Samba to maintain Kerberos library configuration

Simo Sorce idra at samba.org
Fri Aug 21 08:10:54 MDT 2009


On Fri, 2009-08-21 at 15:48 +0200, Ondrej Valousek wrote:
> > pam_winbind should still work in case Kerberos doesn't. And
> > there's a surprising number of ways to break Kerberos.
> >
> >   
> Well, true, BUT - winbind eventually uses Kerberos anyway to authenticate
> the user with AD, right? So samba should be able to configure the 
> Kerberos library (possibly at the "net ads join" stage).
> Moreover, if you want to use common things like single sign on via ssh, 
> pam_winbind won't help you a single bit - with a working Kerberos 
> library and valid TGT ticket (provided by pam_krb5) this is no problem 
> at all.....

pam_winbind is certainly superior.
Not only can it use Kerberos to authenticate (and set your credential
caches), but it can fall back to NTLM or even to offline mode (if
configured to do so).

Simo.



More information about the samba-technical mailing list