On Thu, Aug 15, 2013 at 8:44 PM, Stephen Harris <lists@spuddy.org> wrote:
> On Thu, Aug 15, 2013 at 06:40:54PM -0700, Devin Reade wrote:
>> Last time I checked a few years ago I don't think AD supported an LDAP
>> anonymous bind, so you may need to bind as that user in order to validate
>> the creds.
>
> AD is Kerberos for authentication. If you just want to authenticate user
> "xyzzy" to AD with a password (as opposed to krb keys) then just configure
> /etc/krb5.conf to point to an AD domain controller.
>
> Don't need LDAP at all.
>
> Everything else (samba, ldap, etc.) gives closer integration, but isn't
> essential for pure 'AD password' authentication.
Authconfig sets that up with PAM when you pick Kerberos authentication, and it works fine for Linux user logins (console, ssh, etc.). What I want in addition is for those users to be able to map their home directories from a Windows box using that same login/password. I don't really care if they have to enter it explicitly for the share or if whatever Windows does because they are already logged into the domain, I just don't want to manage a separate copy of each user's password. And what authconfig puts in the smb.conf doesn't seem to work that way. I used to be able to use security=server against an older-style Windows domain controller, but I think the AD domain has been upgraded and no longer has that backwards-compatibility mode.
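The krb5.conf setup Stephen describes, plus the check you would run before trusting it, as an added example that is not part of the thread. The realm EXAMPLE.COM, the domain controller dc1.example.com and the user xyzzy are placeholders, and the stdin password handling relies on MIT kinit's behaviour of reading from stdin when no tty is attached:

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: generate a minimal
# /etc/krb5.conf that points a Linux host at an AD domain controller for
# password (TGT) authentication, and check it with kinit. Names are placeholders.

# gen_krb5_conf REALM DC_FQDN
# Prints a minimal krb5.conf to stdout. The realm is forced to upper case
# (what AD expects); the lower-cased form is used for the [domain_realm] map.
gen_krb5_conf() {
    realm=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    dc=$2
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    # Let libkrb5 find DCs from the _kerberos._tcp SRV records AD publishes,
    # so a single DC outage does not break every login.
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    forwardable = true

[realms]
    $realm = {
        kdc = $dc
        admin_server = $dc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# srv_record_name REALM
# The DNS name libkrb5 queries when dns_lookup_kdc is on; resolve it with
# dig/host to confirm the host can actually locate a DC.
srv_record_name() {
    printf '_kerberos._tcp.%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# check_ad_password USER REALM   (password on stdin)
# Asks the DC for a TGT into a throwaway cache and returns 0 on success.
# This is the same AS exchange pam_krb5 performs at login, minus the PAM glue.
# Reading the password from stdin keeps it out of the process list.
check_ad_password() {
    user=$1
    realm=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    cc=$(mktemp) || return 2
    if KRB5CCNAME="FILE:$cc" kinit "$user@$realm" >/dev/null 2>&1; then
        KRB5CCNAME="FILE:$cc" klist
        KRB5CCNAME="FILE:$cc" kdestroy 2>/dev/null
        rm -f "$cc"
        return 0
    fi
    rm -f "$cc"
    return 1
}

# Stand-alone use (placeholders; the kinit step needs a reachable DC):
#   sh adkrb.sh example.com dc1.example.com > /etc/krb5.conf
#   dig +short SRV "$(srv_record_name example.com)"
#   printf '%s' "$PASSWORD" | check_ad_password xyzzy EXAMPLE.COM && echo OK
if [ $# -eq 2 ]; then
    gen_krb5_conf "$1" "$2"
fi
```

If the SRV lookup returns nothing, the host is not using the AD DNS servers and kinit will fall back to the single kdc line; fix the resolver before blaming the KDC. A kinit failure with a known-good password usually means clock skew (AD rejects more than five minutes) or a realm case mismatch.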