#1 2023-03-26 10:22:00

Geldorn
Member
Registered: 2023-03-26
Posts: 2

Samba: Winbind and Kerberos problems with PAM & WMs

Hi,

I have some problems getting window manager logins (gdm in particular, but the same problems occur with lightdm) to generate Kerberos tickets.

Yet they are generated when authenticating at a terminal or with sudo: klist instantly lists the tickets.

I followed the Active Directory integration guide from the wiki; as everything else works, I suspect it is some sort of PAM problem (PAM config from the guide).


I have now found a sort of band-aid solution with pam_krb5.so in /etc/pam.d/system-local-login:

#%PAM-1.0

auth      include   system-login
auth      optional  pam_krb5.so    minimum_uid=1000 use_first_pass
account   include   system-login
account   optional  pam_krb5.so
password  include   system-login
session   include   system-login
session   optional  pam_krb5.so

But as it works for non-graphical logins without that change, this doesn't seem to be the correct solution.


Does anyone have an idea what might cause gdm to somehow use winbind (as the login works) but skip the ticket-generating part?



For reference, the current system-auth PAM file (same as in the guide):

#%PAM-1.0

auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth      [success=3 default=ignore]  pam_systemd_home.so
auth       [success=2 default=ignore]  pam_winbind.so
auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

-account   [success=2 default=ignore]  pam_systemd_home.so
account    [success=1 default=ignore]  pam_winbind.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

-password  [success=2 default=ignore]  pam_systemd_home.so
password   [success=1 default=ignore]  pam_winbind.so
password   required                    pam_unix.so          try_first_pass nullok shadow sha512
password   optional                    pam_permit.so

-session   optional                    pam_systemd_home.so
session    required                    pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    required                    pam_limits.so
session    required                    pam_winbind.so
session    required                    pam_unix.so
session    optional                    pam_permit.so


#2 2023-04-02 01:07:49

Geldorn

Re: Samba: Winbind and Kerberos problems with PAM & WMs

Update:

It seems the whole issue is some sort of race condition involving the location "/run/user/%u". From debugging with a target location for the krb5cc file inside /tmp (which just works), it seems the folder does not exist when pam_winbind (or whichever module updates the Kerberos tickets) wants to write the ticket.

Does anyone have an idea how to safely rearrange the PAM files to ensure the /run/user directory is created (by pam_systemd?) early enough?

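Worked example (added here; it is not code from the thread, from Samba or from Linux-PAM): a small Python script that flattens a PAM service file by following its include/substack lines and prints the order in which modules run for the auth and session groups of the system-local-login stack discussed in the first post and the /run/user/%u ordering question in the second. The auth and session groups of system-auth are the ones quoted in the first post; the contents of system-login and the plain system-local-login are assumed to be the Arch defaults, since the thread does not quote them, and the account/password groups are left out of the sample. Run against that tree, the script shows that pam_winbind.so is called in the auth group, while pam_systemd.so (which registers the session with systemd-logind, the service that creates /run/user/<uid>) appears only in the session group, and there after pam_winbind's own session entry. PAM completes the whole auth stack before it calls any session module, so anything that has to be written below /run/user/%u during authentication runs before that directory exists, which is consistent with the race described in the second post.

```python
"""Flatten a PAM service (following include/substack) and show the order in
which modules run. Added example, not code from the thread, Samba or
Linux-PAM. The sample /etc/pam.d tree below is constructed: the auth and
session groups of system-auth are the ones quoted in the first post;
system-login and the plain system-local-login are ASSUMED to be the Arch
Linux defaults (not quoted in the thread). account/password groups omitted.
"""
import re

PAM_D = {  # constructed sample, see module docstring
    "system-local-login": """\
#%PAM-1.0
auth      include   system-login
session   include   system-login
""",
    "system-login": """\
#%PAM-1.0
auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth
session    optional   pam_loginuid.so
session    optional   pam_keyinit.so       force revoke
session    include    system-auth
session    optional   pam_motd.so
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
-session   optional   pam_systemd.so
session    required   pam_env.so
""",
    "system-auth": """\
#%PAM-1.0
auth       required                    pam_faillock.so      preauth
-auth      [success=3 default=ignore]  pam_systemd_home.so
auth       [success=2 default=ignore]  pam_winbind.so
auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
-session   optional                    pam_systemd_home.so
session    required                    pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    required                    pam_limits.so
session    required                    pam_winbind.so
session    required                    pam_unix.so
session    optional                    pam_permit.so
""",
}

# One stack line: optional '-' (skip silently if the module is missing),
# group, control (keyword or [bracketed] value), module, optional args.
LINE_RE = re.compile(
    r"^(?P<opt>-?)(?P<group>auth|account|password|session)\s+"
    r"(?P<ctrl>\[[^\]]*\]|\S+)\s+(?P<mod>\S+)(?:\s+(?P<args>.*))?$"
)


def flatten(files, service, group, _depth=0):
    """Return [(control, module, args)] in execution order for one group."""
    if _depth > 8:
        raise RecursionError(f"include loop while resolving {service}")
    stack = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m or m["group"] != group:
            continue
        ctrl, mod, args = m["ctrl"], m["mod"], (m["args"] or "").strip()
        if ctrl in ("include", "substack"):  # 'mod' is a file name here
            stack.extend(flatten(files, mod, group, _depth + 1))
        else:
            stack.append((ctrl, mod, args))
    return stack


def runs_before(stack, first, second):
    """True if module `first` runs before `second`; None if either is absent."""
    names = [mod for _, mod, _ in stack]
    if first not in names or second not in names:
        return None
    return names.index(first) < names.index(second)


if __name__ == "__main__":
    for group in ("auth", "session"):
        mods = [m for _, m, _ in flatten(PAM_D, "system-local-login", group)]
        print(f"{group:8s}" + " -> ".join(mods))
    session = flatten(PAM_D, "system-local-login", "session")
    # PAM runs the whole auth stack before any session module, and in this
    # stack pam_winbind's session hook also precedes pam_systemd's.
    print("pam_winbind.so before pam_systemd.so in session:",
          runs_before(session, "pam_winbind.so", "pam_systemd.so"))
```

To check the real login path rather than the constructed sample, load the actual files from /etc/pam.d into PAM_D (the display manager's own service file and everything it includes) and run the same two calls; the flattened output makes it obvious which modules run in the auth phase, before any session module has had a chance to create the user's runtime directory.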
