The Samba-Bugzilla – Bug 10132
pam_winbindd should support the KEYRING ccache type
Last modified: 2014-09-07 20:18:06 UTC
A new, kernel-keyring based credential cache is being added to libkrb5 and used by default in RHEL 7.0 and Fedora 20.
We should add support for it in pam_winbind.
Created attachment 9201 [details]
v4-0-test and v4-1-test patch
I do not think we should remove the DIR shortcut, but as you think is best.
For best support of arbitrary ccache types, we should really start looking into using default_ccache_name in [libdefaults] in krb5.conf via the profile library, and stop having to configure pam_winbindd specially; this way admins have a single place on the system where to make changes.
I will look into that and add that. Maybe change the default in Samba 4.2, but we still need to support the other stuff for heimdal and older MIT releases.
Comment on attachment 9201 [details]
v4-0-test and v4-1-test patch
Simo, I think yes, we should add the auto-retrieval via libdefaults parsing as a new feature next.
Karolin, please add to 4.0 and 4.1! Thanks!
Pushed to autobuild-v4-1-test, too late for 4.0.10.
Pushed to v4-1-test.
Pushed to autobuild-v4-0-test.
Pushed to v4-0-test.
Closing out bug report.
This feature appears to be incomplete. Changing the ccache type to KEYRING in /etc/security/pam_winbind.conf in an otherwise working configuration results in:
[2014/09/04 12:07:22.628028, 10, pid=8781, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1113(winbindd_dual_pam_auth_kerberos)
[2014/09/04 12:07:22.628109, 10, pid=8781, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:531(generate_krb5_ccache)
using ccache: KEYRING:persistent:<UID>
[2014/09/04 12:07:22.628210, 10, pid=8781, effective(<UID>, 0), real(<UID>, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:642(winbindd_raw_kerberos_login)
winbindd_raw_kerberos_login: uid is <UID>
[2014/09/04 12:07:22.628468, 3, pid=8781, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:729(winbindd_raw_kerberos_login)
winbindd_raw_kerberos_login: could not destroy krb5 credential cache: Unknown credential cache type
[2014/09/04 12:07:22.628528, 3, pid=8781, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:735(winbindd_raw_kerberos_login)
winbindd_raw_kerberos_login: could not remove ccache for user <DOMAIN>\<username>
[2014/09/04 12:07:22.628573, 10, pid=8781, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1683(winbindd_dual_pam_auth)
winbindd_dual_pam_auth_kerberos failed: NT_STATUS_UNSUCCESSFUL
[2014/09/04 12:07:22.628619, 3, pid=8781, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1712(winbindd_dual_pam_auth)
falling back to samlogon
How tested: sernet-samba-4.1.11 on SL 6.5 with kernel-ml 3.16.1 from elrepo-kernel. Test that configuration works with,
krb5_ccache_type = FILE
Then change configuration to,
krb5_ccache_type = KERNEL
Stop samba daemons, remove *tdb files from /var/lib/samba and /var/cache/samba, restart daemons. Plaintext logon with a domain account results in the above failure pattern.
kinit is able to store KEYRING caches that are readable with klist.
Note that the parameter, default_ccache_name, in the libdefaults section of krb5.conf was not introduced until 1.11, so it is helpful to be able to configure the ccache "type", for now.
Also, it would be useful if smbclient -k, etc. would use the cache location -- FILE or KEYRING -- from /etc/security/pam_winbind.conf.
Please excuse the typo -- "krb5_ccache_type = KEYRING" not "krb5_ccache_type = KERNEL", in the text of my comment 11 below.
The Samba package you're using is built with Heimdal Kerberos and not MIT Kerberos!
Several distributions are using the MIT Kerberos implementation as their Kerberos infrastructure of choice. The Samba builds in these distributions are using the MIT Kerberos implementation in order to allow system-wide interoperability between desktop and server applications running on the same machine.
As you are mixing Kerberos implementations this will not work ...
See also https://blog.cryptomilk.org/2014/07/09/samba-ad-dc-in-fedora-and-rhel/
To make it clear: the KEYRING ccache type is working correctly if Samba is built with MIT Kerberos!
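A quick way to check which Kerberos implementation a Samba binary was linked against before troubleshooting a KEYRING ccache, added here as an example and not part of the bug report or of Samba itself; the ldd excerpts are constructed, and the classification relies on the helper library names that only MIT (libk5crypto, libkrb5support, libgssapi_krb5) or only Heimdal (libhx509, libroken, libasn1, libheimbase, libwind) ship:

```shell
#!/bin/sh
# Added example, not from the bug report or Samba. Classify a Samba binary
# as linked against MIT Kerberos or Heimdal from its `ldd` output, since
# the KEYRING ccache type is provided by MIT libkrb5 only.

# Reads ldd output on stdin; prints MIT, Heimdal or unknown.
krb5_impl_from_ldd() {
    libs=$(cat)
    case "$libs" in
        # Heimdal-only helper libraries (system Heimdal or Samba's bundled
        # copy, which carries a -samba4 suffix on the same base names).
        *libhx509*|*libroken*|*libasn1*|*libheimbase*|*libwind*)
            echo Heimdal ;;
        # MIT-only helper libraries.
        *libk5crypto*|*libkrb5support*|*libgssapi_krb5*)
            echo MIT ;;
        *)
            echo unknown ;;
    esac
}

# Inspect an installed binary, e.g. /usr/sbin/winbindd or /usr/bin/smbclient.
krb5_impl_of_binary() {
    ldd "$1" 2>/dev/null | krb5_impl_from_ldd
}

# Constructed ldd excerpts (paths and load addresses are made up).
SAMPLE_HEIMDAL='    libkrb5-samba4.so.26 => /usr/lib64/samba/libkrb5-samba4.so.26 (0x00007f0000001000)
    libhx509-samba4.so.5 => /usr/lib64/samba/libhx509-samba4.so.5 (0x00007f0000002000)
    libroken-samba4.so.19 => /usr/lib64/samba/libroken-samba4.so.19 (0x00007f0000003000)'
SAMPLE_MIT='    libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f0000001000)
    libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f0000002000)
    libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f0000003000)'

if [ -n "$1" ]; then
    # Usage: sh krb5_impl.sh /usr/sbin/winbindd
    printf '%s: %s\n' "$1" "$(krb5_impl_of_binary "$1")"
else
    printf 'constructed Heimdal sample: %s\n' "$(printf '%s\n' "$SAMPLE_HEIMDAL" | krb5_impl_from_ldd)"
    printf 'constructed MIT sample: %s\n' "$(printf '%s\n' "$SAMPLE_MIT" | krb5_impl_from_ldd)"
fi
```

If the result is Heimdal, a krb5_ccache_type = KEYRING setting in pam_winbind.conf will produce exactly the "Unknown credential cache type" failure shown in the log above, regardless of what the system kinit supports.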
Thanks for the swift response, and apologies for not having made the connection before filing the bug report.