search for: krb5_auth

Displaying 20 results from an estimated 122 matches for "krb5_auth".

2016 Apr 21
2
Winbind idmap question
...------------------------------------------------------------------- And finally PAM configuration (only winbind related stuffs): --------------------------------------------------------------------- /etc/pam.d/fingerprint-auth:account [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING /etc/pam.d/fingerprint-auth:session optional pam_winbind.so krb5_auth krb5_ccache_type=KEYRING /etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING /etc/pam.d/fingerprint-auth-ac:s...
2016 Apr 21
0
Winbind idmap question
...------------------------------------------- > > And finally PAM configuration (only winbind related stuffs): > --------------------------------------------------------------------- > /etc/pam.d/fingerprint-auth:account [default=bad success=ok > user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING > /etc/pam.d/fingerprint-auth:session optional pam_winbind.so > krb5_auth krb5_ccache_type=KEYRING > /etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok > user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING > /etc/pa...
2016 Apr 21
2
Winbind idmap question
Hi Jonathan, Thank you for that, that solved the issue. Unfortunately I get another issue: on one DC id <user> gives "no such user". Adding domain (id ad.domain\\<user>) does not help. Adding the whole domain (id ad.domain.tld\\<user>) does not help more. I did check PAM, NSS and Samba configurations, this server is using same configurations as the two working DC.
2010 Jun 09
1
pam_winbind and krb5_auth
Hey list, I'm wondering if there is any advantage to be gained by using kerberos with pam_winbind. I've configured pam_winbind and enabled krb5_auth though apart from being granted a ticket, I'm unsure as to any advantage that would be gained by enabling Kerberos. Thanks, Matt Delves -- --------------------------------------------- Matthew Delves System Administrator Information Systems Networks & Infrastructure University of Ballara...
2019 May 16
1
krb5_auth: NT_STATUS_NO_LOGON_SERVERS for users from trusted AD domains in samba winbind > 4.2
...em (which I will call LOCALDOM in the following) and the domain containing the user accounts (which I will call TRUSTEDDOM in the following). The domain controllers run Windows Server 2012. Beginning with samba 4.4 we have an issue with authentication through pam_winbind on the Linux clients when krb5_auth is enabled in pam_winbind.conf (which worked in samba 4.2). Login to the Linux systems always fails with "No logon servers". The situation can also be reproduced with "wbinfo -K". On samba >= 4.4 (tested on SLES12SP3 and RHEL7): # wbinfo -K TRUSTEDDOM\\myaccount Enter TRUS...
1999 Sep 21
0
FW: Kerberos 5 with Samba, Can you help?
...alot of things, but basically, >all the code that matters is in source/passdb/pass_check.c. > >I've got local patches that make it work with aklog as well, but other >than that I'm pretty much running the same code. > >You might take a look at config.h and make sure that KRB5_AUTH was >defined. That will tell you. You can also try adding some debugging to >pass_check.c, since it currently doesn't say anything about kerberos in >the logs. > ><more below> > >Richard Kandarian wrote: >> >> Nathan, >> >> I'd really lik...
2016 Sep 30
2
Samba Member NT_STATUS_NETWORK_SESSION_EXPIRED
...install the distro packages to fix the winbind part. First install libpam-krb5, then create a file: /usr/share/pam-configs/winbind containing this: Name: Winbind NT/Active Directory authentication Default: yes Priority: 192 Auth-Type: Primary Auth: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass Auth-Initial: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login Account-Type: Primary Account: [success=end new_authtok_reqd=done default=ignore] pam_winbind.so Password-Type: Primary Password: [success=end...
2018 Jul 23
3
Failed to establish your Kerberos Ticket cache due time differences with the domain controller
...Login again, do you still have the time message, if yes.. No change, message still there. Even with the other DC switched off (the one with FSMO roles). > > Check : > /etc/pam.d/common-auth > You should see a line like : > auth [success=1 default=ignore] pam_winbind.so krb5_auth > krb5_ccache_type=FILE cached_login try_first_pass > > Change that one to > auth [success=1 default=ignore] pam_winbind.so krb5_auth try_first_pass > Try again, put it back again after a successful login without messages. > Done, that but still get the warning even with...
2019 Aug 19
3
How does "winbind refresh tickets" work?
...winbind offline logon = yes winbind enum groups = no winbind enum users = no winbind expand groups = 1 winbind nested groups = yes winbind offline logon = yes ------ common-auth ------ auth [success=2 default=ignore] pam_unix.so nullok_secure auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass auth requisite pam_deny.so auth required pam_permit.so ------ pam_winbind.conf ------ [global] krb5_auth = yes krb5_ccache_type = FILE cached_login = yes silent = no ------ some tests ------ # net ads...
2016 Dec 08
4
How to join join Ubuntu desktop to AD
...nbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so Then run 'ldconfig' You will also have to create a file: /usr/share/pam-configs/winbind Name: Winbind NT/Active Directory authentication Default: yes Priority: 192 Auth-Type: Primary Auth: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass Auth-Initial: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login Account-Type: Primary Account: [success=end new_authtok_reqd=done default=ignore] pam_winbind.so Password-Type: Primary Password: [success=end...
2023 Dec 28
1
winbind offline logon
...= Yes > store dos attributes = Yes > vfs objects = acl_xattr > min domain uid = 0 > winbind offline logon = Yes > winbind request timeout = 10 > > /etc/security/pam_winbind.conf > [global] > cached_login = Yes > #krb5_auth = Yes # <= Commented since it's part of > /etc/pam.d/common-auth #krb5_ccache_type = FILE # <= Commented since > it's part of /etc/pam.d/common-auth You do not need /etc/security/pam_winbind.conf if the settings are in /etc/pam.d/common-auth (which they are on Debian...
