[Samba] Can Winbind go directly to LDAP/Kerberos? Or is it PDC NTLM only?

SAMBA letz_samba at realmspace.com
Mon Nov 21 23:19:54 GMT 2005


I am tinkering with PADL and Kerberos PAM, so that I can have account
authentication and directory lookups go directly to the AD KDC/LDAP.

I always thought that winbind provided support for NT-style PDC for
authentication and referencing the account directory, and thus only works in
AD mixed mode where the PDC emulator is used for backwards compatibility.
However, I was reading a book that seemed to indicate that winbind will
talk directly to Active Directory (authenticate through the KDC, reference
account info from LDAP).  Is this true?

What I would like to do is:
  (1) direct authentication to AD KDC
  (2) referencing AD LDAP for account info
  (3) writing any mapped SID to UID/GID in SFU extended Active Directory
LDAP, instead of local database.

I've been digging through published and online documents, but most
documentation is oriented to old-school PDCs.  I want to avoid NTLM and
PDCs of the past for security and performance reasons (NTLM single DES
vs. Kerberos triple DES, for instance).

  -- Joaquin

