Bug remains at least with a Debian Jessie Setup using Samba 4.1.13+dfsg-2 being a domain member authenticating against a Win 2003 R2 Server. In my case Kerberos logins via GDM and at console fail:

    Nov 8 11:54:48 myHost gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=JohnDoe
    Nov 8 11:54:48 myHost gdm-password]: pam_winbind(gdm-password:auth): getting password (0x00000388)
    Nov 8 11:54:48 myHost gdm-password]: pam_winbind(gdm-password:auth): pam_get_item returned a password
    Nov 8 11:54:48 myHost gdm-password]: pam_winbind(gdm-password:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: NT_STATUS_CONNECTION_DISCONNECTED
    Nov 8 11:54:48 myHost gdm-password]: pam_winbind(gdm-password:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'JohnDoe')

Some suggest removing the krb5_auth krb5_ccache_type=FILE args from /etc/pam.d/common.auth, which seems to work at first glance as GDM logins work, but it breaks Single-SignOn functionality with GSSAPI, e.g. using passwordless logins via SSH. Apart from that, calling pam-auth-update again reverts the config change, which is easily overlooked later on.

I didn't have a chance to study the source in depth, but the 'internal module error' stems from the libpam-winbind module accessing the /etc/krb5.keytab file, which is by default only accessible to root:

    -rw------- 1 root root 1.1K Oct 27 20:28 /etc/krb5.keytab

As a temporary workaround use

    chmod g+r /etc/krb5.keytab

allowing the group root to access the file. Sounds silly but worked for me. Can someone confirm that behavior?

--
Bye & HavPhun ėƪ бrόηćό
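
Added example, not part of the original message: a small shell check that reports whether either workaround mentioned above is in effect on a host, so that a loosened keytab mode or a changed pam_winbind line does not go unnoticed after a later pam-auth-update run. The function names are hypothetical and both file paths are passed as arguments; it assumes GNU stat.

```shell
#!/bin/sh
# Added example: report the state of the two workarounds from the post.
# Function names are hypothetical; file paths are supplied by the caller.

# keytab_state FILE
# Prints owner-only, group-readable or world-readable based on the
# read bits in the octal mode reported by GNU stat.
keytab_state() {
    mode=$(stat -c '%a' "$1") || return 2
    other=$((mode % 10))
    group=$(( (mode / 10) % 10 ))
    if [ $((other & 4)) -ne 0 ]; then
        echo world-readable
    elif [ $((group & 4)) -ne 0 ]; then
        echo group-readable
    else
        echo owner-only
    fi
}

# winbind_krb5_state PAMFILE
# Looks for an active (uncommented) auth line that loads pam_winbind.so
# with the krb5_auth argument.
winbind_krb5_state() {
    if grep -E '^[[:space:]]*auth[[:space:]].*pam_winbind\.so.*krb5_auth' "$1" >/dev/null 2>&1; then
        echo krb5_auth-present
    else
        echo krb5_auth-absent
    fi
}

# audit_workarounds PAMFILE KEYTAB
# Returns 0 only when the keytab is owner-only and krb5_auth is still set,
# i.e. neither workaround is currently applied.
audit_workarounds() {
    rc=0
    k=$(keytab_state "$2") || return 2
    p=$(winbind_krb5_state "$1")
    echo "keytab $2: $k"
    echo "pam_winbind in $1: $p"
    [ "$k" = owner-only ] || rc=1
    [ "$p" = krb5_auth-present ] || rc=1
    return $rc
}

if [ "$#" -eq 2 ]; then
    audit_workarounds "$1" "$2"
fi
```

Run it with the PAM auth file and the keytab as its two arguments; a non-zero exit status means one of the two settings differs from the default state described in the message.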

