Hi,
Upgraded to latest:
samba-ad-dc/noble,noble,now 2:4.19.5+dfsg-4ubuntu9
Now I am not able to password-authenticate a sudo group member if it is also a domain user while nsswitch.conf is configured with winbind.
In auth.log I get:
pam_krb5(sudo:auth): authentication failure; logname=DOMAIN\user uid=xxxxxx euid=0 tty=/dev/pts/2 ruser=DOMAIN\user rhost=
pam_unix(sudo:auth): conversation failed
pam_unix(sudo:auth): auth could not identify password for [DOMAIN\user]
In log.DOMAINwb:
auth/gensec/gensec_start.c:844(gensec_start_mech)
Starting GENSEC mechanism gse_krb5
source3/librpc/crypto/gse_krb5.c:425(fill_mem_keytab_from_system_keytab)
source3/librpc/crypto/gse_krb5.c:425: krb5_kt_start_seq_get failed (Permission denied)
No file read access for winbindd for system keytab/etc/krb5.keytab
There is no winbind or samba user, and I have presumed that samba-ad-dc is run by root, which has rw access to that file. One could add group access to the keytab if one knew who is running the winbindd subprocess that reads the keytab into the cache.
This only happens in AD-DC system. All other servers happily do password auth for sudo.
Atol
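Added diagnostic for the situation described above; this is not part of the original post or of Samba. It finds every running winbindd process, reads its uid/gid from ps, and reports whether the file mode bits on the keytab would let that process read it, which answers the "who is running the winbindd subprocess" question before any group access is granted. Assumptions: the keytab path defaults to /etc/krb5.keytab (override with the KEYTAB environment variable), the process name is winbindd, and GNU stat plus procps ps are available. Only the owner/group/other read bits are checked; supplementary groups and a MAC policy such as AppArmor (which can also return "Permission denied") are not modelled.

```sh
#!/bin/sh
# check_keytab_access.sh - added example, not Samba's own code.
# Usage: KEYTAB=/etc/krb5.keytab sh check_keytab_access.sh --run

# keytab_perm_ok KEYTAB UID GID
# Return 0 if a process running as numeric UID/GID can read KEYTAB according
# to its mode bits, 1 otherwise.  Pure function (only stat), so it can be
# exercised on a scratch file.  uid 0 bypasses DAC and always passes.
keytab_perm_ok() {
    kt=$1; puid=$2; pgid=$3
    if [ ! -f "$kt" ]; then
        return 1
    fi
    fuid=$(stat -c '%u' "$kt")   # owning uid
    fgid=$(stat -c '%g' "$kt")   # owning gid
    perm=$(stat -c '%A' "$kt")   # symbolic mode, e.g. -rw-r-----
    if [ "$puid" -eq 0 ]; then
        return 0
    fi
    if [ "$puid" -eq "$fuid" ]; then
        bit=$(printf '%s' "$perm" | cut -c2)   # owner read bit
    elif [ "$pgid" -eq "$fgid" ]; then
        bit=$(printf '%s' "$perm" | cut -c5)   # group read bit
    else
        bit=$(printf '%s' "$perm" | cut -c8)   # other read bit
    fi
    [ "$bit" = r ]
}

# Print one line per winbindd process saying whether it can read the keytab.
report_winbindd_keytab_access() {
    kt=${KEYTAB:-/etc/krb5.keytab}
    if [ -f "$kt" ]; then
        echo "keytab $kt: $(stat -c '%U:%G %A' "$kt")"
    else
        echo "keytab $kt: missing"
    fi
    # ps -C selects by command name; fields are pid, real uid, real gid
    ps -C winbindd -o pid=,uid=,gid= 2>/dev/null | while read -r pid uid gid; do
        if keytab_perm_ok "$kt" "$uid" "$gid"; then
            echo "winbindd pid $pid (uid $uid gid $gid): can read keytab"
        else
            echo "winbindd pid $pid (uid $uid gid $gid): CANNOT read keytab"
        fi
    done
}

case "${1:-}" in
    --run) report_winbindd_keytab_access ;;
esac
```

Run it on the AD DC while winbindd is up; a "CANNOT read keytab" line names the uid/gid that would need read access (typically via a dedicated group on the keytab rather than world-readable mode, since the keytab holds the host's long-term Kerberos keys).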