Stacking pam_kerberos and pam_winbind modules
abartlet at samba.org
Thu Sep 25 23:03:12 GMT 2003
On Fri, 2003-09-26 at 02:43, Steve Smtih wrote:
> pam_winbind expects "DOAMIN\name" for authentication,
> but pam_kerberos expects just "name". Is there a trick
> to stack them such that the pam_winbind modules are
> used for account information, but the kerberos modules
> do the authentication (with the result being that the
> user has a tgt after login).
Given that the mapping from 'short' to 'long' domain names is pretty
much a windows thing (DOMAIN\name is name at FULL.DOMAIN.REALM), and the
fact that people will expect NT4 trusted domains to still work, I think
that one option is to extend pam_winbind to handle this.
But that's all about writing new code - for existing options, for a
single domain, you might want to look at setting 'winbind use default
domain = yes' in your smb.conf.
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20030925/47f4133e/attachment.bin
More information about the samba-technical