting cctype: FILE)
>> credentials were put in: FILE:/tmp/krb5cc_1004
>>
>> [It writes the keyring to a file even though I've specified KEYRING.
>> I don't know if wbinfo automatically writes to FILE or whether it
>> reads pam_winbind.conf and should be writing to KEYRING.]
>>
>> If I remove the file, and ssh to the system, I don't get a Kerberos
>> ticket.
>>
>> I know the pam_winbind.conf file is being read on login because the
>> "require_membership_of" line I'm using works.
>>
>> Any thoughts?
>>
>> Jason
>
> By the way, just to add, /etc/pam.d/password-auth and
> /etc/pam.d/system-auth both look like this:
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        required      pam_faildelay.so delay=2000000
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
> auth        sufficient    pam_winbind.so cached_login use_first_pass
> auth        required      pam_deny.so
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
> account     required      pam_permit.so
> password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_winbind.so use_authtok
> password    required      pam_deny.so
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session    optional      pam_systemd.so
> session     optional      pam_oddjob_mkhomedir.so umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_winbind.so cached_login
I noticed that wbinfo has a --krb5ccname arg so I tried:
% klist
klist: Credentials cache keyring 'persistent:1004:1004' not found
% /xsys/pkg/samba/bin/wbinfo --krb5ccname="KEYRING" -K jas
Enter jas's password:
plaintext kerberos password authentication for [jas] succeeded
(requesting cctype: KEYRING)
brayden 305 % klist
klist: Credentials cache keyring 'persistent:1004:1004' not found
I also enabled extended debugging and during login:
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] ENTER:
> pam_sm_authenticate (flags: 0x0000)
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE:
> ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_USER)
> = "jas" (0xb4fd60)
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_TTY) =
> "xrdp-sesman" (0xb4d6a0)
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE:
> ITEM(PAM_AUTHTOK) = 0xb4fd80
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_CONV)
> = 0xb47530
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): getting password (0x000013d1)
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): pam_get_item returned a password
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): Verify user 'jas'
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): CONFIG file: require_membership_of
> 'EECSYORKUCA\hc_research'
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): CONFIG file: krb5_ccache_type 'KEYRING'
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): enabling krb5 login flag
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): enabling cached login flag
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): enabling request for a KEYRING krb5 ccache
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): no sid given, looking up:
> EECSYORKUCA\hc_research
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): request wbcLogonUser succeeded
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): user 'jas' granted access
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): Returned user was 'jas'
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] LEAVE:
> pam_sm_authenticate returning 0 (PAM_SUCCESS)
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE:
> ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_USER)
> = "jas" (0xb52510)
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_TTY) =
> "xrdp-sesman" (0xb4d6a0)
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE:
> ITEM(PAM_AUTHTOK) = 0xb4fd80
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_CONV)
> = 0xb47530
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE:
> DATA(PAM_WINBIND_HOMEDIR) = "\\PCSERVER1\homes" (0xb52e00)
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE:
> DATA(PAM_WINBIND_LOGONSCRIPT) = "default.bat" (0xb52e80)
> Jul 29 09:33:53 brayden xrdp-sesman[1652]:
> pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE:
> DATA(PAM_WINBIND_LOGONSERVER) = "DC1" (0xb54280)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] ENTER:
> pam_sm_setcred (flags: 0x0002)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
> ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
> ITEM(PAM_USER) = "jas" (0xb52510)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
> ITEM(PAM_TTY) = ":15" (0xb4c9f0)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
> ITEM(PAM_CONV) = 0xb47530
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
> DATA(PAM_WINBIND_HOMEDIR) = "\\PCSERVER1\homes" (0xb52e00)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
> DATA(PAM_WINBIND_LOGONSCRIPT) = "default.bat" (0xb52e80)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
> DATA(PAM_WINBIND_LOGONSERVER) = "DC1" (0xb54280)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:setcred): PAM_ESTABLISH_CRED not implemented
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] LEAVE:
> pam_sm_setcred returning 0 (PAM_SUCCESS)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
> ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
> ITEM(PAM_USER) = "jas" (0xb52510)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
> ITEM(PAM_TTY) = ":15" (0xb4c9f0)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
> ITEM(PAM_CONV) = 0xb47530
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
> DATA(PAM_WINBIND_HOMEDIR) = "\\PCSERVER1\homes" (0xb52e00)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
> DATA(PAM_WINBIND_LOGONSCRIPT) = "default.bat" (0xb52e80)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:setcred): [pamh: 0xb4cac0] STATE:
> DATA(PAM_WINBIND_LOGONSERVER) = "DC1" (0xb54280)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] ENTER:
> pam_sm_open_session (flags: 0x0000)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
> ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
> ITEM(PAM_USER) = "jas" (0xb52510)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
> ITEM(PAM_TTY) = ":15" (0xb4c9f0)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
> ITEM(PAM_CONV) = 0xb47530
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
> DATA(PAM_WINBIND_HOMEDIR) = "\\PCSERVER1\homes" (0xb52e00)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
> DATA(PAM_WINBIND_LOGONSCRIPT) = "default.bat" (0xb52e80)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
> DATA(PAM_WINBIND_LOGONSERVER) = "DC1" (0xb54280)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] LEAVE:
> pam_sm_open_session returning 0 (PAM_SUCCESS)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
> ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
> ITEM(PAM_USER) = "jas" (0xb52510)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
> ITEM(PAM_TTY) = ":15" (0xb4c9f0)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
> ITEM(PAM_CONV) = 0xb47530
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
> DATA(PAM_WINBIND_HOMEDIR) = "\\PCSERVER1\homes" (0xb52e00)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
> DATA(PAM_WINBIND_LOGONSCRIPT) = "default.bat" (0xb52e80)
> Jul 29 09:33:53 brayden xrdp-sesman[2936]:
> pam_winbind(xrdp-sesman:session): [pamh: 0xb4cac0] STATE:
> DATA(PAM_WINBIND_LOGONSERVER) = "DC1" (0xb54280)
I removed default_ccache_name from /etc/krb5.conf and set
krb5_ccache_type = FILE in pam_winbind.conf, and that worked.
Albeit, I'm running an older version of Samba at this moment (4.10), and
it's possible KEYRING doesn't work here. I thought it was valid.
Rowland?
Now, when I login to a system, I get the Kerberos ticket. However, if I
ssh to another system, the ticket doesn't transfer.
I see something interesting in the last comment on this page:
https://forums.centos.org/viewtopic.php?t=59441
The last comment: "It was necessary in the computer account properties
centos on a domain controller to include a tick "Trust this computer for
delegation to any service."". I wonder if this is the solution, but
it's not clear what this does or how I do this with Samba CLI. I need
the Kerberos ticket to transfer with SSH (yes, the SSH client and server
config allows GSSAPI).
Jason.
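Two things in this thread are worth checking from the shell before touching AD: which ccache type the ticket actually landed in (the wbinfo run above reports FILE while the config asks for KEYRING), and whether the TGT can be forwarded at all. With OpenSSH and MIT Kerberos the client forwards the TGT itself when GSSAPIDelegateCredentials is yes and the TGT carries the forwardable flag (forwardable = true under [libdefaults] in krb5.conf); the "Trust this computer for delegation to any service" tick from the CentOS forum is unconstrained delegation on the server's computer account, a broad grant that this path does not need. The caveat is the other direction: delegating hands the remote host a usable copy of your TGT, so it should be enabled for named hosts, not under Host *. The script below is an added example, not code from the poster or from Samba; the klist output, realm and the *.eecs.example host pattern are constructed placeholders.

```sh
#!/bin/sh
# Added example: parse klist -f and ssh_config text so the checks run
# offline. With real input: ccache_type "$(klist -f)" and
# gssapi_delegation_scope "$(cat ~/.ssh/config)".

# Constructed klist -f output (placeholder realm, not captured from a real host).
SAMPLE_KLIST_KEYRING='Ticket cache: KEYRING:persistent:1004:1004
Default principal: jas@EXAMPLE.COM

Valid starting       Expires              Service principal
07/29/2020 09:33:53  07/29/2020 19:33:53  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 08/05/2020 09:33:53, Flags: FRIA'

# Same ticket in a FILE cache, obtained without the forwardable flag.
SAMPLE_KLIST_FILE='Ticket cache: FILE:/tmp/krb5cc_1004
Default principal: jas@EXAMPLE.COM

Valid starting       Expires              Service principal
07/29/2020 09:33:53  07/29/2020 19:33:53  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 08/05/2020 09:33:53, Flags: RIA'

# Constructed ssh_config fragments; the host pattern is hypothetical.
SAMPLE_SSH_GLOBAL='Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes'

SAMPLE_SSH_SCOPED='# forward the TGT only to hosts in one trusted domain
Host *.eecs.example
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no'

# Print the ccache type (KEYRING, FILE, ...) named on the "Ticket cache:" line.
ccache_type() {
    printf '%s\n' "$1" | awk -F'[: \t]+' '/^Ticket cache:/ { print $3; exit }'
}

# Return 0 when the krbtgt ticket carries the F (forwardable) flag.
# klist prints the flags either on the krbtgt line or on the "renew until"
# line that follows it; both layouts are handled. Lowercase f (forwarded)
# does not count.
tgt_forwardable() {
    printf '%s\n' "$1" | awk '
        function has_f(line,   f) { f = line; sub(/.*Flags:[ \t]*/, "", f); return index(f, "F") > 0 }
        /krbtgt\// { if (/Flags:/) { if (has_f($0)) ok = 1 } else tgt = 1; next }
        tgt && /Flags:/ { if (has_f($0)) ok = 1 }
        { tgt = 0 }
        END { exit (ok ? 0 : 1) }'
}

# Classify GSSAPIDelegateCredentials: none, global (set under "Host *", so
# every server receives the TGT) or scoped (set only under named hosts).
# Assumes "keyword value" syntax and one pattern per Host line.
gssapi_delegation_scope() {
    printf '%s\n' "$1" | awk '
        BEGIN { host = "*" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "host" { host = $2; next }
        tolower($1) == "gssapidelegatecredentials" && tolower($2) == "yes" {
            if (host == "*") global = 1; else scoped = 1
        }
        END { print (global ? "global" : (scoped ? "scoped" : "none")) }'
}

# Stand-alone run over the constructed samples.
for s in "$SAMPLE_KLIST_KEYRING" "$SAMPLE_KLIST_FILE"; do
    printf 'ccache=%s forwardable=%s\n' "$(ccache_type "$s")" \
        "$(tgt_forwardable "$s" && echo yes || echo no)"
done
printf 'global config: %s\nscoped config: %s\n' \
    "$(gssapi_delegation_scope "$SAMPLE_SSH_GLOBAL")" \
    "$(gssapi_delegation_scope "$SAMPLE_SSH_SCOPED")"
```

If tgt_forwardable fails on a ticket obtained through pam_winbind, the fix is on the client side (forwardable = true in krb5.conf, then log in again), not on the AD computer account; if it passes and the ticket still does not arrive on the remote host, compare the remote sshd_config for GSSAPIAuthentication yes and the ccache the remote pam stack expects.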