On Thu, Nov 17, 2011 at 11:26 AM, John Hodrien <J.H.Hodrien@leeds.ac.uk> wrote:
I have some services on CentOS 5 boxes that use smb authentication against the Windows domain as a low-maintenance way to handle most of our office users for things that don't need home directories (web/file shares, etc.). Running authconfig is all it takes to add it to PAM, then adding mod_auth_pam to Apache makes it work with that and local users. This all works without any particular involvement with the Windows group or administrative access there.
Is there a better way to do this on C6 that does not involve 'joining' the windows domain?
You don't *have* to join it to the domain, you can use pam_krb5 without joining if you want.
I don't see that as an option in authconfig (or smb either now). Are there examples of how to set that up? And does apache have to be configured separately?
There are advantages if you do though, since a joined machine offering samba shares to windows users on a domain won't prompt for a password, as it'll use their existing kerberos ticket. Joining *is* just a case of a correct smb.conf/krb5.conf and "net ads join" with an account with sufficient privs, so isn't really much pain for servers.
I thought 'sufficient privs' was an admin account in AD. I don't have/want that, and I'd prefer for the people running the AD servers to continue to not know which linux servers are bouncing password checks their way.
And is there a way to make samba (C5 or 6) work with Windows 7 other than configuring every client to send NTLM authentication when requested?
On C5 I thought upgrading to samba3x was sufficient, and that on C6 it should just work. I'm assuming that's not the case?
Maybe, if you have krb stuff passed through to a joined AD. I was hoping NTLM would still work. And I want it to also work transparently with local linux accounts that don't exist in AD.