On Thu, Nov 17, 2011 at 11:26 AM, John Hodrien <J.H.Hodrien at leeds.ac.uk> wrote:
>
>> I have some services on Centos5 boxes that use smb authentication
>> against the Windows domain as a low-maintenance way to handle most of
>> our office users for things that don't need home directories (web/file
>> shares, etc.). Running authconfig is all it takes to add it to PAM,
>> then adding mod_auth_pam to apache makes it work with that and local
>> users. This all works without any particular involvement with the
>> Windows group or administrative access there.
>>
>> Is there a better way to do this on C6 that does not involve 'joining'
>> the windows domain?
>
> You don't *have* to join it to the domain, you can use pam_krb5 without
> joining if you want.

I don't see that as an option in authconfig (or smb either now). Are
there examples of how to set that up? And does apache have to be
configured separately?

> There are advantages if you do though, since a joined
> machine offering samba shares to windows users on a domain won't prompt for a
> password, as it'll use their existing kerberos ticket. Joining *is* just a
> case of a correct smb.conf/krb5.conf and "net ads join" with an account with
> sufficient privs, so isn't really much pain for servers.

I thought 'sufficient privs' was an admin account in AD. I don't
have/want that, and I'd prefer for the people running the AD servers
to continue to not know which linux servers are bouncing password
checks their way.

>> And is there a way to make samba (C5 or 6) work with Windows7 other
>> than configuring every client to send NTLM authentication when
>> requested?
>
> On C5 I thought upgrading to samba3x was sufficient, and that C6 it should just
> work. I'm assuming that's not the case?

Maybe, if you have krb stuff passed through to a joined AD. I was
hoping NTLM would still work. And I want it to also work
transparently with local linux accounts that don't exist in AD.

--
Les Mikesell
lesmikesell at gmail.com
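
A sketch of the "pam_krb5 without joining" setup discussed in this message, added here as an example; it is not from the thread or from either poster. The realm `EXAMPLE.COM`, the KDC host `dc1.example.com`, and `httpd` as the PAM service name read by mod_auth_pam are assumptions.

```conf
# --- /etc/krb5.conf (realm and KDC names are placeholders) ---
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM

# --- /etc/pam.d/httpd (assumed service name for mod_auth_pam) ---
# Local accounts are tried first, so users that exist only in
# /etc/passwd keep working.
auth     sufficient  pam_unix.so
# Otherwise check the same password against the AD KDC.
# no_user_check: do not require a local passwd entry for the AD user
# (option of the Red Hat pam_krb5 module; confirm in pam_krb5(8)).
auth     sufficient  pam_krb5.so use_first_pass no_user_check
auth     required    pam_deny.so

# Local users get the normal expiry/lock checks; users unknown to
# the local passwd database (AD-only) are passed through instead of
# being rejected as "user unknown".
account  [success=done user_unknown=ignore default=bad]  pam_unix.so
account  required    pam_permit.so
```

Without a host keytab (which is what joining provides), pam_krb5 cannot validate that the ticket it received came from the real KDC, so the password check trusts the network path to the KDC. The account stack above also performs no AD-side authorization: any principal in the realm that presents a valid password is accepted.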