[Samba] Can Winbind go directly to LDAP/Kerberos? Or is it PDC NTLM only?
Gerald (Jerry) Carter
jerry at samba.org
Mon Nov 28 13:04:45 GMT 2005
SAMBA wrote:

| What I would like to do is:
| (1) direct authentication to AD KDC

Winbindd provides NTLM authentication only at the moment.
One of the developers is working on extending that
in pam_winbind. For now you would use pam_krb5 if you
need to enable Kerberos auth for Unix services.

Note that smbd supports ticket based authentication for
file and print services when joined to an AD domain.

| (2) referencing AD LDAP for account info

Sure. Try 3.0.21rc1 for the latest set of improvements.

| (3) writing any mapped SID to UID/GID in SFU extended Active Directory
| LDAP, instead of local database.

Winbindd won't write to an SFU enabled AD but it will use
the info if you use the ad idmap backend.

| I've been digging through published and online documents,
| but most documentation is oriented to old-school PDC. I
| want to avoid NTLM and PDCs of the past for security and
| performance reasons (NTLM single DES vs. Kerberos triple
| DES for instance)

Windows 2000 and 2003 prefer RC4-HMAC and don't support 3DES for
Kerberos encryption types.

cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"There's an anonymous coward in all of us." --anonymous