On Thu, 17 Nov 2011, Les Mikesell wrote:

>> You don't *have* to join it to the domain, you can use pam_krb5 without
>> joining if you want.
>
> I don't see that as an option in authconfig (or smb either now). Are
> there examples of how to set that up? And does apache have to be
> configured separately?

With authconfig it's --enablekrb5 and the related ones for setting the details. Since you're not worried about group membership krb5's all you need. If pam_smb type stuff was enough then you don't need to worry about validation, although it's definitely better if you do.

> I thought 'sufficient privs' was an admin account in AD. I don't
> have/want that, and I'd prefer for the people running the AD servers
> to continue to not know which linux servers are bouncing password
> checks their way.

No, you don't need that much. You just need permissions to create a machine object within a specific OU, which is much lower grade. The password checks would end up with the AD controllers, but I doubt it's anything they're likely to notice.

> Maybe, if you have krb stuff passed through to a joined AD. I was
> hoping NTLM would still work. And I want it to also work
> transparently with local linux accounts that don't exist in AD.

On that side, I pass.

jh
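Added illustration, not part of the thread: a krb5.conf for the pam_krb5-only (non-joined) setup discussed above, with the ticket validation jh recommends switched on. The realm and KDC names are placeholders; `validate` in the `[appdefaults]` `pam` stanza is Red Hat's pam_krb5 syntax, and it needs a host keytab in /etc/krb5.keytab, which is the one thing that does require someone with rights to create the machine object in AD.

```ini
# /etc/krb5.conf  (placeholder names: AD.EXAMPLE.COM, dc1/dc2.ad.example.com)
# Written by e.g.:
#   authconfig --enablekrb5 --krb5realm=AD.EXAMPLE.COM \
#       --krb5kdc=dc1.ad.example.com --krb5adminserver=dc1.ad.example.com --update

[libdefaults]
    default_realm = AD.EXAMPLE.COM
    dns_lookup_kdc = false          ; pin the KDCs; do not let DNS pick them

[realms]
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
        kdc = dc2.ad.example.com
        admin_server = dc1.ad.example.com
    }

[appdefaults]
    pam = {
        # Weak setting: a forged KDC that answers the AS exchange is trusted.
        # validate = false
        # Hardened: pam_krb5 checks the obtained TGT against the host key in
        # /etc/krb5.keytab (host/<fqdn>@AD.EXAMPLE.COM), so password checks
        # only succeed against the real AD controllers.
        validate = true
        keytab = /etc/krb5.keytab
    }
```

Without a host keytab `validate = true` makes every login fail, which is the intended fail-closed behaviour; leave it off only if you accept the KDC-spoofing risk jh alludes to.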