[Samba] kerberos and/or winbind ??

Melfi.Marcello at hydro.qc.ca
Wed Oct 13 15:35:18 GMT 2004


Hi Christian,

Can you explain what winbindd has to do with Kerberos and the ADS security
mode? I was using the DOMAIN security mode without it and now I am trying to
make it work with ADS (our Win2K3 server will be in Native mode for ...
security reasons!). Do I really need winbindd even if I only need to have a
Samba share available to some Windows XP/2000 machines via the same Windows
logon, with no need to log on to the Unix box running the Samba share?

Regards,

Marcello

-----Original Message-----
From: Christian Merrill [mailto:cmerrill at redhat.com] 
Sent: Wednesday, 13 October 2004 09:21
To: Mark Le Noury
Cc: samba at lists.samba.org
Subject: Re: [Samba] kerberos and/or winbind ??


Mark Le Noury wrote:

>Hi,
>
>I'm getting confused about the role that Kerberos authentication plays.
>What exactly is the point of using Kerberos to join a Samba server to
>an AD domain? If using Kerberos still requires you to rely on winbindd
>for all the nsswitch stuff then what is the point?
>
>I can just as easily specify
>                                workgroup = wkgrp
>                                security = domain
>
>and do a
>                                net join
>
>instead of doing
>                        realm = wkgrp.krb.realm
>                        workgroup = wkgrp
>                        security = ADS
>
>and doing
>                        net ads join
>
>Are there performance benefits/better security...what??
>I think that maybe my understanding of the Kerberos setup is a bit
>flawed.
>
>thanks for any replies,
>
>Mark Le Noury
>
Here is an oversimplified explanation.  Configuring Kerberos with Samba
will not give you any additional features.  It is definitely more secure
-- the Linux system will authenticate via Kerberos with your AD DC.
Aside from the security bonus, the only other reason you would want to
consider doing this is if your Active Directory is running in Native
Mode.  If this is the case, you *have* to use Kerberos if you wish to
become a full domain member.  Otherwise, if you are running in Mixed
Mode (the default mode on 2000/2003) and the added benefits of Kerberos
security are not a requirement, then by all means run in domain mode as
an old-style NT system and enjoy being free from the headaches of
Kerberos compatibility issues.

Christian

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
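For reference, the two configurations Mark contrasts, written out as complete smb.conf fragments with the krb5.conf that the ADS variant depends on. This is an added example, not configuration posted by anyone on the thread; the domain name EXAMPLE, the realm EXAMPLE.LOCAL, the DC name dc1.example.local and the idmap ranges are made-up placeholders. The two [global] sections are alternatives: a real smb.conf has only one.

```ini
; ===== Alternative A: NT4-style domain member (what "security = domain" gives you) =====
; Join with:   net join -U Administrator
; smbd verifies user passwords by passing the NTLM exchange through to a DC
; over SMB. No Kerberos client, no realm and no krb5.conf are involved.
[global]
    workgroup = EXAMPLE
    security = domain
    encrypt passwords = yes

; ===== Alternative B: Active Directory member (what "security = ads" gives you) =====
; Join with:   net ads join -U Administrator
; The join and the machine's own authentication to the DC use Kerberos, so
; the box needs a working Kerberos client (krb5.conf below) and a clock that
; agrees with the DC: by default the KDC rejects requests skewed by more than
; five minutes, and a bad clock is the usual cause of a failed "net ads join".
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ads
    encrypt passwords = yes

    ; Either way, smbd still has to resolve each connecting Windows user to a
    ; Unix uid/gid for file access. Without winbindd that means a matching
    ; /etc/passwd entry per Windows user; with winbindd (and "winbind" in the
    ; passwd/group lines of /etc/nsswitch.conf) domain SIDs are mapped to
    ; uids/gids from these ranges instead. The placeholder ranges are assumed.
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes

; ===== /etc/krb5.conf for Alternative B =====
; Kerberos realm names are case-sensitive; AD realms are the DNS domain in upper case.
[libdefaults]
    default_realm = EXAMPLE.LOCAL

[realms]
    EXAMPLE.LOCAL = {
        kdc = dc1.example.local
        admin_server = dc1.example.local
    }
```

Before attempting the ADS join, confirm the Kerberos side on its own with `kinit Administrator@EXAMPLE.LOCAL`; if that fails, the problem is DNS, the realm name or clock skew, not Samba. After the join, `net ads testjoin` checks that the machine account password still works against the DC, and `wbinfo -t` does the same check through winbindd once it is running.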
