On Tue, 28 Oct 2025 00:23:30 +0100 Rainer Meier via samba <samba at lists.samba.org> wrote:
> Hello Samba experts
>
> I am having issues or misunderstanding how to use pam_winbind
> Kerberos storing caches in keyring.
>
> However performing "klist" after login returning:
>
> klist: Credentials cache keyring 'persistent:<UID>:<UID>' not found.
>
> And during logout I see this in the debug log of pam_winbind:
>
> username [testuser] obtained
> user has no KRB5CCNAME environment
> request wbcLogoffUser succeeded
> user 'testuser' OK
>
> So either I am missing something or pam_winbind does not set
> KRB5CCNAME environment variable properly (I checked, it's not set).
> Using pam_krb5 it is set but as of my understanding I don't need
> pam_krb5 in addition to pam_winbind. Or I should not need it.
>
> To me it looks like pam_winbind is not properly adding the caches to
> keyring and not setting the KRB5CCNAME variable. Therefore also
> krenew is not working.
>

I run Debian as standard, so normally the kerberos cache goes into /tmp and just works, but it should work. I don't have Samba running on Arch, the nearest I have is a Rocky Linux 10 VM running as a DC, so I set that up using your /etc/security/pam_winbind.conf settings and added 'default_ccache_name = KEYRING:persistent:%{uid}' to the '[libdefaults]' section of the /etc/krb5.conf file.

I logged in and ran this:

echo "$KRB5CCNAME"

Which returned this:

KEYRING:persistent:3000016

So I ran 'klist', which returned this:

Ticket cache: KEYRING:persistent:3000016:3000016
Default principal: rowland at AD.HOME.ARPA

Valid starting       Expires              Service principal
28/10/25 10:07:05    28/10/25 20:07:05    RL10$@AD.HOME.ARPA
        renew until 04/11/25 10:07:05
28/10/25 10:07:05    28/10/25 20:07:05    krbtgt/AD.HOME.ARPA at AD.HOME.ARPA
        renew until 04/11/25 10:07:05

I then altered /etc/krb5.conf to add some of your other settings:

[libdefaults]
        default_realm = AD.HOME.ARPA
        dns_lookup_realm = false
        dns_lookup_kdc = true
        default_ccache_name = KEYRING:persistent:%{uid}

[realms]
        AD.HOME.ARPA = {
                default_domain = ad.home.arpa
                ticket_lifetime = 7d
                renew_lifetime = 14d
                forwardable = true
                proxiable = false
                minimum_uid = 1
        }

[domain_realm]
        rl10 = AD.HOME.ARPA

And logged out and in again, it still worked, try my /etc/krb5.conf (altered to your REALM etc).

Rowland
rme at bluemail.ch
2025-Oct-28 17:08 UTC
[Samba] KRB5 pam_winbind using KEYRING does not work
Your config looks basically identical to my one.
> I run Debian as standard, so normally the kerberos cache goes into
> /tmp
> and just works, but it should work.
Actually yes, using files it works out of the box. But not when using
KEYRING.
> so I set that up using your
> /etc/security/pam_winbind.conf settings and added
> 'default_ccache_name = KEYRING:persistent:%{uid}' to the
> '[libdefaults]' section of the /etc/krb5.conf file.
Actually as soon as I insert "krb5_ccache_type = KEYRING" into the
Global section of /etc/security/pam_winbind.conf then winbind fails to
create the cache entries in KEYRING. There is also no KRB5CCNAME
variable defined.
> I logged in and ran this: echo "$KRB5CCNAME"
Do you by any chance also have pam_krb5.so enabled in your PAM
configuration? If yes, then it is perhaps not pam_winbind.so setting
KRB5CCNAME but pam_krb5 instead.
Yes I can do this and it works fine using pam_krb5 but purely using
pam_winbind it does not.
It should not be required to run pam_krb5 before invoking pam_winbind in
order to set the KRB5CCNAME and somehow force pam_winbind to use the
KEYRING.
I will do some more tests with and without pam_krb5 enabled. But I was
unable yet to convince pam_winbind to write anything to the keyring.
Even if I manually set KRB5CCNAME=KEYRING:persistent:<UID> it is simply
empty. So pam_winbind does not populate it.
br,
Rainer
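As an added diagnostic helper (my own code, not from either poster), a small POSIX sh script that reproduces Rowland's check in a testable form: it classifies the cache named in KRB5CCNAME, expands the krb5.conf default_ccache_name template for a uid, and flags the two symptoms Rainer reports (KRB5CCNAME unset, and klist's "not found"). The function names and the sample klist line are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic for the KEYRING ccache problem discussed in the thread.
# Compares the session's KRB5CCNAME with krb5.conf's default_ccache_name
# and classifies the klist result. Names below are constructed, not Samba's.

# Print the ccache type for a name: "KEYRING", "FILE", "DIR", ...
# A name with no TYPE: prefix is a FILE cache by MIT krb5 convention.
ccache_type() {
    case "$1" in
        '')  printf 'UNSET\n' ;;
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# Expand the %{uid} placeholder of a default_ccache_name template.
expand_ccache_template() {
    tpl=$1; uid=$2
    printf '%s\n' "$tpl" | sed "s/%{uid}/$uid/g"
}

# Diagnose a login session.
#   $1 = KRB5CCNAME as seen in the session (may be empty)
#   $2 = default_ccache_name from krb5.conf [libdefaults]
#   $3 = numeric uid of the user
#   $4 = output of klist in that session
# Prints: ok | krb5ccname-unset | type-mismatch | cache-missing | unknown
diagnose_ccache() {
    env_name=$1; default_tpl=$2; uid=$3; klist_out=$4
    expected=$(expand_ccache_template "$default_tpl" "$uid")
    if [ -z "$env_name" ]; then
        printf 'krb5ccname-unset\n'; return 1   # Rainer's first symptom
    fi
    if [ "$(ccache_type "$env_name")" != "$(ccache_type "$expected")" ]; then
        printf 'type-mismatch\n'; return 1      # e.g. FILE cache with KEYRING default
    fi
    case "$klist_out" in
        *"not found"*)     printf 'cache-missing\n'; return 1 ;;  # second symptom
        *"Ticket cache:"*) printf 'ok\n'; return 0 ;;            # Rowland's result
        *)                 printf 'unknown\n'; return 1 ;;
    esac
}

# Constructed sample reproducing Rainer's report (no KRB5CCNAME, klist error).
diagnose_ccache "" 'KEYRING:persistent:%{uid}' 1000 \
    "klist: Credentials cache keyring 'persistent:1000:1000' not found." || :
```

Run it in a freshly opened login session (not a shell inherited from before the PAM change) with the real KRB5CCNAME, template, uid and klist output to see which of the two symptoms applies.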