On 13 Oct 2008, at 23:21, Alan McKinnon wrote:
...
Should I be looking into winbind?
Or configure kerberos to join the domain and have all my apps use that?
Some ldap-proxy type setup?

Pointers to howtos and opinions on what's worth the effort are all that I'm
after today - I can read the details in the man pages myself once I have a
known direction to follow. If my three ideas above sound stupid, that's
because they probably are :-)

I don't think winbind is an answer - I use it myself on an IMAP
server, allowing the users to use the same password for their email as
they do for the domain, and I don't immediately see how it could be
configured to in some way behave in a manner which would alleviate
your problem.

The solution which seems most obvious to me is to reboot your laptop
when changing your domain password (or even just log out?), so that
all these services are no longer running in the background with the
old password saved. Also, you could perhaps ask your IT department to
change their security policy to reduce the number of occasions upon
which you need to inconvenience them; instead of 3 attempts locking
you out permanently and requiring a manual reset, if they locked you
out for only 5 minutes you would perhaps have time to realise there's
a problem and fix it.

IMO any client being denied access with a "bad password" type response
should STOP AND ASK for a corrected password, rather than persistently
trying with a user:pass it has been told to be invalid. Is it possible
your klient apps are somehow misconfigured? If not, perhaps you should
file upstream bugs.

Stroller.