Created attachment 12786 [details]
s3-winbind-do-not-delete-an-existing-valid-credential.patch

During login using pam_winbind module via kerberos we got a error for user without access to system or dedicated keytab file.

This problem may be unnoticeable because, after first unsuccessful try, using "falling back to samlogon" method, that works. But winbindd_raw_kerberos_login() always return with fail.

[2016/12/28 15:17:12.162907,  1, pid=21122, effective(10002, 0),
real(10002, 0)]
../source3/librpc/crypto/gse_krb5.c:449(fill_mem_keytab_from_system_keytab)
  ../source3/librpc/crypto/gse_krb5.c:449: krb5_kt_start_seq_get
failed (Permission denied)
[2016/12/28 15:17:12.162930,  1, pid=21122, effective(10002, 0),
real(10002, 0)]
../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
  ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - 13
[2016/12/28 15:17:12.162949,  1, pid=21122, effective(10002, 0),
real(10002, 0)] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
  Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
[2016/12/28 15:17:12.162965,  1, pid=21122, effective(10002, 0),
real(10002, 0)] ../source3/libads/authdata.c:274(kerberos_return_pac)
  ../source3/libads/authdata.c:274Failed to start server-side GENSEC
krb5 to validate a Kerberos ticket: NT_STATUS_INTERNAL_ERROR

Not unnoticeable side effect of this error is that credential cache could not be saved for KEYRING type. Applied patch resolve this side effect problem, but not resolve root problem.