On Mon, Sep 23, 2002 at 03:43:59PM -0500, Furnish, Trever G wrote:

> I'm under the impression that you are using the "old" nt method of
> authentication here rather than kerberos.  I would expect that as most sites
> move to active directory they will eventually disable support for their old
> authentication mechanisms in order to benefit from win2k and later's native
> kerberos authentication.
> 
> If I'm reading this wrong and you are actually using kerberos with this
> setup, please correct me...

You are right. I'm using SMB authentication. Not kerberos authentication.
Let me explain how I got to where I am:

My first attempt at unified authentication was from a samba document which
explained how to use winbind. This required winbindd, pam_winbind and hand
tweaking of /etc/pam.d/*. I got it to work, but all usernames were in a
format like "DOMAIN+username", which looked horrible when you tried ls or
anything, not to mention typing it to log in to the system. So I sent it to
/dev/null.

Next, I got hold of a document called "Authenticating Redhat 7.3 against the
Active Directory". This document explained how to configure your RH box to
authenticate with the kerberos component of an Active Directory Server.
After following it step by step, things didn't quite work. So I sent it to
/dev/null.

After some more googling, I came across a web page mentioned earlier on this
thread (the pam_smb home page). This page mentioned /etc/pam.d/system-auth,
which wasn't mentioned in the other docs I had read. I checked this file,
and found the mention of authconfig. So I ran it and everything worked so
smoothly that I kept it there to show to my boss.

So to sum it up:

1. Samba's winbind method was a hassle.
2. Kerberos just plain did not work.
3. Pam_smb configured with authconfig worked like a charm.

Since my objective was not to (implement a technology) use kerberos to
authenticate, but to solve a problem (use the Windows Active Directory to
authenticate), pam_smb stayed because it solved my problem in an easy way.

Note to Redhat: This process should be better documented in the manuals,
either the Reference Guide or the Customization Guide.

Cheers,
-- 
Javier Gostling
Systems Engineer
Virtualia S.A.
[EMAIL PROTECTED]
Phone: +56 (2) 202-6264 x 130
Fax: +56 (2) 342-8763

Av. Kennedy 5757, of 1502
Las Condes
Santiago
Chile
