[Samba] PAM authentication to Active Directory

Mark Proehl M.Proehl at science-computing.de
Thu Nov 16 09:22:07 GMT 2006


On Wed, Nov 15, 2006 at 06:03:37PM -0000, Gautier, B (Bob) wrote:
> ...
> I'm not entirely clear what you want to do, but you could look
> at using just pam_krb5 (i.e. use AD's Kerberos functionality
> for authentication) - that way, you won't need a domain join.

pam_krb5 should validate the users ticket granting ticket. Otherwise
authentication ist not secure. Validation is performed by requesting a
service ticket (for the host principal) an decrypting that ticket with
a key from the keytab (/etc/krb5.keytab). 

So pam_krb5 needs a keytab file to operate securely. One of the
easiest way to get that keytab is samba's "net ads join"

- Mark

More information about the samba mailing list