On Thu, 17 Nov 2011, Les Mikesell wrote:
You don't *have* to join it to the domain; you can use pam_krb5 without joining if you want.
I don't see that as an option in authconfig (or smb either now). Are there examples of how to set that up? And does Apache have to be configured separately?
With authconfig it's --enablekrb5 and the related ones for setting the details. Since you're not worried about group membership, krb5's all you need. If pam_smb type stuff was enough then you don't need to worry about validation, although it's definitely better if you do.
I thought 'sufficient privs' was an admin account in AD. I don't have/want that, and I'd prefer for the people running the AD servers to continue to not know which Linux servers are bouncing password checks their way.
No, you don't need that much. You just need permissions to create a machine object within a specific OU, which is much lower grade. The password checks would end up with the AD controllers, but I doubt it's anything they're likely to notice.
Maybe, if you have krb stuff passed through to a joined AD. I was hoping NTLM would still work. And I want it to also work transparently with local Linux accounts that don't exist in AD.
On that side, I pass.
jh