rme at bluemail.ch
2025-Oct-28 17:08 UTC
[Samba] KRB5 pam_winbind using KEYRING does not work
Your config looks basically identical to my one.
> I run Debian as standard, so normally the kerberos cache goes into
> /tmp
> and just works, but it should work.
Actually yes, using files it works out of the box. But not when using
KEYRING.
> so I set that up using your
> /etc/security/pam_winbind.conf settings and added
> 'default_ccache_name = KEYRING:persistent:%{uid}' to the
> '[libdefaults]' section of the /etc/krb5.conf file.
Actually as soon as I insert "krb5_ccache_type = KEYRING" into the
Global section of /etc/security/pam_winbind.conf then winbind fails to
create the cache entries in KEYRING. There is also no KRB5CCNAME
variable defined.
> I logged in and ran this: echo "$KRB5CCNAME"
Are you by any chance also having pam_krb5.so enabled in your PAM
configuration? If yes, then it is perhaps not pam_winbind.so setting
KRB5CCNAME but pam_krb5 instead.
Yes I can do this and it works fine using pam_krb5 but purely using
pam_winbind it does not.
It should not be required to run pam_krb5 before invoking pam_winbind in
order to set the KRB5CCNAME and somehow force pam_winbind to use the
KEYRING.
I will do some more tests with and without pam_krb5 enabled. But I was
unable yet to convince pam_winbind to write anything to the keyring.
Even if I manually set KRB5CCNAME=KEYRING:persistent:<UID> it is simply
empty. So pam_winbind does not populate it.
br,
Rainer
On Tue, 28 Oct 2025 18:08:26 +0100 Rainer Meier via samba <samba at lists.samba.org> wrote:
> Your config looks basically identical to my one.
>
> > I run Debian as standard, so normally the kerberos cache goes into
> > /tmp
> > and just works, but it should work.
>
> Actually yes, using files it works out of the box. But not when using
> KEYRING.
>
> > so I set that up using your
> > /etc/security/pam_winbind.conf settings and added
> > 'default_ccache_name = KEYRING:persistent:%{uid}' to the
> > '[libdefaults]' section of the /etc/krb5.conf file.
>
> Actually as soon as I insert "krb5_ccache_type = KEYRING" into the
> Global section of /etc/security/pam_winbind.conf then winbind fails
> to create the cache entries in KEYRING. There is also no KRB5CCNAME
> variable defined.
>
> > I logged in and ran this: echo "$KRB5CCNAME"
>
> Are you by any chance also having pam_krb5.so enabled in your PAM
> configuration? If yes, then it is perhaps not pam_winbind.so setting
> KRB5CCNAME but pam_krb5 instead.

If you are referring to libpam-krb5, then my first thought was, I will
have to check, until I remembered, redhat stopped providing it, so no, I
am not using it.

> Yes I can do this and it works fine using pam_krb5 but purely using
> pam_winbind it does not.
>
> It should not be required to run pam_krb5 before invoking pam_winbind
> in order to set the KRB5CCNAME and somehow force pam_winbind to use
> the KEYRING.

It isn't, I found this out quite a few years ago.

> I will do some more tests with and without pam_krb5 enabled. But I
> was unable yet to convince pam_winbind to write anything to the
> keyring. Even if I manually set KRB5CCNAME=KEYRING:persistent:<UID>
> it is simply empty. So pam_winbind does not populate it.

Looks like I will have to install Arch.

Rowland
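A small diagnostic for the situation both posters describe, added here as an example and not code from either of them or from Samba: it compares the ccache type pam_winbind is configured for (krb5_ccache_type in pam_winbind.conf) with the default_ccache_name in krb5.conf and with the KRB5CCNAME a login session actually received, so a session that ended up with no cache, or a FILE cache, stands out. The two sample config files and the KRB5CCNAME values are constructed.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread: check that the ccache type
# pam_winbind is told to use (krb5_ccache_type in pam_winbind.conf) matches
# the default_ccache_name in krb5.conf and the KRB5CCNAME a login session
# actually received.  Both sample config files below are constructed.

# Print the first "KEY = value" found in an ini-style file (value only).
ini_value() {  # ini_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Map a ccache name to its type: "KEYRING:persistent:1000" -> KEYRING,
# "/tmp/krb5cc_1000" -> FILE (libkrb5 treats a bare path as a FILE cache),
# empty -> UNSET.
ccache_type() {  # ccache_type NAME
    case "$1" in
        "")  echo UNSET ;;
        *:*) echo "${1%%:*}" ;;
        *)   echo FILE ;;
    esac
}

# Print "pam_winbind=T krb5.conf=T KRB5CCNAME=T ok|MISMATCH".
check_ccache_config() {  # check_ccache_config PAM_WINBIND_CONF KRB5_CONF KRB5CCNAME
    pw=$(ini_value "$1" krb5_ccache_type); pw=${pw:-UNSET}
    kd=$(ccache_type "$(ini_value "$2" default_ccache_name)")
    en=$(ccache_type "$3")
    verdict=ok
    [ "$pw" = "$kd" ] && [ "$kd" = "$en" ] || verdict=MISMATCH
    echo "pam_winbind=$pw krb5.conf=$kd KRB5CCNAME=$en $verdict"
}

# Constructed sample configs mirroring the settings quoted in the thread.
tmp=$(mktemp -d)
cat > "$tmp/pam_winbind.conf" <<'EOF'
[global]
krb5_auth = yes
krb5_ccache_type = KEYRING
EOF
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
default_ccache_name = KEYRING:persistent:%{uid}
EOF

# A session that received a keyring cache reports ok; a session where
# KRB5CCNAME was never set (what Rainer observed) reports MISMATCH.
check_ccache_config "$tmp/pam_winbind.conf" "$tmp/krb5.conf" "KEYRING:persistent:1000"
check_ccache_config "$tmp/pam_winbind.conf" "$tmp/krb5.conf" ""
```

Run it from a freshly logged-in session with the real paths and "$KRB5CCNAME" as the third argument; a MISMATCH on the KRB5CCNAME column means the session never got the cache the configuration promises.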