Bug 12491 - PAM Winbind kerberos auth requires user access to keytab
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: unspecified
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assigned To: Samba QA Contact
QA Contact: Samba QA Contact
URL: https://lists.samba.org/archive/samba...
Reported: 2017-01-01 21:33 UTC by Evgeny Sinelnikov
Modified: 2017-01-03 14:17 UTC (History)

Attachments
s3-winbind-do-not-delete-an-existing-valid-credential.patch (1019 bytes, patch)
2017-01-01 21:33 UTC, Evgeny Sinelnikov

Description Evgeny Sinelnikov 2017-01-01 21:33:54 UTC
Created attachment 12786: s3-winbind-do-not-delete-an-existing-valid-credential.patch

During login using the pam_winbind module via Kerberos, we get an error for a user without access to the system or dedicated keytab file.

This problem may go unnoticed because, after the first unsuccessful try, the "falling back to samlogon" method is used, and that works. But winbindd_raw_kerberos_login() always returns with a failure.

[2016/12/28 15:17:12.162907,  1, pid=21122, effective(10002, 0),
real(10002, 0)]
../source3/librpc/crypto/gse_krb5.c:449(fill_mem_keytab_from_system_keytab)
  ../source3/librpc/crypto/gse_krb5.c:449: krb5_kt_start_seq_get
failed (Permission denied)
[2016/12/28 15:17:12.162930,  1, pid=21122, effective(10002, 0),
real(10002, 0)]
../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
  ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - 13
[2016/12/28 15:17:12.162949,  1, pid=21122, effective(10002, 0),
real(10002, 0)] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
  Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
[2016/12/28 15:17:12.162965,  1, pid=21122, effective(10002, 0),
real(10002, 0)] ../source3/libads/authdata.c:274(kerberos_return_pac)
  ../source3/libads/authdata.c:274Failed to start server-side GENSEC
krb5 to validate a Kerberos ticket: NT_STATUS_INTERNAL_ERROR

A not unnoticeable side effect of this error is that the credential cache cannot be saved for the KEYRING type. The attached patch resolves this side-effect problem, but does not resolve the root problem.
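As an added example that is not part of the bug report or of Samba, the following Python snippet parses winbindd debug-log entries like the ones quoted above and flags the pattern the report describes: a keytab read attempted with a non-root effective uid that fails with "Permission denied". The sample log is the report's excerpt (header lines joined as they appear in the log file) plus one constructed, unrelated entry; the function and constant names are my own.

```python
import re

# Constructed sample: the three entries from the bug report, plus a
# constructed root-context entry that must NOT be flagged.
SAMPLE_LOG = """\
[2016/12/28 15:17:12.162907,  1, pid=21122, effective(10002, 0), real(10002, 0)] ../source3/librpc/crypto/gse_krb5.c:449(fill_mem_keytab_from_system_keytab)
  ../source3/librpc/crypto/gse_krb5.c:449: krb5_kt_start_seq_get failed (Permission denied)
[2016/12/28 15:17:12.162930,  1, pid=21122, effective(10002, 0), real(10002, 0)] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
  ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - 13
[2016/12/28 15:17:12.162949,  1, pid=21122, effective(10002, 0), real(10002, 0)] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
  Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
[2016/12/28 15:17:13.000000,  1, pid=21122, effective(0, 0), real(0, 0)] example.c:1(constructed_entry)
  constructed: unrelated entry running as root
"""

# Header line of a Samba debug entry: timestamp, level, pid, effective and
# real uid/gid, then the source location of the message.
HEADER_RE = re.compile(
    r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+),\s*pid=(?P<pid>\d+),\s*"
    r"effective\((?P<euid>\d+),\s*(?P<egid>\d+)\),\s*"
    r"real\((?P<ruid>\d+),\s*(?P<rgid>\d+)\)\]\s*(?P<loc>\S+)"
)


def parse_entries(text):
    """Group a debug log into entries: one header dict plus its joined
    message lines (the indented lines that follow the header)."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entry = {k: (int(v) if v.isdigit() else v)
                     for k, v in m.groupdict().items()}
            entry["message"] = []
            entries.append(entry)
        elif entries and line.strip():
            entries[-1]["message"].append(line.strip())
    for e in entries:
        e["message"] = " ".join(e["message"])
    return entries


def find_unprivileged_keytab_failures(text):
    """Return entries where a winbindd child with a non-root effective uid
    could not open the keytab (the root cause described in the report)."""
    return [e for e in parse_entries(text)
            if e["euid"] != 0
            and "krb5_kt_start_seq_get" in e["message"]
            and "Permission denied" in e["message"]]
```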