[Pkg-samba-maint] Bug#739768: This bug is now fixed in ubuntu

Branko Mikic mikic at vahanus.de
Sat Nov 8 16:06:27 UTC 2014


The bug remains, at least with a Debian Jessie setup using Samba
4.1.13+dfsg-2 as a domain member authenticating against a Win 2003 R2
Server. In my case Kerberos logins via GDM and at the console fail:

Nov  8 11:54:48 myHost gdm-password]: pam_unix(gdm-password:auth):
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=JohnDoe
Nov  8 11:54:48 myHost gdm-password]: pam_winbind(gdm-password:auth):
getting password (0x00000388)
Nov  8 11:54:48 myHost gdm-password]: pam_winbind(gdm-password:auth):
pam_get_item returned a password
Nov  8 11:54:48 myHost gdm-password]: pam_winbind(gdm-password:auth):
request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error:
PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error
message was: NT_STATUS_CONNECTION_DISCONNECTED
Nov  8 11:54:48 myHost gdm-password]: pam_winbind(gdm-password:auth):
internal module error (retval = PAM_SYSTEM_ERR(4), user = 'JohnDoe')

Some suggest removing the krb5_auth krb5_ccache_type=FILE args from
/etc/pam.d/common.auth, which seems to work at first glance as GDM logins
work, but it breaks Single-SignOn functionality with GSSAPI, e.g. using
passwordless logins via SSH. Not to mention that calling
pam-auth-update again reverts the config change, which is easily
overlooked later on.

I didn't have a chance to study the source in depth, but the 'internal
module error' stems from the libpam-winbind module accessing the
/etc/krb5.keytab file, which is by default only accessible to root:

-rw------- 1 root root 1.1K Oct 27 20:28 /etc/krb5.keytab

As a temporary workaround use chmod g+r /etc/krb5.keytab allowing the
group root to access the file. Sounds silly but worked for me. Can
someone confirm that behavior?

-- 
Bye & HavPhun
 ėƪ бrόηćό
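
The workaround in the message above moves the keytab from mode 600 to group-readable. As an added example (not part of the original post, Samba or PAM), this script reports which state a keytab is in and, if it is group-readable, which accounts belong to the owning group. The function names are hypothetical and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: report who can read a Kerberos keytab (GNU stat assumed).
# keytab_mode_class and keytab_report are hypothetical helper names.

# Print one of: missing | strict | group-readable | world-readable
keytab_mode_class() {
    kt="$1"
    if [ ! -e "$kt" ]; then
        echo missing
        return 0
    fi
    mode=$(stat -c '%a' "$kt")      # octal permission digits, e.g. 600 or 640
    other=$(( $mode % 10 ))         # last digit: permissions for everyone else
    group=$(( $mode / 10 % 10 ))    # second-to-last digit: owning group
    if [ $(( other & 4 )) -ne 0 ]; then
        echo world-readable
    elif [ $(( group & 4 )) -ne 0 ]; then
        echo group-readable         # the state after "chmod g+r"
    else
        echo strict                 # e.g. the default -rw------- root root
    fi
}

# Print a short report for one keytab path.
keytab_report() {
    path="$1"
    class=$(keytab_mode_class "$path")
    echo "$path: $class"
    if [ "$class" = missing ]; then
        return 0
    fi
    echo "  owner:group = $(stat -c '%U:%G' "$path"), mode = $(stat -c '%a' "$path")"
    if [ "$class" = group-readable ]; then
        grp=$(stat -c '%G' "$path")
        # Supplementary members of the owning group can read the keys too.
        echo "  members of $grp: $(getent group "$grp" | cut -d: -f4)"
    fi
    return 0
}

# Default to the path named in the message; pass another path as $1.
keytab_report "${1:-/etc/krb5.keytab}"
```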
