When I log in using SSH key auth (or presumably also with gdm autologin or fingerprint), winbind doesn't obtain and refresh my Kerberos tickets for me.
That behaviour is only triggered by a successful password login.
Perhaps pam_winbind should do something other than log 'PAM_ESTABLISH_CRED not implemented' when it's asked to establish credentials?
All it needs to do is trigger the same mechanism that retrospectively obtains the Kerberos ticket after an offline login, I think.
Created attachment 5875: attempt to implement ESTABLISH_CREDS
I got this far before finding that we can't actually obtain a ticket unless we know the *real* password, not just a hash of it (which AFAICT is all we have cached).
Windows can manage, though, when I log in using a fingerprint. Does it really cache the unhashed password, or is there a way to obtain a TGT using only the hash?
Note that the patch is a work in progress. Known issues are that it won't pass the KRB5CCNAME back from winbindd and set it in the PAM client, and it will leak a refcount on the cached credentials it uses. And there's probably more wrong with it than that. (It probably shouldn't do anything at all if KRB5CCNAME was already set because it *was* a password login. Or maybe we should stop the password login code path from calling add_ccache_to_list() on the basis that it'll be done in the establish_cred step now.)
More caffeine required.