search for: krb5_ccache_type

...--------------------------------------------------------- And finally PAM configuration (only winbind related stuffs): --------------------------------------------------------------------- /etc/pam.d/fingerprint-auth:account [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING /etc/pam.d/fingerprint-auth:session optional pam_winbind.so krb5_auth krb5_ccache_type=KEYRING /etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING /etc/pam.d/fingerprint-auth-ac:session option...

...--------------------------------- > > And finally PAM configuration (only winbind related stuffs): > --------------------------------------------------------------------- > /etc/pam.d/fingerprint-auth:account [default=bad success=ok > user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING > /etc/pam.d/fingerprint-auth:session optional pam_winbind.so > krb5_auth krb5_ccache_type=KEYRING > /etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok > user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING > /etc/pam.d/fingerprint-a...

Hi Jonathan, Thank you for that, that solved the issue. Unfortunately I get another issue: on one DC id <user> gives "no such user". Adding domain (id ad.domain\\<user>) does not help. Adding the whole domain (id ad.domain.tld\\<user>) does not help more. I did checked PAM, NSS and Samba configurations, this server is using same configurations as the two working DC.

Hi all, I have a problem in libpam-winbind: offline logon doesn't seems to work. The first version of samba in which I have found the problem is 4.1 and the last is 4.7 but I fear that newer version are affected too. Hopefully there is a workaround: you have to remove krb5_ccache_type=FILE from /etc/pam.d/common-auth I have opened a bug report[¹] where you can find more details. Any one have the same problem? Piviul [¹] https://bugzilla.samba.org/show_bug.cgi?id=10455

...The same configuration happen on Debian stretch (at least). I've effectively test offline logon in the past, but with a sub-5 minutes delay from latest connected logon. A note: the manpage for pam_winbind and pam_winbind.conf area bit different; the latter seems more complete and say: krb5_ccache_type = [type] When pam_winbind is configured to try kerberos authentication by enabling the krb5_auth option, it can store the retrieved Ticket Granting Ticket (TGT) in a credential cache. The type of credential cache can be controlled with this option. The supported values are: KE...

...he distro packages to fix the winbind part. First install libpam-krb5, then create a file: /usr/share/pam-configs/winbind containing this: Name: Winbind NT/Active Directory authentication Default: yes Priority: 192 Auth-Type: Primary Auth: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass Auth-Initial: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login Account-Type: Primary Account: [success=end new_authtok_reqd=done default=ignore] pam_winbind.so Password-Type: Primary Password: [success=end default=ignore] p...

...fline logon = yes winbind enum groups = nowinbind enum users = nowinbind expand groups = 1winbind nested groups = yeswinbind offline logon = yes ------ common-auth ------auth? ? [success=2 default=ignore]? ? ? pam_unix.so nullok_secureauth? ? [success=1 default=ignore]? ? ? pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_passauth? ? requisite? ? ? ? ? ? ? ? ? ? ? ?pam_deny.soauth? ? required? ? ? ? ? ? ? ? ? ? ? ? pam_permit.so ------ pam_winbind.conf ------[global] krb5_auth = yes krb5_ccache_type = FILE cached_login = yes silent = no ------ some tests ------# net ads testjoinJoin is O...

...es /etc/pam.d/system-auth: #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth sufficient pam_winbind.so use_first_pass krb5_auth krb5_ccache_type=FILE debug auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so account required pam_unix.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_winbind.so account requ...

...winbind(sshd:auth): getting password (0x00001189) Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): pam_get_item returned a password Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): Verify user 'georg' Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE' Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): enabling krb5 login flag Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): enabling request for a FILE krb5 ccache Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_...

...lib/x86_64-linux-gnu/security/pam_winbind.so Then run 'ldconfig' You will also have to create a file: /usr/share/pam-configs/winbind Name: Winbind NT/Active Directory authentication Default: yes Priority: 192 Auth-Type: Primary Auth: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass Auth-Initial: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login Account-Type: Primary Account: [success=end new_authtok_reqd=done default=ignore] pam_winbind.so Password-Type: Primary Password: [success=end default=ignore] p...

...min domain uid = 0 > winbind offline logon = Yes > winbind request timeout = 10 > > /etc/security/pam_winbind.conf > [global] > cached_login = Yes > #krb5_auth = Yes # <= Commented since it's part of > /etc/pam.d/common-auth #krb5_ccache_type = FILE # <= Commented since > it's part of /etc/pam.d/common-auth You do not need /etc/security/pam_winbind.conf if the settings are in /etc/pam.d/common-auth (which they are on Debian by default). > > /etc/pam.d/common-auth > # > # /etc/pam.d/common-auth - authentication...

