PAM Kerberos Authentication

Kerberos Authentication using winbindd

In order to enable kerberos authentication configure Samba to use winbind in nsswitch and for PAM (FIXME: point to other docs).

Enabling Kerberos authentication in pam_winbind

First of all, make sure that you can login using PAM and your windows credentials, e.g. using ssh:

ssh YOURDOM\\youruser@localhost

You cannot continue if login via PAM (pam_winbind) is not working.

Now, pam_winbind needs to set a kerberos flag, you can do so by either

  • adding "krb5_auth = yes" and "krb5_ccache_type = FILE" to /etc/security/pam_winbind.conf. That file should look like this:
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
[global]
# authenticate using kerberos
krb5_auth = yes

# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
krb5_ccache_type = FILE

This will enable kerberos authentication globally for all applications using PAM. If you want to have more fine grained control about services that use pam_winbind's kerberos mode then you can do so by

  • adding the "krb5_auth" and "krb5_ccache_type" option into individual pam-configuration files (usualy below /etc/pam.d/$SERVICE)

Testing Kerberos authentication

Start winbindd, authenticate successfully at least once while winbind is online

/etc/init.d/winbind start

 wbinfo -K YOURDOM\\youruser%password

You should get

plaintext kerberos password authentication for [YOURDOM\youruser%password] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

in the output.

Your system is now prepared to use pam_winbind for kerberos authentication. Please try to login to your localhost, e.g. using ssh

ssh YOURDOM\\youruser@localhost

After successful login "klist" should show your ticket granting ticket.