[CentOS] CentOS 6 smb authentication?

Thu Nov 17 19:37:17 UTC 2011
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Thu, 17 Nov 2011, Les Mikesell wrote:

>> You don't *have* to join it to the domain, you can use pam_krb5 without
>> joining if you want.
> I don't see that as an option in authconfig (or smb either now).  Are
> there examples of how to set that up?  And does apache have to be
> configured separately?

With authconfig it's --enablekrb5 and the related ones for setting the
details.  Since you're not worried about group membership krb5's all you need.
If pam_smb type stuff was enough then you don't need to worry about
validation, although it's definitely better if you do.

> I thought 'sufficient privs' was an admin account in AD.  I don't
> have/want that, and I'd prefer for the people running the AD servers
> to continue to not know which linux servers are bouncing password
> checks their way.

No, you don't need that much.  You just need permissions to create a machine
object within a specific OU, which is much lower grade.  The password checks
would end up with the AD controllers, but I doubt it's anything they're likely
to notice.

> Maybe, if you have krb stuff passed through to a joined AD.  I was
> hoping NTLM would still work.  And I want it to also work
> transparently with local linux accounts that don't exist in AD.

On that side, I pass.