This is the second attempt at sending this. Apologies for any duplicates.

I've got Winbind up and running to authenticate our users against our AD and to save Kerberos tickets. I have used the "winbind refresh tickets = yes" setting, expecting this to renew these Kerberos tickets before they expire. This does not appear to work. GNOME will pop up a dialog box saying that the credentials have expired. At winbind log level 10 I can't see anything that suggests the refresh is happening.

I'm running a vanilla Samba 3.0.25b on 64-bit Fedora Core 5. This was locally built into an RPM using the Fedora spec file for 2.0.24 (after removing all patches and adding the extra files that 3.0.25b has).

Is there some setting I'm missing or is it something more complex? I'd very much appreciate any help I can get in getting this working.

Many Thanks,

Rick King

Config/Log Files:

smb.conf:

[global]
      domain master = no
      local master = no
      preferred master = no
      winbind cache time = 300
      template shell = /bin/bash
      template homedir = /home/%U
      idmap domains = ALLDOMAINS
      idmap config ALLDOMAINS:backend      = ad
      idmap config ALLDOMAINS:default      = yes
      idmap config ALLDOMAINS:range        = 500 - 300000000
      idmap config ALLDOMAINS:schema_mode  = rfc2307
      idmap alloc backend = tdb
      idmap alloc config:range       = 300000001 - 300005000
      winbind nss info = rfc2307 template
      winbind enum users = yes
      winbind enum groups = yes
      workgroup = XXXXXXX
      realm = XXXXXXX
      security = ads
      password server = *
      winbind refresh tickets = yes
      use kerberos keytab = yes
      client lanman auth = no
      client ntlmv2 auth = yes

/etc/pam.d/system-auth:
#%PAM-1.0

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_winbind.so use_first_pass krb5_auth krb5_ccache_type=FILE debug
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     sufficient    pam_winbind.so krb5_auth krb5_ccache_type=FILE debug
session     required      pam_unix.so

/var/log/secure: [The ticket expired during the night between these log events]

Aug 9 16:39:44 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): [pamh: 0x0061b220] ENTER: pam_sm_authenticate (flags: 0x0000)
Aug 9 16:39:44 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): getting password (0x00000191)
Aug 9 16:39:44 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): pam_get_item returned a password
Aug 9 16:39:44 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): Verify user 'rking'
Aug 9 16:39:44 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): PAM config: krb5_ccache_type 'FILE'
Aug 9 16:39:44 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): enabling krb5 login flag
Aug 9 16:39:44 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): enabling request for a FILE krb5 ccache
Aug 9 16:39:44 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): user 'rking' granted access
Aug 9 16:39:44 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): request returned KRB5CCNAME: FILE:/tmp/krb5cc_10001
Aug 9 16:39:44 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): Returned user was 'rking'
Aug 9 16:39:44 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): [pamh: 0x0061b220] LEAVE: pam_sm_authenticate returning 0
Aug 9 16:39:44 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:account): user 'rking' OK
Aug 9 16:39:44 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:account): user 'rking' granted access
Aug 9 16:39:44 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:setcred): [pamh: 0x0061b220] ENTER: pam_sm_setcred (flags: 0x0008)
Aug 9 16:39:44 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:setcred): PAM_REINITIALIZE_CRED not implemented
Aug 9 16:39:44 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:setcred): [pamh: 0x0061b220] LEAVE: pam_sm_setcred returning 0
Aug 9 19:21:37 pc15 gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=10001 euid=10001 tty=:0.0 ruser= rhost= user=rking
Aug 9 19:21:37 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): [pamh: 0x0061b270] ENTER: pam_sm_authenticate (flags: 0x0000)
Aug 9 19:21:37 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): getting password (0x00000191)
Aug 9 19:21:37 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): pam_get_item returned a password
Aug 9 19:21:37 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): Verify user 'rking'
Aug 9 19:21:37 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): PAM config: krb5_ccache_type 'FILE'
Aug 9 19:21:37 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): enabling krb5 login flag
Aug 9 19:21:37 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): enabling request for a FILE krb5 ccache
Aug 9 19:21:37 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): user 'rking' granted access
Aug 9 19:21:37 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): request returned KRB5CCNAME: FILE:/tmp/krb5cc_10001
Aug 9 19:21:37 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): Returned user was 'rking'
Aug 9 19:21:37 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): [pamh: 0x0061b270] LEAVE: pam_sm_authenticate returning 0
Aug 9 19:21:37 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:account): user 'rking' OK
Aug 9 19:21:37 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:account): user 'rking' granted access
Aug 9 19:21:37 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:setcred): [pamh: 0x0061b270] ENTER: pam_sm_setcred (flags: 0x0008)
Aug 9 19:21:37 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:setcred): PAM_REINITIALIZE_CRED not implemented
Aug 9 19:21:37 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:setcred): [pamh: 0x0061b270] LEAVE: pam_sm_setcred returning 0
Aug 10 04:02:04 pc15 su: pam_winbind(su:session): [pamh: 0x5565c430] ENTER: pam_sm_open_session (flags: 0x0000)
Aug 10 04:02:04 pc15 su: pam_winbind(su:session): [pamh: 0x5565c430] LEAVE: pam_sm_open_session returning 0
Aug 10 08:38:05 pc15 gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=10001 euid=10001 tty=:0.0 ruser= rhost= user=rking
Aug 10 08:38:05 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): [pamh: 0x0061cd00] ENTER: pam_sm_authenticate (flags: 0x0000)
Aug 10 08:38:05 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): getting password (0x00000191)
Aug 10 08:38:05 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): pam_get_item returned a password
Aug 10 08:38:05 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): Verify user 'rking'
Aug 10 08:38:05 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): PAM config: krb5_ccache_type 'FILE'
Aug 10 08:38:05 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): enabling krb5 login flag
Aug 10 08:38:05 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): enabling request for a FILE krb5 ccache
Aug 10 08:38:05 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): user 'rking' granted access
Aug 10 08:38:05 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): request returned KRB5CCNAME: FILE:/tmp/krb5cc_10001

I also have log.winbindd but it is very long and doesn't seem to have anything relevant to kerberos in it. I can provide it if it would help.
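
Added diagnostic example, not part of the original post: a Kerberos ticket can only be renewed while it carries the renewable flag and has a "renew until" time, so this helper reads `klist -f` output for the cache named in the log above and reports whether the TGT qualifies. The function name, the EXAMPLE.COM realm and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). tgt_renewable is a hypothetical
# helper name. It reads MIT `klist -f` output on stdin and reports whether
# the krbtgt entry is renewable.
# Real use:  klist -f -c FILE:/tmp/krb5cc_10001 | tgt_renewable
tgt_renewable() {
    awk '
        # Credential line for the TGT: remember that its detail line follows.
        /krbtgt\//        { in_tgt = 1; next }
        # Any other credential line (starts with a date) ends the TGT entry.
        in_tgt && /^[0-9]/ { in_tgt = 0 }
        # Detail line: "renew until <time>, Flags: <letters>" or "Flags: <letters>".
        in_tgt && /Flags:/ {
            flags = $NF
            if (flags ~ /R/ && match($0, /renew until [^,]+/)) {
                renew_until = substr($0, RSTART + 12, RLENGTH - 12)
                found = 1
            }
            in_tgt = 0
        }
        END {
            if (found) { print "renewable until " renew_until; exit 0 }
            print "not-renewable"
            exit 1
        }
    '
}

# Constructed sample: TGT issued with the renewable (R) flag.
SAMPLE_RENEWABLE='Ticket cache: FILE:/tmp/krb5cc_10001
Default principal: rking@EXAMPLE.COM

Valid starting     Expires            Service principal
08/09/07 16:39:44  08/10/07 02:39:44  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 08/16/07 16:39:44, Flags: FRIA'

# Constructed sample: TGT without the R flag and without a renew-until time.
SAMPLE_FIXED='Ticket cache: FILE:/tmp/krb5cc_10001
Default principal: rking@EXAMPLE.COM

Valid starting     Expires            Service principal
08/09/07 16:39:44  08/10/07 02:39:44  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA'

printf '%s\n' "$SAMPLE_RENEWABLE" | tgt_renewable
printf '%s\n' "$SAMPLE_FIXED" | tgt_renewable || true
```

Comparing the "Valid starting" time of the TGT before and after the expected refresh point shows whether the cache was actually rewritten; the helper only establishes that renewal is possible for the ticket as issued.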