[Samba] PAM authentication to Active Directory
Mark Proehl
M.Proehl at science-computing.de
Thu Nov 16 09:22:07 GMT 2006
Hi,
On Wed, Nov 15, 2006 at 06:03:37PM -0000, Gautier, B (Bob) wrote:
> ...
> I'm not entirely clear what you want to do, but you could look
> at using just pam_krb5 (i.e. use AD's Kerberos functionality
> for authentication) - that way, you won't need a domain join.
pam_krb5 should validate the user's ticket granting ticket. Otherwise
authentication is not secure. Validation is performed by requesting a
service ticket (for the host principal) and decrypting that ticket with
a key from the keytab (/etc/krb5.keytab).
So pam_krb5 needs a keytab file to operate securely. One of the
easiest ways to get that keytab is Samba's "net ads join".
- Mark
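
An added example, not part of the original post: a small audit of the two preconditions for the validation described above, a host principal key in the keytab and a library setting that refuses logins when the TGT cannot be verified. It assumes MIT Kerberos (`klist -k` output format and the `verify_ap_req_nofail` option in `[libdefaults]`) and a PAM module that relies on libkrb5's verification; the sample inputs, host name and realm are constructed.

```python
import re

# Constructed sample inputs (not from the original post): output of
# `klist -k /etc/krb5.keytab` in MIT format, and a krb5.conf excerpt.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   2 host/client.example.com@EXAMPLE.COM
   2 CLIENT$@EXAMPLE.COM
"""
SAMPLE_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM
    # fail the login when the TGT cannot be verified
    verify_ap_req_nofail = true
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
"""
TRUE_VALUES = {"y", "yes", "t", "true", "1", "on"}

def keytab_principals(klist_output):
    """Principals from `klist -k` lines of the form '<kvno> <principal>'."""
    found = (re.match(r"\s*\d+\s+(\S+@\S+)", l) for l in klist_output.splitlines())
    return [m.group(1) for m in found if m]

def libdefaults_option(conf_text, name):
    """First value of `name` in the [libdefaults] section of this text, or None."""
    section = None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            if key == name:
                return val
    return None

def audit_tgt_validation(klist_output, conf_text, fqdn, realm):
    """Return a list of findings; an empty list means both preconditions hold."""
    findings = []
    wanted = f"host/{fqdn}@{realm}"
    if wanted not in keytab_principals(klist_output):
        findings.append(f"no key for {wanted} in keytab: TGT cannot be validated")
    setting = libdefaults_option(conf_text, "verify_ap_req_nofail") or "false"
    if setting.lower() not in TRUE_VALUES:
        findings.append("verify_ap_req_nofail is off: a missing host key skips validation")
    return findings
```

On a real host, feed it the output of `klist -k /etc/krb5.keytab` and the contents of `/etc/krb5.conf`.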