[Samba] kerberos and/or winbind ??

Christian Merrill cmerrill at redhat.com
Wed Oct 13 13:20:34 GMT 2004

Mark Le Noury wrote:

>I'm getting confused about the role that kerberos authentication plays.
>What exactly is the point of using kerberos to join a samba server to an
>AD domain?
>If using kerberos still requires you to rely on winbindd for all the
>nsswitch stuff then what is the point?
>I can just as easily specify
>                                workgroup = wkgrp
>                                security = domain
>and do a     
>                                net join
>Instead of doing
>                        realm = wkgrp.krb.realm
>                        workgoup = wkgrp
>                        security = ADS
>and doing
>                        net ads join 
>Are there performance benefits/better security...what??
> I think that maybe my understanding of the kerberos setup is a bit
>thanks for any replies,
>Mark Le Noury
Here is an over simplified explanation.  Configuring kerberos with samba 
will not give you any additional features.  It is definately more secure 
-- the linux system will authenticate via kerberos with your AD DC.  
Aside from the security bonus the only other reason you would want to 
consider doing this is if your Active Directory is running in Native 
Mode.  If this is the case, you *have* to use kerberos if you wish to 
become a full domain member.  Otherwise, if you are running in Mixed 
Mode (the default mode on 2000/2003) and the added benefits of kerberos 
security are not a requirement, then by all means run in domain mode as 
an old style NT system and enjoy being free from the headaches of 
kerberos compatibility issues.


More information about the samba mailing list