[Samba] pam_winbind verses pam_krb5

Andrew Bartlett abartlet at samba.org
Sat Sep 6 11:09:12 GMT 2003

On Fri, 2003-09-05 at 19:49, C.Lee Taylor wrote:
> Greetings ...
>     Have a question, was is the advantages of use pam_winbind verses 
> pam_krb5 for Samba user authentaction?
>     I mean, if I point my Linux box Kerberos to a Win2003 AD server, I 
> am able to authenticate my users out of AD, but at the moment still 
> having problems with winbind and nsswitch.
>     Is there an advantage to using pam_winbind instead of pam_krb5?

The main one is that pam_winbind should be harder to spoof the server
for.  Particularly with Samba 3.0, and 'client schannel = yes' set.

But with the work being done to export a 'normal' kerberos keytab, this
should again become a matter of 'how do you want to run your system'. 
(Because then you can tell pam_krb5 to check the tickets validity for

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20030906/65b5e1ba/attachment.bin

More information about the samba mailing list