On Wed, 29 Oct 2025 08:32:44 +0100
Rainer Meier via samba <samba at lists.samba.org> wrote:

> > So it works for myself on two different distros (and without
> > libpam-krb5).
> > So it looks like it is an Arch problem.
>
> OK, I will have to go through some more testing.
> In regards to ARCH installation. I am actually also using EndeavourOS
> (EOS) on my side. It's very quick to install and providing quite
> "pure" ARCH Linux experience. Manjaro might be just as good.
>
> I don't want to waste more of your time. Thanks for tracking it down
> on other distros. I will do some more testing on ARCH and potential
> other platforms before coming back here.
>
> Thank you!
>
> Rainer

I now know what is happening, but not why.

If I log into a Debian computer, I get a Kerberos ticket, the
'KRB5CCNAME' is set in 'env' and klist shows the ticket. None of that
occurs on EndeavourOS (yes I managed to install it), but if you run
'kinit' you get a ticket. I have no idea why it doesn't work like
Debian (presumably RL10 works the same, but I haven't checked).

Rowland

rme at bluemail.ch
2025-Oct-29 21:34 UTC
[Samba] KRB5 pam_winbind using KEYRING does not work

> I now know what is happening, but not why.
>
> If I log into a Debian computer, I get a Kerberos ticket, the
> 'KRB5CCNAME' is set in 'env' and klist shows the ticket. None of that
> occurs on EndeavourOS (yes I managed to install it), but if you run
> 'kinit' you get a ticket. I have no idea why it doesn't work like
> Debian (presumably RL10 works the same, but I haven't checked).

Many thanks for going the (long) extra mile to even install EOS.

I also figured out that KEYRING actually is working but somehow pam_winbind seems not to be able to store the cache in KEYRING on login at all. When using kinit it works and also klist is showing keyring contents. Even after logging off and back on, klist will keep the caches. However, when using kdestroy and logging off and back on, I would assume there are new caches put on the keyring, but it does not happen.

So currently I don't know how to dig deeper and gave up, returning to file caches. I also tried to run older versions of krb5 (well, at least 1.20) to no avail. I am not experienced in PAM debugging and could not identify any further issues yet.

Unless this is some coincidence with newer kernel versions, as EOS/ARCH is on 6.17.5 now unless switched to LTS (6.12.56 currently) kernels. Well, I might give this a try. Though I am not expecting it to work, as KEYRING in general seems OK as proven by kinit successfully populating keyring.

Thanks again for your feedback!

Rainer