Not possible to authenticate against AD if krb5_ccache_type = FILE

This document (7006810) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11 Service Pack 1

Situation

In 'pam_winbind.conf' the following options are set:

krb5_auth = yes
krb5_ccache_type = FILE

and in 'smb.conf' kerberos method is set:

kerberos method = system keytab
An attempt to authenticate against Active Directory (AD) is not possible. 
The error message is similar to:

--
0xb7744038] STATE: ITEM(PAM_AUTHTOK) = 0xb7751460
Jul 6 15:29:35 cobu0083 sshd[11420]: pam_winbind(sshd:auth): [pamh:
0xb7744038] STATE: ITEM(PAM_CONV) = 0xb77524d8
Jul 6 15:29:35 cobu0083 sshd[11420]: pam_winbind(sshd:auth): getting password
(0x00001191)
Jul 6 15:29:35 cobu0083 sshd[11420]: pam_winbind(sshd:auth): pam_get_item
returned a password
Jul 6 15:29:35 cobu0083 sshd[11420]: pam_winbind(sshd:auth): Verify user
'doudou'
Jul 6 15:29:35 cobu0083 sshd[11420]: pam_winbind(sshd:auth): CONFIG file:
krb5_ccache_type 'FILE'
Jul 6 15:29:35 cobu0083 sshd[11420]: pam_winbind(sshd:auth): enabling krb5
login flag
Jul 6 15:29:35 cobu0083 sshd[11420]: pam_winbind(sshd:auth): enabling request
for a FILE krb5 ccache
Jul 6 15:29:36 cobu0083 sshd[11420]: pam_winbind(sshd:auth): request
wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS:
NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
Jul 6 15:29:36 cobu0083 sshd[11420]: pam_winbind(sshd:auth): user 'doudou'
denied access (incorrect password or invalid membership)
Jul 6 15:29:36 cobu0083 sshd[11420]: pam_winbind(sshd:auth): [pamh:
--

Resolution

The value set for kerberos method is probably wrong. It is necessary to choose the right value
depending on the ticket verification being used.

The possible settings for kerberos method are:

secrets only - use only the secrets for ticket verification (default)
system keytab - use only the system keytab for ticket verification
dedicated keytab - use a dedicated keytab for ticket verification.
secrets and keytab - use the secrets.tdb first, then the system keytab

In most of the cases the latter does fit.

Additional Information


Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7006810
  • Creation Date: 08-Sep-2010
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center