Bug 15989 - PAM winbind with sssd-kcm using KCM ccache_type does not create kerberos ticket cache, falls back to SAM logon
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.23.5
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
Reported: 2026-01-29 12:28 UTC by David Fillingham
Modified: 2026-01-29 20:35 UTC (History)

See Also:
Attachments
Config and log files (3.93 KB, application/zip)
2026-01-29 12:28 UTC, David Fillingham

Description David Fillingham 2026-01-29 12:28:46 UTC
Created attachment 18812
Config and log files

When using ccache type KCM, with the credential manager provided by sssd-kcm, winbind does not succeed with kerberos auth and falls back to SAM logon.
Setup is with a real Windows Server Active Directory domain.

When the exact config is used except with a FILE ccache type, the kerberos authentication succeeds and the ccache is created.

Checking the logs on the domain controller shows that the authentication actually succeeds and a TGT is created, but this is not reflected on the member server:

```
A Kerberos authentication ticket (TGT) was requested.

Account Information:
	Account Name:		david
	Supplied Realm Name:	AD.FILLINGHAM.AU
	User ID:			FILLINGHAM\david
	MSDS-SupportedEncryptionTypes:	0x27 (DES, RC4, AES-Sk)
	Available Keys:	AES-SHA1, RC4

Service Information:
	Service Name:		krbtgt
	Service ID:		FILLINGHAM\krbtgt
	MSDS-SupportedEncryptionTypes:	0x1F (DES, RC4, AES128-SHA96, AES256-SHA96)
	Available Keys:	AES-SHA1, RC4

Domain Controller Information:
	MSDS-SupportedEncryptionTypes:	0x1F (DES, RC4, AES128-SHA96, AES256-SHA96)
	Available Keys:	AES-SHA1, RC4

Network Information:
	Client Address:		::ffff:192.168.1.198
	Client Port:		38146
	Advertized Etypes:	
		AES256-CTS-HMAC-SHA1-96
		AES128-CTS-HMAC-SHA1-96
		RC4-HMAC-NT

Additional Information:
	Ticket Options:		0x40810000
	Result Code:		0x0
	Ticket Encryption Type:	0x12
	Session Encryption Type:	0x12
	Pre-Authentication Type:	2
	Pre-Authentication EncryptionType:	0x12

Certificate Information:
	Certificate Issuer Name:		
	Certificate Serial Number:	
	Certificate Thumbprint:		

Ticket information
	Response ticket hash:		ofAYf1Gjv4Xh6kvCFhxg3a6ZoNDhHHhZ/HbyhJQolu8=

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
```

Doing a kinit interactively on the machine succeeds and populates the KCM ccache:

```
david@archvm:~$ kinit
Password for david@AD.FILLINGHAM.AU:

david@archvm:~$ klist
Ticket cache: KCM:66639
Default principal: david@AD.FILLINGHAM.AU

Valid starting     Expires            Service principal
29/01/26 22:11:39  30/01/26 08:11:39  krbtgt/AD.FILLINGHAM.AU@AD.FILLINGHAM.AU
        renew until 30/01/26 22:11:36

david@archvm:~$ kdestroy
david@archvm:~$ klist
klist: Credentials cache 'KCM:66639' not found

```

smb.conf, krb5.conf, pam_winbind.conf and wb.log-FILLINGHAM are attached.
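Added example, not part of the bug report or of Samba: a small parser for the DC-side event 4768 text quoted above, decoding the numeric fields (result code, ticket etype, KDC options, msDS-SupportedEncryptionTypes bitmask) so the KDC's view can be checked against what the member server ends up with. Bit meanings are taken from MS-KILE and RFC 4120; the sample event is a constructed, trimmed copy of the report's log.

```python
# Added example (not from the bug report): decode a Windows event 4768 export. Flag values
# follow MS-KILE (msDS-SupportedEncryptionTypes), RFC 4120 (KDC options) and RFC 3962/4757.
SUPPORTED_ETYPE_BITS = {0x01: "DES-CBC-CRC", 0x02: "DES-CBC-MD5", 0x04: "RC4-HMAC",
                        0x08: "AES128-CTS-HMAC-SHA1-96", 0x10: "AES256-CTS-HMAC-SHA1-96",
                        0x20: "AES256-CTS-HMAC-SHA1-96-SK"}
ETYPE_NUMBERS = {0x11: "aes128-cts-hmac-sha1-96", 0x12: "aes256-cts-hmac-sha1-96", 0x17: "rc4-hmac"}
TICKET_OPTION_BITS = {0x40000000: "forwardable", 0x00800000: "renewable", 0x00010000: "canonicalize"}
# Constructed sample: a trimmed copy of the 4768 event from the report (tab-indented fields).
EVENT_4768 = "\n".join([
    "Account Information:",
    "\tAccount Name:\t\tdavid",
    "\tSupplied Realm Name:\tAD.FILLINGHAM.AU",
    "\tMSDS-SupportedEncryptionTypes:\t0x27 (DES, RC4, AES-Sk)",
    "Network Information:",
    "\tClient Address:\t\t::ffff:192.168.1.198",
    "Additional Information:",
    "\tTicket Options:\t\t0x40810000",
    "\tResult Code:\t\t0x0",
    "\tTicket Encryption Type:\t0x12",
])

def parse_event_4768(text):
    """Return {'Section/Key': value} for the tab-indented 'Key: Value' lines of an exported event."""
    fields, section = {}, None
    for raw in text.splitlines():
        if not raw.startswith("\t"):                 # unindented line: section header (blank lines keep section)
            section = raw.strip().rstrip(":") or section
            continue
        key, _, value = raw.strip().partition(":")   # split on the first colon only, so IPv6 values survive
        fields[f"{section}/{key.strip()}"] = value.strip()
    return fields

def decode_flags(hex_value, table):
    """Expand a hex bitmask into names; unknown bits are reported rather than silently dropped."""
    value = int(hex_value.split()[0], 16)            # ignore the DC's textual hint in parentheses
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    return names + ([f"unknown:0x{leftover:x}"] if leftover else [])

def summarize(text):
    f = parse_event_4768(text)
    return {
        "principal": f"{f['Account Information/Account Name']}@{f['Account Information/Supplied Realm Name']}",
        "client": f["Network Information/Client Address"].removeprefix("::ffff:"),
        "success": int(f["Additional Information/Result Code"], 16) == 0,
        "ticket_etype": ETYPE_NUMBERS.get(int(f["Additional Information/Ticket Encryption Type"], 16), "unknown"),
        "ticket_options": decode_flags(f["Additional Information/Ticket Options"], TICKET_OPTION_BITS),
        "client_supported": decode_flags(f["Account Information/MSDS-SupportedEncryptionTypes"], SUPPORTED_ETYPE_BITS),
    }
```

For the report's event this yields a successful AES256 TGT for david@AD.FILLINGHAM.AU from 192.168.1.198, which is the KDC-side fact the member server's KCM cache should reflect but does not.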