[Samba] Re: Stacking pam_kerberos and pam_winbind modules

Andrew Bartlett abartlet at samba.org
Thu Sep 25 23:03:13 GMT 2003


On Fri, 2003-09-26 at 02:43, Steve Smtih wrote:
> pam_winbind expects "DOAMIN\name" for authentication,
> but pam_kerberos expects just "name". Is there a trick
> to stack them such that the pam_winbind modules are
> used for account information, but the kerberos modules
> do the authentication (with the result being that the
> user has a tgt after login).

Given that the mapping from 'short' to 'long' domain names is pretty
much a windows thing (DOMAIN\name is name at FULL.DOMAIN.REALM), and the
fact that people will expect NT4 trusted domains to still work, I think
that one option is to extend pam_winbind to handle this.

But that's all about writing new code - for existing options, for a
single domain, you might want to look at setting 'winbind use default
domain = yes' in your smb.conf.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20030925/47f4133e/attachment.bin


More information about the samba mailing list