I used 'realm join --client-software=winbind' to join an Active Directory domain, apparently successfully. My user does appear to exist. I set 'winbind use default domain=yes' in smb.conf. I cannot log in; my password is not accepted. winbindd says:

Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_TRUST_SAM_ACCOUNT, attempts: 3)
This is again a problem for this particular call, forcing the close of this connection
This is the third problem for this particular call, adding DC to the negative cache list
...
winbindd_dual_pam_auth_samlogon failed: NT_STATUS_NO_TRUST_SAM_ACCOUNT
Plain-text authentication for user GER\dwoodhou returned NT_STATUS_NO_TRUST_SAM_ACCOUNT (PAM: 4)
I leave the domain and rejoin it, and now it works. However, I don't get a Kerberos TGT when I log in:

[root@dwoodhou-mobl3 ~]# ssh dwoodhou@localhost
dwoodhou@localhost's password:
Last login: Fri Jun 28 00:45:11 2013 from localhost
[dwoodhou@dwoodhou-mobl3 ~]$ klist
klist: No credentials cache found (ticket cache DIR::/run/user/10000/krb5cc/tkt)
[dwoodhou@dwoodhou-mobl3 ~]$
You need to correctly configure pam_winbind to get kerberos tickets!
This might be a realmd issue, not a samba issue. I will reopen the bug and re-assign it to realmd to triage.
It might be a realmd issue. It didn't add the krb5_auth option to the pam configuration. But even when I did that manually, and also krb5_ccache_type=FILE, it still didn't actually get me a TGT.
Since this is now assigned to realmd: there *is* a realmd issue too. Running 'kinit dwoodhou' was sufficient to make 'realm join' work without a password when I was using SSSD. But with --client-software=winbind it didn't work; I was still asked for a password and had to provide the '-U dwoodhou' argument.
The failure to obtain a TGT after I edited the PAM config manually may have been user error. Trying again, it does seem to work now. However, there are still issues on the winbind side. Firstly, it seems to put the credentials cache in the old location of /tmp/krb5cc_%{uid}. I have to set default_ccache_name in /etc/krb5.conf to match that, or I don't see my credentials when I run 'su dwoodhou' (or, presumably, run things from cron). Secondly, there is some strangeness with refreshing credentials when I re-authenticate. I logged in to GDM last night and left it, and when I came back in the morning I saw (before unlocking the screen) that it had successfully renewed the TGT. However, when I unlocked the screen, my credentials cache *disappeared*. And was not restored. Trying to reproduce that one now with winbindd at log level 10...
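For reference, the two configuration pieces discussed in this comment and in comment 5, written out as an added example (not taken from the reporter's system or from the realmd project). The reporter edited the PAM stack directly; this example instead puts the equivalent pam_winbind options in /etc/security/pam_winbind.conf, which pam_winbind reads in addition to the options on the PAM line, and points krb5.conf at the FILE cache location winbind actually uses. The uid 10000 and hostname are assumptions for the klist check.

```ini
; /etc/security/pam_winbind.conf
; Equivalent to "krb5_auth krb5_ccache_type=FILE" on the pam_winbind.so line.
[global]
; Authenticate via Kerberos and obtain a TGT at login instead of NTLM only.
krb5_auth = yes
; winbind creates the cache as /tmp/krb5cc_<uid>, so tell it to use a FILE cache;
; the caller's ccache must be readable only by that uid (winbind sets mode 0600).
krb5_ccache_type = FILE
; Optional: allow offline logons from cached credentials.
cached_login = yes

; /etc/krb5.conf
[libdefaults]
; Fedora's default is DIR::/run/user/%{uid}/krb5cc/tkt (see the klist output above),
; which is why the ticket winbind stored in /tmp was invisible to klist and su.
; Point libkrb5 at the location winbind writes so the same cache is found by
; interactive shells and by jobs started from cron.
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
```

With both files in place, logging in as the domain user and running `klist` should list the TGT from `FILE:/tmp/krb5cc_10000` (assumed uid) rather than reporting no credentials cache. Until the cache-deletion problem described above is resolved, a lock/unlock cycle is still worth re-checking with `klist` afterwards.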
The original issue went away on rejoining the domain, and I have not been able to reproduce it. Everything else mentioned here is also filed elsewhere, I think:

- winbind using /tmp/krb5cc_%{uid} wants a separate bug if the answer to https://bugzilla.redhat.com/show_bug.cgi?id=796429#c2 is 'no'.
- creds cache being deleted is bug 981033
- 'realm join' not working with Kerberos auth is being handled in bug 976593
- realmd's failure to configure pam_winbind properly is bug 983153