[Samba] Can Winbind go directly to LDAP/Kerberos? Or is it PDC NTLM
letz_samba at realmspace.com
Mon Nov 21 23:19:54 GMT 2005
I am tinkering with PADL and Kerberos PAM, so that I can have account
authentication and directory directly to AD KDC/LDAP.
I always thought that winbind provided support for NT-style PDC for
authentication and referencing the account directory, and thus only works in
AD mixed mode where the PDC emulator is used for backwards compatibility.
However, I was reading a book that seemed to indicate that winbind will
talk directly to Active Directory (authenticate through KDC, reference
account info from LDAP). Is this true?
What I would like to do is:
(1) direct authentication to AD KDC
(2) referencing AD LDAP for account info
(3) writing any mapped SID to UID/GID in SFU extended Active Directory
LDAP, instead of local database.
I've been digging through published and online documents, but most
documentation is oriented to old-school PDC. I want to avoid NTLM and
PDCs of the past for security and performance reasons (NTLM single DES
vs. Kerberos triple DES, for instance).
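As an added example (not from the original post or from the Samba project), the smb.conf settings that put winbind into the AD-member mode being asked about: Kerberos authentication via `security = ads`, and SID-to-UID/GID lookup from the SFU attributes in AD through Samba's idmap_ad backend. It uses the `idmap config` syntax of later Samba releases; EXAMPLE, EXAMPLE.COM and the ID ranges are placeholders.

```ini
# /etc/samba/smb.conf (added example; EXAMPLE / EXAMPLE.COM are placeholders)
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    # Join as an AD member: winbind authenticates through the KDC
    # (Kerberos) rather than NTLM against a PDC emulator.
    security = ads

    # Default backend for SIDs outside the domain (BUILTIN, local SIDs).
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Domain SIDs are resolved by reading the UID/GID attributes already
    # stored in AD instead of allocating them in a local tdb.
    # schema_mode = sfu selects the Services for UNIX attribute set
    # (msSFU30UidNumber / msSFU30GidNumber); rfc2307 would select
    # uidNumber / gidNumber.
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = sfu
    idmap config EXAMPLE : range = 10000-999999

    # Home directory and login shell come from the same SFU attributes.
    winbind nss info = sfu
    winbind use default domain = yes
    winbind enum users = no
    winbind enum groups = no

    # Keep Kerberos tickets of pam_winbind logins renewed.
    winbind refresh tickets = yes
```

One caveat for point (3): idmap_ad is a read-only backend, so it maps only accounts that already carry SFU uid/gid values in AD and never writes new mappings back; those attributes have to be populated on the AD side. After `net ads join`, `wbinfo -t` confirms the trust and `getent passwd <user>` shows whether the SFU-based mapping is being used.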