2015 Oct 12
1
getting error Ignoring parameter browse directory and winbind sequence directory
...upgrading samba i found ftp pam authentication not working > > /etc/pam.d/ftp contains > > #%PAM-1.0 > auth sufficient /lib/security/pam_smbpass.so > auth sufficient /lib/security/pam_winbind.so cached_login > auth required /lib/security/pam_winbind.so krb5_auth > account required /lib/security/pam_nologin.so > account sufficient /lib/security/pam_smbpass.so > account required /lib/security/pam_winbind.so > password sufficient /lib/security/pam_smbpass.so > password required /lib/security/pam_winbind.so > sess...
2023 Dec 28
1
winbind offline logon
...herit = Yes > > store dos attributes = Yes > > vfs objects = acl_xattr > > min domain uid = 0 > > winbind offline logon = Yes > > winbind request timeout = 10 > > > > /etc/security/pam_winbind.conf > > [global] > > cached_login = Yes > > #krb5_auth = Yes # <= Commented since it's part of > > /etc/pam.d/common-auth #krb5_ccache_type = FILE # <= Commented since > > it's part of /etc/pam.d/common-auth > > > You do not need /etc/security/pam_winbind.conf if the settings are in > /etc/pam.d/common-auth (whic...
2018 Jul 23
0
Failed to establish your Kerberos Ticket cache due time differences with the domain controller
...sage, if yes.. > > No change, message still there. Even with the other DC switched off > (the one with FSMO roles). > > > > > Check : > > /etc/pam.d/common-auth > > You should see a line like : > > auth [success=1 default=ignore] pam_winbind.so krb5_auth > > krb5_ccache_type=FILE cached_login try_first_pass > > > > Change that one to > > auth [success=1 default=ignore] pam_winbind.so krb5_auth > > try_first_pass Try again, put it back again after a successful > > login without messages. > > > D...
2015 Jan 09
2
getting NT_STATUS_LOGON_FAILURE
...s > are in sernet-samba-libs, except for the pam config file: > > /usr/share/pam-configs/winbind > > Name: Winbind NT/Active Directory authentication > Default: yes > Priority: 192 > Auth-Type: Primary > Auth: > [success=end default=ignore] pam_winbind.so krb5_auth > krb5_ccache_type=FILE cached_login try_first_pass > Auth-Initial: > [success=end default=ignore] pam_winbind.so krb5_auth > krb5_ccache_type=FILE cached_login > Account-Type: Primary > Account: > [success=end new_authtok_reqd=done default=ignore] pam_winbind.so >...
2023 Dec 28
2
winbind offline logon
...config samdom:backend=ad map acl inherit = Yes store dos attributes = Yes vfs objects = acl_xattr min domain uid = 0 winbind offline logon = Yes winbind request timeout = 10 /etc/security/pam_winbind.conf [global] cached_login = Yes #krb5_auth = Yes # <= Commented since it's part of /etc/pam.d/common-auth #krb5_ccache_type = FILE # <= Commented since it's part of /etc/pam.d/common-auth /etc/pam.d/common-auth # # /etc/pam.d/common-auth - authentication settings common to all services # # This file is inclu...
2020 Sep 30
2
Kerberos ticket lifetime
...e please clarify? Also, it's not clear whether it is even necessary for me to adjust the ticket_lifetime or whether winbind will renew the ticket until the expiry time automatically (and hence the ticket lifetime isn't such a big deal). Note that in the man page for pam_winbind.conf, krb5_auth option says: "When this parameter is used in conjunction with winbind refresh tickets, winbind will keep your Ticket Granting Ticket (TGT) uptodate by refreshing it whenever necessary. Defaults to "no". However, there's no option "winbind refresh tickets" in the m...
2015 Jan 09
2
getting NT_STATUS_LOGON_FAILURE
...e sernet packages, but most of the contents of those two packages are in sernet-samba-libs, except for the pam config file: /usr/share/pam-configs/winbind Name: Winbind NT/Active Directory authentication Default: yes Priority: 192 Auth-Type: Primary Auth: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass Auth-Initial: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login Account-Type: Primary Account: [success=end new_authtok_reqd=done default=ignore] pam_winbind.so Password-Type: Primary Password: [success=end def...
2015 Oct 12
2
getting error Ignoring parameter browse directory and winbind sequence directory
Hi Rowland, Yes, Joined to the domain, ftp uses pam authentication. After upgrading samba On Fri, Oct 9, 2015 at 8:08 PM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote: > On 09/10/15 15:28, VigneshDhanraj G wrote: > >> Hi Rowland, >> >> I updated samba from 40.25 to 4.1.20, now ftp is not working. >> >> > Very cryptic, why isn't ftp
2015 Jan 09
2
getting NT_STATUS_LOGON_FAILURE
...e sernet packages, but most of the contents of those two packages are in sernet-samba-libs, except for the pam config file: /usr/share/pam-configs/winbind Name: Winbind NT/Active Directory authentication Default: yes Priority: 192 Auth-Type: Primary Auth: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass Auth-Initial: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login Account-Type: Primary Account: [success=end new_authtok_reqd=done default=ignore] pam_winbind.so Password-Type: Primary Password: [success=end def...