On Tue, 28 Oct 2025 17:51:16 +0000 Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 28 Oct 2025 18:08:26 +0100
> Rainer Meier via samba <samba at lists.samba.org> wrote:
>
> > Your config looks basically identical to my one.
> >
> > > I run Debian as standard, so normally the kerberos cache goes
> > > into /tmp and just works, but it should work.
> >
> > Actually yes, using files it works out of the box. But not when
> > using KEYRING.
> >
> > > so I set that up using your
> > > /etc/security/pam_winbind.conf settings and added
> > > 'default_ccache_name = KEYRING:persistent:%{uid}' to the
> > > '[libdefaults]' section of the /etc/krb5.conf file.
> >
> > Actually as soon as I insert "krb5_ccache_type = KEYRING" into the
> > Global section of /etc/security/pam_winbind.conf then winbind fails
> > to create the cache entries in KEYRING. There is also no KRB5CCNAME
> > variable defined.
> >
> > > I logged in and ran this: echo "$KRB5CCNAME"
> >
> > Are you by any chance also having pam_krb5.so enabled in your PAM
> > configuration? If yes, then it is perhaps not pam_winbind.so
> > setting KRB5CCNAME but pam_krb5 instead.
>
> If you are referring to libpam-krb5, then my first thought was, I
> will have to check, until I remembered, redhat stopped providing it,
> so no, I am not using it.
>
> > Yes I can do this and it works fine using pam_krb5 but purely using
> > pam_winbind it does not.
> >
> > It should not be required to run pam_krb5 before invoking
> > pam_winbind in order to set the KRB5CCNAME and somehow force
> > pam_winbind to use the KEYRING.
>
> It isn't, I found this out quite a few years ago.
>
> > I will do some more tests with and without pam_krb5 enabled. But I
> > was unable yet to convince pam_winbind to write anything to the
> > keyring. Even if I manually set KRB5CCNAME=KEYRING:persistent:<UID>
> > it is simply empty. So pam_winbind does not populate it.
>
> Looks like I will have to install Arch.

And then again, no, not unless Arch comes up with an easy way to install.

So I went to a Debian VM, added 'default_ccache_name KEYRING:persistent:%{uid}' to /etc/krb5.conf and changed this line in /etc/pam.d/common-auth:

auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

To:

auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING cached_login try_first_pass

Logged in and:

echo "$KRB5CCNAME"
KEYRING:persistent:11104

and klist

Ticket cache: KEYRING:persistent:11104:11104
Default principal: rowland at SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
28/10/25 19:16:01    29/10/25 05:16:01    TESTMEM1$@SAMDOM.EXAMPLE.COM
        renew until 04/11/25 19:16:01
28/10/25 19:16:01    29/10/25 05:16:01    krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
        renew until 04/11/25 19:16:01

So it works for myself on two different distros (and without libpam-krb5).

So it looks like it is an Arch problem.

Rowland
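A small consistency check for the two settings Rowland's test relies on (the krb5_ccache_type option on the pam_winbind.so line and default_ccache_name in the [libdefaults] section of krb5.conf), added here as an example and not code from the thread or from Samba. The PAM line and krb5.conf text are constructed copies of what is quoted above; the assumption that an unset default_ccache_name means a FILE cache follows the MIT krb5 upstream default.

```python
import re

# Constructed sample inputs, modelled on the lines quoted in the thread.
PAM_LINE = ("auth [success=1 default=ignore] pam_winbind.so "
            "krb5_auth krb5_ccache_type=KEYRING cached_login try_first_pass")
KRB5_CONF = """[libdefaults]
    default_ccache_name = KEYRING:persistent:%{uid}
"""

def pam_winbind_options(line):
    """Options after pam_winbind.so on one pam.d line as a dict (bare flags -> True)."""
    line = re.sub(r"\[[^\]]*\]", " ", line)  # drop the [success=1 default=ignore] control field
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens) if t.endswith("pam_winbind.so")), None)
    if idx is None:
        return None
    pairs = (t.partition("=") for t in tokens[idx + 1:])
    return {k: (v if sep else True) for k, sep, v in pairs}

def default_ccache_name(text):
    """Value of default_ccache_name in [libdefaults], or None if absent."""
    block = re.search(r"^\[libdefaults\](.*?)(?=^\[|\Z)", text, re.S | re.M)
    m = block and re.search(r"^\s*default_ccache_name\s*=\s*(\S+)", block.group(1), re.M)
    return m.group(1) if m else None

def ccache_type(name):
    """'KEYRING:persistent:%{uid}' -> 'KEYRING'; a bare path means FILE."""
    head, sep, _ = name.partition(":")
    return head.upper() if sep else "FILE"

def check(pam_line, krb5_conf, krb5ccname=None):
    """Findings as a list of strings; an empty list means the settings agree."""
    findings = []
    opts = pam_winbind_options(pam_line) or {}
    if "krb5_auth" not in opts:
        findings.append("krb5_auth missing: pam_winbind will not request a TGT")
    pam_type = opts.get("krb5_ccache_type")
    pam_type = pam_type.upper() if isinstance(pam_type, str) else None
    if pam_type is None:  # it may instead be set in /etc/security/pam_winbind.conf
        findings.append("krb5_ccache_type not set on the PAM line")
    name = default_ccache_name(krb5_conf)
    conf_type = ccache_type(name) if name else "FILE"  # assumption: MIT upstream default is FILE
    if pam_type and pam_type != conf_type:
        findings.append(f"pam_winbind wants {pam_type} but krb5.conf default is {conf_type}")
    if krb5ccname and pam_type and ccache_type(krb5ccname) != pam_type:
        findings.append(f"KRB5CCNAME={krb5ccname} is not a {pam_type} cache")
    return findings
```

The check only reads configuration text; whether pam_winbind actually populated the keyring still has to be confirmed after a login with echo "$KRB5CCNAME" and klist, as in the test above.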
rme at bluemail.ch
2025-Oct-29 07:32 UTC
[Samba] KRB5 pam_winbind using KEYRING does not work
> So it works for myself on two different distros (and without
> libpam-krb5).
> So it looks like it is an Arch problem.

OK, I will have to go through some more testing.

In regards to ARCH installation: I am actually also using EndeavourOS (EOS) on my side. It's very quick to install and provides quite a "pure" ARCH Linux experience. Manjaro might be just as good.

I don't want to waste more of your time. Thanks for tracking it down on other distros. I will do some more testing on ARCH and potential other platforms before coming back here.

Thank you!
Rainer