When the Kerberos credential cache is set to the KEYRING ...

Set in the file /etc/krb5.conf with the clause:

    [libdefaults]
    default_ccache_name = KEYRING:persistent:%{uid}

And also in the file /etc/security/pam_winbind.conf with the clause:

    [global]
    krb5_auth = yes
    krb5_ccache_type = KEYRING:persistent:UID

Authentication is OK, the user receives a TGT stored in the KEYRING CC, but the command:

    net ads user

asks for the password, and afterwards echoes:

    kerberos_kinit_password SPF-CASTANET@SPF-CASTANET.NET failed: Client not found in Kerberos database
    kerberos_kinit_password SPF-CASTANET@SPF-CASTANET.NET failed: Client not found in Kerberos database
    kerberos_kinit_password SPF-CASTANET@SPF-CASTANET.NET failed: Client not found in Kerberos database

If we use the FILE CC, everything is OK.
There is some upstream discussion about this on Heimdal's GitHub: https://github.com/heimdal/heimdal/issues/166

Someone would need to write the code, submit it upstream and then backport it to our Heimdal.

Or for file-server only builds, use --with-system-mitkrb5

Sorry,
Andrew Bartlett
Ok, great, I use Samba as an AD DC, so I'll continue to use the FILE CC, it's OK. Can I set this bug to resolved?
We are working on an upgrade to our Heimdal snapshot, and it seems upstream Heimdal finally has this working. So there is some hope!
Ok, great!