Bug 10132 - pam_winbindd should support the KEYRING ccache type
Summary: pam_winbindd should support the KEYRING ccache type
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.1.0rc2
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-09-10 09:20 UTC by Andreas Schneider
Modified: 2014-09-07 20:18 UTC
CC List: 3 users

See Also:


Attachments
v4-0-test and v4-1-test patch (4.64 KB, patch)
2013-09-10 13:45 UTC, Andreas Schneider
gd: review+
asn: review? (idra)

Description Andreas Schneider 2013-09-10 09:20:28 UTC
A new, kernel-keyring based credential cache is being added to libkrb5 and used by default in RHEL 7.0 and Fedora 20.

We should add support for it in pam_winbind.
Comment 1 Andreas Schneider 2013-09-10 13:45:30 UTC
Created attachment 9201
v4-0-test and v4-1-test patch
Comment 2 Simo Sorce 2013-09-10 14:11:20 UTC
I do not think we should remove the DIR shortcut, but do as you think is best.

For best support of arbitrary ccache types, we should really start looking into using default_ccache_name in [libdefaults] in krb5.conf via the profile library, and stop having to configure pam_winbindd specially. This way admins have a single place on the system where to make changes.
Comment 3 Andreas Schneider 2013-09-11 08:37:21 UTC
I will look into that and add that. Maybe change the default in Samba 4.2, but we still need to support the other stuff for Heimdal and older MIT releases.
Comment 4 Guenther Deschner 2013-10-02 15:48:59 UTC
Comment on attachment 9201
v4-0-test and v4-1-test patch

looks good.
Comment 5 Guenther Deschner 2013-10-02 15:49:39 UTC
Simo, I think yes, we should add the auto-retrieval via libdefaults parsing as a new feature next.
Comment 6 Andreas Schneider 2013-10-02 15:57:09 UTC
Karolin, please add to 4.0 and 4.1! Thanks!
Comment 7 Karolin Seeger 2013-10-07 08:29:17 UTC
Pushed to autobuild-v4-1-test, too late for 4.0.10.
Comment 8 Karolin Seeger 2013-10-08 09:32:32 UTC
Pushed to v4-1-test.
Comment 9 Karolin Seeger 2013-10-08 09:34:55 UTC
Pushed to autobuild-v4-0-test.
Comment 10 Karolin Seeger 2013-10-09 06:58:42 UTC
Pushed to v4-0-test.
Closing out bug report.

Thanks!
Comment 11 Murthy 2014-09-04 17:42:17 UTC
This feature appears to be incomplete.  Changing the ccache type to KEYRING in /etc/security/pam_winbind.conf in an otherwise working configuration results in:

[2014/09/04 12:07:22.628028, 10, pid=8781, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1113(winbindd_dual_pam_auth_kerberos)
  winbindd_dual_pam_auth_kerberos
[2014/09/04 12:07:22.628109, 10, pid=8781, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:531(generate_krb5_ccache)
  using ccache: KEYRING:persistent:<UID>
[2014/09/04 12:07:22.628210, 10, pid=8781, effective(<UID>, 0), real(<UID>, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:642(winbindd_raw_kerberos_login)
  winbindd_raw_kerberos_login: uid is <UID>
[2014/09/04 12:07:22.628468,  3, pid=8781, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:729(winbindd_raw_kerberos_login)
  winbindd_raw_kerberos_login: could not destroy krb5 credential cache: Unknown credential cache type
[2014/09/04 12:07:22.628528,  3, pid=8781, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:735(winbindd_raw_kerberos_login)
  winbindd_raw_kerberos_login: could not remove ccache for user <DOMAIN>\<username>
[2014/09/04 12:07:22.628573, 10, pid=8781, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1683(winbindd_dual_pam_auth)
  winbindd_dual_pam_auth_kerberos failed: NT_STATUS_UNSUCCESSFUL
[2014/09/04 12:07:22.628619,  3, pid=8781, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1712(winbindd_dual_pam_auth)
  falling back to samlogon


How tested: sernet-samba-4.1.11 on SL 6.5 with kernel-ml 3.16.1 from elrepo-kernel. Test that the configuration works with,
krb5_ccache_type = FILE

Then change configuration to,
krb5_ccache_type = KERNEL

Stop samba daemons, remove *tdb files from /var/lib/samba and /var/cache/samba, restart daemons.  Plaintext logon with a domain account results in the above failure pattern.

kinit is able to store KEYRING caches that are readable with klist.

Note that the parameter, default_ccache_name, in the libdefaults section of krb5.conf was not introduced till 1.11, so it is helpful to be able to configure the ccache "type", for now.  

Also, it would be useful if smbclient -k, etc. would use the cache location -- FILE or KEYRING -- from /etc/security/pam_winbind.conf.
Comment 12 Murthy 2014-09-04 17:56:27 UTC
Please excuse the typo -- "krb5_ccache_type = KEYRING" not "krb5_ccache_type = KERNEL", in the text of my comment 11 below.
Comment 13 Andreas Schneider 2014-09-05 07:13:24 UTC
The Samba package you're using is built with Heimdal Kerberos and not MIT Kerberos!

Several distributions are using the MIT Kerberos implementation as their Kerberos infrastructure of choice. The Samba build in these distributions is using the MIT Kerberos implementation in order to allow system-wide interoperability between both desktop and server applications running on the same machine.

As you are mixing Kerberos implementations, this will not work ...

See also https://blog.cryptomilk.org/2014/07/09/samba-ad-dc-in-fedora-and-rhel/
Comment 14 Andreas Schneider 2014-09-05 07:14:15 UTC
To make it clear the KEYRING ccache type is working correctly if Samba is built with MIT Kerberos!
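Added example (shell; not code from Samba or from anyone in this thread): the two checks a practitioner would want after reading comments 11 to 14, namely which Kerberos implementation the installed winbindd is linked against and whether the requested krb5_ccache_type can work with it, together with a minimal version of the ccache-name resolution comment 2 proposes (reading default_ccache_name from [libdefaults] in krb5.conf). Assumptions, labelled in the code as well: the library-name heuristics used to tell MIT from Heimdal, the FILE path /tmp/krb5cc_<uid>, %{uid} as the only parameter expanded, and the precedence order in resolve_ccache. The KEYRING:persistent:<uid> form is taken from the log in comment 11; the sample ldd output and krb5.conf are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not Samba code: the checks behind comments 11-14 (which
# Kerberos implementation the Samba build links against, and whether the
# requested krb5_ccache_type can work with it), plus the ccache-name
# resolution comment 2 proposes (default_ccache_name from krb5.conf).
# Assumptions: the library-name heuristics below, the FILE path
# /tmp/krb5cc_<uid>, %{uid} as the only expanded token, and the
# "krb5.conf wins" precedence chosen in resolve_ccache.

# Classify a build from its ldd output. libk5crypto ships only with MIT;
# libhx509/libasn1/libheimbase ship only with Heimdal (Samba's bundled
# Heimdal installs them as lib*-samba4.so).
krb5_impl_from_ldd() {
  ldd_out="$1"
  if printf '%s\n' "$ldd_out" | grep -q 'libk5crypto'; then
    echo mit
  elif printf '%s\n' "$ldd_out" | grep -Eq 'libhx509|libasn1|libheimbase'; then
    echo heimdal
  else
    echo unknown
  fi
}

# Live-system wrapper: krb5_impl_of /path/to/winbindd  (or pam_winbind.so)
krb5_impl_of() { krb5_impl_from_ldd "$(ldd "$1" 2>/dev/null)"; }

# Can this build use the requested krb5_ccache_type? Only what the thread
# establishes: FILE everywhere, KEYRING with MIT only (comment 14). Anything
# else returns 2 ("not verified here").
ccache_type_supported() {
  case "$1" in
    FILE)    return 0 ;;
    KEYRING) [ "$2" = mit ] ;;
    *)       return 2 ;;
  esac
}

# Expand the ccache name for a uid from a pam_winbind.conf krb5_ccache_type.
# KEYRING:persistent:<uid> is the name logged in comment 11; the FILE path is
# MIT's default (assumption: Samba uses the same). A value that already
# contains ':' is taken verbatim as a full ccache name.
ccache_name_for() {
  case "$1" in
    FILE)    echo "FILE:/tmp/krb5cc_$2" ;;
    KEYRING) echo "KEYRING:persistent:$2" ;;
    *:*)     echo "$1" ;;
    *)       return 1 ;;
  esac
}

# Read default_ccache_name from [libdefaults] of a krb5.conf and expand
# %{uid}. Prints nothing if the key is absent, which is also what you get on
# MIT < 1.11 installs that predate the option (comment 11).
default_ccache_name_from() {
  conf="${1:-/etc/krb5.conf}"
  awk -v uid="$2" '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { insect = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
    insect && /^[ \t]*default_ccache_name[ \t]*=/ {
      v = $0
      sub(/^[ \t]*default_ccache_name[ \t]*=[ \t]*/, "", v)
      sub(/[ \t]*$/, "", v)
      gsub("%[{]uid[}]", uid, v)   # other %{...} tokens are left untouched
      print v; exit
    }' "$conf"
}

# Comment 2's single-place-for-admins idea, in the order this example picks:
# krb5.conf's default_ccache_name wins, then pam_winbind's type, then FILE.
resolve_ccache() {
  uid="$1"; pam_type="$2"; conf="$3"
  name=$(default_ccache_name_from "$conf" "$uid")
  if [ -n "$name" ]; then echo "$name"; return 0; fi
  if [ -n "$pam_type" ] && ccache_name_for "$pam_type" "$uid"; then return 0; fi
  echo "FILE:/tmp/krb5cc_$uid"
}

# Constructed sample inputs (not captured from a real host).
MIT_LDD='libkrb5.so.3 => /lib64/libkrb5.so.3 (0x0)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x0)'
HEIMDAL_LDD='libkrb5-samba4.so.26 => /usr/lib64/samba/libkrb5-samba4.so.26 (0x0)
libhx509-samba4.so.5 => /usr/lib64/samba/libhx509-samba4.so.5 (0x0)'
write_sample_krb5_conf() {
  cat > "$1" <<'EOF'
[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}
EOF
}

# Demo: the comment 11 situation (KEYRING requested on a Heimdal build).
for impl in "$(krb5_impl_from_ldd "$MIT_LDD")" "$(krb5_impl_from_ldd "$HEIMDAL_LDD")"; do
  if ccache_type_supported KEYRING "$impl"; then
    echo "$impl: KEYRING ok -> $(ccache_name_for KEYRING 1000)"
  else
    echo "$impl: KEYRING not usable, expect 'Unknown credential cache type'"
  fi
done
```

On a real host, run krb5_impl_of against the winbindd binary and the pam_winbind.so of the package you installed before switching krb5_ccache_type to KEYRING; a result of heimdal means the log pattern from comment 11 is expected regardless of the kernel or krb5-workstation version, because the ccache type is resolved by the library Samba was built against, not by the system's kinit.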
Comment 15 Murthy 2014-09-05 16:21:18 UTC
Thanks for the swift response, and apologies for not having made the connection before filing the bug report.