[Samba] pam_winbind verses pam_krb5
abartlet at samba.org
Sat Sep 6 11:09:12 GMT 2003
On Fri, 2003-09-05 at 19:49, C.Lee Taylor wrote:
> Greetings ...
> Have a question, was is the advantages of use pam_winbind verses
> pam_krb5 for Samba user authentaction?
> I mean, if I point my Linux box Kerberos to a Win2003 AD server, I
> am able to authenticate my users out of AD, but at the moment still
> having problems with winbind and nsswitch.
> Is there an advantage to using pam_winbind instead of pam_krb5?
The main one is that pam_winbind should be harder to spoof the server
for. Particularly with Samba 3.0, and 'client schannel = yes' set.
But with the work being done to export a 'normal' kerberos keytab, this
should again become a matter of 'how do you want to run your system'.
(Because then you can tell pam_krb5 to check the tickets validity for
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20030906/65b5e1ba/attachment.bin
More information about the samba