When I log in using SSH key auth (or presumably also with gdm autologin or fingerprint), winbind doesn't obtain and refresh my Kerberos tickets for me. That behaviour is only triggered by a successful password login. Perhaps pam_winbind should do something other than log 'PAM_ESTABLISH_CRED not implemented' when it's asked to establish credentials? All it needs to do is trigger the same mechanism that retrospectively obtains the Kerberos ticket after an offline login, I think.
Created attachment 5875: attempt to implement ESTABLISH_CREDS

I got this far before finding that we can't actually obtain a ticket unless we know the *real* password, not just a hash of it (which AFAICT is all we have cached). Windows can manage though, when I log in using a fingerprint. Does it really cache the unhashed password, or is there a way to obtain a TGT using only the hash?
Note that the patch is a work in progress. Known issues are that it won't pass the KRB5CCNAME back from winbindd and set it in the PAM client, and it will leak a refcount on the cached credentials it uses. And there's probably more wrong with it than that. (It probably shouldn't do anything at all if KRB5CCNAME was already set because it *was* a password login. Or maybe we should stop the password login code path from calling add_ccache_to_list() on the basis that it'll be done in the establish_cred step now.) More caffeine required.