[CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

Tue Feb 17 21:27:39 UTC 2009
Ross Walker <rswwalker at gmail.com>

On Tue, Feb 17, 2009 at 12:24 PM, Joseph L. Casale
<JCasale at activenetwerx.com> wrote:
>>Ok, here are the default settings that my kickstart file creates to
>>allow me to join the domain and have samba manage the keytab.
>
> Ross,
> I was out of town and missed this thread which is of great interest to me
> as well. When you say "have samba manage the keytab" do you mean not use one
> as have a dedicated service account on the DC and have it generate the keytab
> and have it copied over? A lot of solutions I have seen use that procedure, which
> I have never wanted to do for obvious reasons.

If you don't have a keytab file when you use samba to join the
domain and you have 'use kerberos keytab = yes' set in your
smb.conf, then samba creates one and populates it with the
AD-compatible host SPNs and machine password. From that point on it will
keep the keytab in sync. I don't know if it will add these if SPNs
already exist; I haven't tried it.

> Also, I see you also configure ldap to point towards what looks like your AD
> server as well. How come you use both Samba/Winbind and ldap?

LDAP wasn't necessary, I use it for querying AD attributes using the
OpenLDAP tools (I don't trust Microsoft and think they hide attributes
in ADSIEdit!).

Though I could have used NSS_LDAP instead of Winbind, I would just
need to set a UID/GID for every user and group in AD, which was just too
much of a PITA.

-Ross
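As an added example (not part of Ross's post, and not a Samba tool), here is a small POSIX shell check for the keytab that Samba populates when 'use kerberos keytab = yes' is set: it parses the output of `klist -k /etc/krb5.keytab`, reports which of the expected machine-account principals are absent, and flags entries whose newest key version lags behind the rest of the keytab. The host name web01.example.com, the realm EXAMPLE.COM and the `klist -k` listing are constructed sample data; on a real host you would pipe the actual `klist -k` output into these functions.

```shell
#!/bin/sh
# Constructed sample of `klist -k /etc/krb5.keytab` output for a host
# named web01 joined to the (hypothetical) EXAMPLE.COM AD realm.
# The HTTP/ entry is deliberately one key version behind the others.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/web01.example.com@EXAMPLE.COM
   3 host/WEB01@EXAMPLE.COM
   3 WEB01$@EXAMPLE.COM
   2 HTTP/web01.example.com@EXAMPLE.COM'

# keytab_principals: unique principal names from klist -k output on stdin.
# Header and separator lines contain no "@", so they are dropped.
keytab_principals() {
    awk 'NF == 2 && $2 ~ /@/ { print $2 }' | sort -u
}

# missing_principals FQDN REALM: print the principals an AD-joined Samba
# host is expected to carry (host/fqdn, host/SHORT, SHORT$) that are
# absent from the klist output on stdin. Returns 0 if none are missing.
missing_principals() {
    fqdn=$1
    realm=$2
    short=$(printf '%s' "$fqdn" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    have=$(keytab_principals)
    rc=0
    for p in "host/$fqdn@$realm" "host/$short@$realm" "$short\$@$realm"; do
        if ! printf '%s\n' "$have" | grep -qxF "$p"; then
            echo "$p"
            rc=1
        fi
    done
    return $rc
}

# stale_principals: print principals whose newest key version is older
# than the newest KVNO anywhere in the keytab. For a keytab Samba keeps in
# sync every machine-account entry should share the current KVNO; keys
# imported from a separate service-account keytab (the ktpass approach
# discussed above) will legitimately differ and show up here.
stale_principals() {
    awk 'NF == 2 && $2 ~ /@/ {
            if ($1 > newest[$2]) newest[$2] = $1
            if ($1 > max) max = $1
         }
         END { for (p in newest) if (newest[p] < max) print p }' | sort
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_KLIST" | missing_principals web01.example.com EXAMPLE.COM \
    && echo "all expected machine principals present"
printf '%s\n' "$SAMPLE_KLIST" | stale_principals
```

On a live system replace the sample with `klist -k /etc/krb5.keytab | missing_principals "$(hostname -f)" EXAMPLE.COM`; a non-empty result after a `net ads join` is the signal that Samba did not create the entries you expected, and a stale entry is a hint that the keytab contains keys Samba is not managing.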