...>> My host is joined to AD and I can login to my host fine using my AD >> credentials via SSH.?? The only issue is that I don't get a Kerberos >> ticket generated. >> >> In /etc/security/pam_winbind.conf I have: >> >> krb5_auth = yes >> >> krb5_ccache_type = KEYRING >> >> In /etc/krb5.conf, I also have: >> >> default_ccache_name = KEYRING:persistent:%{uid} >> >> Using wbinfo -K jas, then entering my password,? I see: >> >> plaintext kerberos password authentication for [jas] succeeded >> (request...

...; min domain uid = 0 > > winbind offline logon = Yes > > winbind request timeout = 10 > > > > /etc/security/pam_winbind.conf > > [global] > > cached_login = Yes > > #krb5_auth = Yes # <= Commented since it's part of > > /etc/pam.d/common-auth #krb5_ccache_type = FILE # <= Commented since > > it's part of /etc/pam.d/common-auth > > > You do not need /etc/security/pam_winbind.conf if the settings are in > /etc/pam.d/common-auth (which they are on Debian by default). > > > /etc/pam.d/common-auth > > # > > # /...

...ernet-samba-libs, except for the pam config file: > > /usr/share/pam-configs/winbind > > Name: Winbind NT/Active Directory authentication > Default: yes > Priority: 192 > Auth-Type: Primary > Auth: > [success=end default=ignore] pam_winbind.so krb5_auth > krb5_ccache_type=FILE cached_login try_first_pass > Auth-Initial: > [success=end default=ignore] pam_winbind.so krb5_auth > krb5_ccache_type=FILE cached_login > Account-Type: Primary > Account: > [success=end new_authtok_reqd=done default=ignore] pam_winbind.so > Password-Type: Prim...

...vfs objects = acl_xattr min domain uid = 0 winbind offline logon = Yes winbind request timeout = 10 /etc/security/pam_winbind.conf [global] cached_login = Yes #krb5_auth = Yes # <= Commented since it's part of /etc/pam.d/common-auth #krb5_ccache_type = FILE # <= Commented since it's part of /etc/pam.d/common-auth /etc/pam.d/common-auth # # /etc/pam.d/common-auth - authentication settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modul...

...ackages, but most of the contents of those two packages are in sernet-samba-libs, except for the pam config file: /usr/share/pam-configs/winbind Name: Winbind NT/Active Directory authentication Default: yes Priority: 192 Auth-Type: Primary Auth: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass Auth-Initial: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login Account-Type: Primary Account: [success=end new_authtok_reqd=done default=ignore] pam_winbind.so Password-Type: Primary Password: [success=end default=ignore] pam_...

...er.txt) according to rowlands suggestion: local master = no server string = Samba 4 Client %h Once again I did tests of 1, 2 & 3 but ended up with the same results (I even deleted pam_winbind.conf again as described within 3) What I did NOT do was changing the the value of "krb5_ccache_type=FILE" to "krb5_ccache_type" within /etc/pam.d/common-auth as described as "workaround" within https://lists.samba.org/archive/samba/2019-February/221157.html since from conversation there I understood that this seems not to be correct way to handle the error. *My confi...

I'm experimenting with smb + winbind. My host is joined to AD and I can login to my host fine using my AD credentials via SSH.?? The only issue is that I don't get a Kerberos ticket generated. In /etc/security/pam_winbind.conf I have: krb5_auth = yes krb5_ccache_type = KEYRING In /etc/krb5.conf, I also have: default_ccache_name = KEYRING:persistent:%{uid} Using wbinfo -K jas, then entering my password,? I see: plaintext kerberos password authentication for [jas] succeeded (requesting cctype: FILE) credentials were put in: FILE:/tmp/krb5cc_1004 [It writes...

...ackages, but most of the contents of those two packages are in sernet-samba-libs, except for the pam config file: /usr/share/pam-configs/winbind Name: Winbind NT/Active Directory authentication Default: yes Priority: 192 Auth-Type: Primary Auth: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass Auth-Initial: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login Account-Type: Primary Account: [success=end new_authtok_reqd=done default=ignore] pam_winbind.so Password-Type: Primary Password: [success=end default=ignore] pam_...

...the subject he or she would care to share? > > MJ > OK, create a file called /usr/share/pam-configs/winbind containing this: Name: Winbind NT/Active Directory authentication Default: yes Priority: 192 Auth-Type: Primary Auth: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass Auth-Initial: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login Account-Type: Primary Account: [success=end new_authtok_reqd=done default=ignore] pam_winbind.so Password-Type: Primary Password: [success=end d...