[Samba] Kerberos auth without NTLM

Andrew Bartlett abartlet at samba.org
Mon Mar 22 22:33:26 GMT 2004

On Mon, 2004-03-22 at 23:46, ww m-pubsyssamba wrote:
> Can anyone tell me if I can configure Samba 3.x to rely only on Kerberos authentication (in an AD domain)?
> Ideally I'd like to use local UNIX accounts, not winbind, and negate the need for me to add an entry to passdb, then the
> account must exist in AD and locally on each Samba member server for authentication to work.
> If there is any info held in passdb, other than the NTLM coded password, which must exist for Samba to work then I'd 
> like to either enter an unusable password or disable NTLM authentication completely. Reason for my second request 
> is if I am forced to have users in passdb I don't want to have to worry about the data being world readable from a 
> security perspective.

I meant to talk to you earlier about this.  It is quite OK to have a
system that does not use winbind, and you can still use all the
authentication mechanisms.  

You can set 'security=domain' and even 'security=ads' without winbind. 

You can also run winbindd (which helps security=domain's performance)
without winbind in nsswitch.

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20040323/2ce48e54/attachment.bin

More information about the samba mailing list