Rowland penny
2021-Feb-25 15:54 UTC
[Samba] pam_winbind stops working when use_krb5 is enabled
On 25/02/2021 15:41, cn--- via samba wrote:
> On 25.02.21 at 14:35, Rowland penny via samba wrote:
>
>>
>> You need pam-krb5, which I believe Red-hat has removed in RHEL 8
>
> You can do it this way:
>
> https://access.redhat.com/solutions/4256011
>
> The account is free but you need to log in.

I have a red-hat account but I can never see anything, but I take it that it is the same as this:

https://sssd.io/docs/users/pam_krb5_migration.html

If it is, then you are shooting yourself in the foot, the first thing you would have to do is to remove Samba as you cannot use sssd with Samba.

Rowland
Tim Miller
2021-Feb-26 04:20 UTC
[Samba] pam_winbind stops working when use_krb5 is enabled
Thanks to everyone who has weighed in on this.

Very annoying that Red Hat decided to do away with pam_krb5. Based on what I'm reading (both here and in other places), the preferred solution is to use realmd to join to a domain rather than samba, which isn't really what I want at all :-). Red Hat does provide instructions for using Samba to join a domain and using SSSD to handle the authentication, but I don't have a RHEL 7 system handy to try them on, so I can't speak for whether or not they work.

I do have one question about using pam_krb5 (or pam_sss, if such a thing would ever be possible). Is the basic idea to use pam_krb5 (or pam_sss) to get the Kerberos ticket, which pam_winbind would then use to authenticate the user? Based on the description of the "krb5_auth" parameter in the pam_winbind man page, I thought that the notion is that pam_winbind would go off to the DC and get the Kerberos ticket for me, decrypt it using my password, and then stuff it into whatever ticket cache I've configured. But if we're actually getting the ticket via pam_krb5, then I've clearly misunderstood what role pam_winbind is playing in the whole authentication operation.

Thanks again for everyone's assistance here!

Tim

On Thu, Feb 25, 2021 at 10:55 AM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 25/02/2021 15:41, cn--- via samba wrote:
> > On 25.02.21 at 14:35, Rowland penny via samba wrote:
> >
> >>
> >> You need pam-krb5, which I believe Red-hat has removed in RHEL 8
> >
> > You can do it this way:
> >
> > https://access.redhat.com/solutions/4256011
> >
> > The account is free but you need to log in.
> >
> I have a red-hat account but I can never see anything, but I take it
> that it is the same as this:
>
> https://sssd.io/docs/users/pam_krb5_migration.html
>
> If it is, then you are shooting yourself in the foot, the first thing
> you would have to do is to remove Samba as you cannot use sssd with Samba.
>
> Rowland