On Thu, Nov 17, 2011 at 11:26 AM, John Hodrien wrote:
I have some services on Centos5 boxes that use smb authentication
against the Windows domain as a low-maintenance way to handle most of
our office users for things that don't need home directories (web/file
shares, etc.). ?Running authconfig is all it takes to add it to PAM,
then adding mod_auth_pam to apache makes it work with that and local
users. ?This all works without any particular involvement with the
Windows group or administrative access there.
Is there a better way to do this on C6 that does not involve 'joining'
the windows domain?
You don't *have* to join it to the domain, you can use pam_krb5 without
joining if you want.
I don't see that as an option in authconfig (or smb either now). Are
there examples of how to set that up? And does apache have to be
?There are advantages if you do though, since a joined
machine offering samba shares to windows users on a domain won't prompt for a
password, as it'll use their existing kerberos ticket. ?Joining *is* just a
case of a correct smb.conf/krb5.conf and "net ads join" with an account with
sufficient privs, so isn't really much pain for servers.
I thought 'sufficient privs' was an admin account in AD. I don't
have/want that, and I'd prefer for the people running the AD servers
to continue to not know which linux servers are bouncing password
checks their way.
And is there a way to make samba (C5 or 6) work with Windows7 other
than configuring every client to to send NTLM authentication when
On C5 I thought upgrading to samb3x was sufficient, and that C6 it should just
work. ?I'm assuming that not the case?
Maybe, if you have krb stuff passed through to a joined AD. I was
hoping NTLM would still work. And I want it to also work
transparently with local linux accounts that don't exist in AD.
lesmikesell at gmail.com