Created attachment 12786
s3-winbind-do-not-delete-an-existing-valid-credential.patch

During login using the pam_winbind module via Kerberos we got an error for a user without access to the system or dedicated keytab file. This problem may be unnoticeable because, after the first unsuccessful try, the "falling back to samlogon" method is used, and that works. But winbindd_raw_kerberos_login() always returns with a failure.

[2016/12/28 15:17:12.162907, 1, pid=21122, effective(10002, 0), real(10002, 0)] ../source3/librpc/crypto/gse_krb5.c:449(fill_mem_keytab_from_system_keytab)
  ../source3/librpc/crypto/gse_krb5.c:449: krb5_kt_start_seq_get failed (Permission denied)
[2016/12/28 15:17:12.162930, 1, pid=21122, effective(10002, 0), real(10002, 0)] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
  ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - 13
[2016/12/28 15:17:12.162949, 1, pid=21122, effective(10002, 0), real(10002, 0)] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
  Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
[2016/12/28 15:17:12.162965, 1, pid=21122, effective(10002, 0), real(10002, 0)] ../source3/libads/authdata.c:274(kerberos_return_pac)
  ../source3/libads/authdata.c:274Failed to start server-side GENSEC krb5 to validate a Kerberos ticket: NT_STATUS_INTERNAL_ERROR

A not unnoticeable side effect of this error is that the credential cache could not be saved for the KEYRING type. The applied patch resolves this side-effect problem, but does not resolve the root problem.