[Samba] kerberos and/or winbind ??
Christian Merrill
cmerrill at redhat.com
Wed Oct 13 13:20:34 GMT 2004
Mark Le Noury wrote:
>Hi,
>
>I'm getting confused about the role that kerberos authentication plays.
>What exactly is the point of using kerberos to join a samba server to an
>AD domain?
>If using kerberos still requires you to rely on winbindd for all the
>nsswitch stuff then what is the point?
>
>I can just as easily specify
> workgroup = wkgrp
> security = domain
>
>and do a
> net join
>
>
>Instead of doing
> realm = wkgrp.krb.realm
> workgroup = wkgrp
> security = ADS
>
>and doing
> net ads join
>
>
>Are there performance benefits/better security...what??
> I think that maybe my understanding of the kerberos setup is a bit
>flawed.
>
>thanks for any replies,
>
>Mark Le Noury
>
>
>
>
Here is an oversimplified explanation. Configuring kerberos with samba
will not give you any additional features. It is definitely more secure
-- the linux system will authenticate via kerberos with your AD DC.
Aside from the security bonus the only other reason you would want to
consider doing this is if your Active Directory is running in Native
Mode. If this is the case, you *have* to use kerberos if you wish to
become a full domain member. Otherwise, if you are running in Mixed
Mode (the default mode on 2000/2003) and the added benefits of kerberos
security are not a requirement, then by all means run in domain mode as
an old style NT system and enjoy being free from the headaches of
kerberos compatibility issues.
Christian