samba-users May 2010 archive

[Samba] pam_winbind keytab permissions question

From: Anton <anton.list_at_nospam>
Date: Tue May 11 2010 - 06:08:29 GMT
To: samba <>


Should the system keytab need to be world readable to be able to
authenticate via winbind as a remote kerberos user?

I don't seem to remember this being required in Samba 3.3 or earlier
(but I could be wrong about that). And I didn't think it was a
recommended configuration.

Is this likely to be distro specific?

Background info:

I've recently had problems logging into an Active Directory domain
(SBS 2003 with SFU 3.5 schema extensions) on a new Ubuntu 10.04 which
uses winbind 3.4.7.

I successfully joined the domain, and created a keytab using the
following commands:

net ads join -U domainadministrator createupn
net ads testjoin
net ads keytab create -U domainadministrator

I added winbind to nsswitch.conf and ran pam-auth-update to use the
winbind profile to configure /etc/pam.d/common*. pam_winbind had the
krb5_auth and krb5_ccache_type=FILE options set (by pam-auth-update).

With sudo and a dummy local account I could successfully kinit with
both my domain user principal and the system keytab service principals
and the computer's UPN.

I could successfully run wbinfo -u and wbinfo -g as well as getent
passwd and getent group.

The first sign of trouble was that I needed sudo to successfully run
wbinfo -K to authenticate my domain account.

I could not log in with pam_winbind either.

It turned out that my domain user account needed read access to the
system keytab (/etc/krb5.keytab). By default the system keytab was
owned by root:root and had 0600 permissions - which I seem to recall
is the recommended permissions for that file, and I vaguely remember
working in earlier Samba versions.

Once the keytab was world readable, domain accounts could successfully log in.

/etc/samba/smb.conf (if relevant)

   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   preferred master = no
   security = ADS

   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind nested groups = Yes
   winbind nss info = sfu
   winbind offline logon = true
   winbind refresh tickets = true

   idmap backend = tdb
   idmap uid = 50000 - 50999
   idmap gid = 50000 - 50999
   idmap config EXAMPLE:backend = ad
   idmap config EXAMPLE:readonly = yes
   idmap config EXAMPLE:default = yes
   idmap config EXAMPLE:schema_mode = sfu
   idmap config EXAMPLE:range = 10000 - 19999

   template shell = /bin/bash
   template homedir = /home/%U
   kerberos method = system keytab

Thanks for any insight :)

-- Cheers
Anton
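An added example, not code from Anton's post or from the Samba project: a small POSIX shell audit of a keytab's ownership and mode, so that "does the keytab need to be world readable?" can be answered from the permission bits rather than by trial and error. It goes slightly beyond the post by also recognising a group-readable keytab (0640) as a middle ground between 0600 and 0644; whether that mode is enough for pam_winbind on a given Samba version is not something the post establishes. It assumes GNU coreutils stat(1) as shipped on Ubuntu, and the demonstration at the bottom uses a constructed temporary file in place of /etc/krb5.keytab so it can run anywhere; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit the mode and ownership of
# a Kerberos keytab before deciding whether to loosen it.
# Assumes GNU coreutils stat(1); the path is a parameter, so it can be run
# against /etc/krb5.keytab on a real host or a throwaway file for a demo.

# Print "mode owner:group" for a file, e.g. "600 root:root".
keytab_perms() {
    stat -c '%a %U:%G' "$1"
}

# Return 0 (true) if the "other" permission bits include read (o+r),
# i.e. any local or domain account can read the keytab.
keytab_world_readable() {
    mode=$(stat -c '%a' "$1")        # e.g. 600, 640, 644 (no leading zero)
    other=$(( mode % 10 ))           # last octal digit is the "other" triplet
    [ $(( other & 4 )) -ne 0 ]
}

# Return 0 if the group permission bits include read (g+r), i.e. access
# could be granted to one group without opening the keytab to everyone.
keytab_group_readable() {
    mode=$(stat -c '%a' "$1")
    group=$(( (mode / 10) % 10 ))    # middle octal digit is the group triplet
    [ $(( group & 4 )) -ne 0 ]
}

# Classify a keytab as "strict" (no g+r or o+r, the 0600 root:root default
# described in the post), "group" (g+r only) or "world" (o+r).
keytab_audit() {
    if keytab_world_readable "$1"; then
        echo world
    elif keytab_group_readable "$1"; then
        echo group
    else
        echo strict
    fi
}

# List the principals in the keytab when the MIT/Heimdal klist tool is
# present (klist -k is what the post's kinit tests rely on); return 1 if not.
keytab_principals() {
    command -v klist >/dev/null 2>&1 || return 1
    klist -k "$1"
}

# Constructed demonstration: a temporary file standing in for /etc/krb5.keytab,
# first with the default 0600 mode, then with the world-readable 0644 the post
# ended up with.
demo_keytab=$(mktemp)
chmod 600 "$demo_keytab"
echo "$(keytab_perms "$demo_keytab") -> $(keytab_audit "$demo_keytab")"
chmod 644 "$demo_keytab"
echo "$(keytab_perms "$demo_keytab") -> $(keytab_audit "$demo_keytab")"
rm -f "$demo_keytab"
```

Run as `sh keytab_audit.sh` for the demo, or source it and call `keytab_audit /etc/krb5.keytab` (and `keytab_principals /etc/krb5.keytab` as root) on the joined host; a result of `world` is the condition the post describes, and the thing to reconsider before leaving it that way.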