challenge/response (WINBINDD_PAM_AUTH_CRAP) from pam_winbind?

Andrew Bartlett abartlet at
Thu Sep 25 22:41:23 GMT 2003

On Fri, 2003-09-26 at 02:36, Steve Smtih wrote:
> How come WINBINDD_PAM_AUTH_CRAP exists, but
> pam_winbind can not be configured to use it?

No need - pam_winbind has the plaintext password already.  What this is
about is things like Squid using ntlm_auth to do NTLMSSP authentication
for their clients.

> Also is it on the roadmap to allow Kerberos
> authentication instead of plaintext or chal/resp from pam_winbind?

Kerberos is a separate matter, but you should be able to simply aim
pam_krb5 (if you want to get local kerberos tickets/ccache) at the PDC,
and export our kerberos credentials to a keytab.  (I think this is now
in 'net keytab' or an smb.conf option now, or should be soon...)

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list