[Samba] Winbind vs pam_krb5/nss_ldap

Blindauer Emmanuel samba at mooby.net
Sun Mar 27 11:31:05 GMT 2005


I've installed samba+winbind for 2k users. I had set up my stations to use 
winbind for everything, and the backend used is ldap.
Now with a little more information, I will probably change the authentication on 
computers to use krb5 + credential caching, so people will get a kerberos ticket 
and get SSO like for Windows users.
For changing their password, it works with kerberos, with "kpasswd user@REALM".
What isn't working is the "change password at first login" set up by Windows, 
but I didn't get further into that, only removed that.


On Monday 21 March 2005 04:46, AD. wrote:
> Hi all,
>
> I am just after some opinions about the pros and cons of winbind
> compared to the 'standard' kerberos and ldap methods. I've
> already got single sign on working with pam_krb5 and nss_ldap (using
> SASL/GSSAPI) against SBS 2003 (with MSSFU 3.0) using Debian Sarge as
> clients/'member servers', and integration of Samba is the next bit I'm
> looking at.
>
> The impressions I get are (corrections welcome):
>
> Winbind should be a bit simpler to set up than the pam/nss option, and
> mean a bit less work entering UIDs and GIDs etc into Active Directory
> and generating keytabs etc.
>
> Using the standard kerberos/ldap methods should give more flexibility
> for integrating with other unix based services eg consistent uid
> mapping between machines (when using Active Directory at least) etc.
>
> Winbind users need to log on using DOMAIN\USER, while pam_krb5 users
> just need to use USER for their default realm. Or am I wrong about
> that one?
>
> Winbind users can change their AD password while pam_krb5 users can't
> (at this stage).
>
>
> Now for some questions...
>
> Is it possible or is there any value in using both winbind and
> pam_krb5/nss_ldap together? How would they integrate?
>
> If it's even possible, what would I miss out on if not using winbind?
> I presume there still needs to be some sort of SID mapping going on
> for Samba to do its stuff?

