[Samba] Can Winbind go directly to LDAP/Kerberos? Or is it PDC NTLM only?

Gerald (Jerry) Carter jerry at samba.org
Mon Nov 28 13:04:45 GMT 2005

Hash: SHA1

SAMBA wrote:

| What I would like to do is:
|   (1) direct authentication to AD KDC

Winbindd provides NTLM authenticationonly at the moment.
One of the developers is working on extending that
in pam_winbind.  For now you would use pam_krb5 if you
need to enable kerberos auth for Unix services.

Note that smbd supports ticket based authentication for
file and print services when joined to an AD domain.

|   (2) referencing AD LDAP for account info

Sure.  try 3.0.21rc1 for the latest set of improvements.

|   (3) writing any mapped SID to UID/GID in SFU extended Active Directory
| LDAP, instead of local database.

Winbindd won't write to an SFU enabled AD but it will use
the info if you use the ad idmap backend.

| I've been digging through published and online documents,
| but most documentation is oriented to old-school PDC.  I
| want to avoid NTLM and PDCs of the past for security and
| performance reasons (NTLM single DES vs. Kerberos triple
| DES for instance)

Windows 2000 and 2003 prefer RC4-HMAC and don't support 3des for
kerberos encryption types.

cheers, jerry
Alleviating the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"There's an anonymous coward in all of us."               --anonymous
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org


More information about the samba mailing list