On Thu, Aug 30, 2012 at 7:54 PM, Ben Howell <[email protected]> wrote:
> While this is true, people who get paid a lot more than I do decided we > shouldn't be pointing authentication to individual machines and instead use > domain lookups, which winbind does nicely. I was able to replicate the old > functionality by pointing the pam stack directly to dc01.domain.com, but > that defeats the purpose of having a decentralized authentication system. Any Kerberos implementation worth its salt should be able to use SRV lookups, which Active Directory supports, to autodiscover the KDCs. Moreover, even when explicit specification is necessary, you do not normally specify them in the PAM stack but in /etc/krb5.conf. Where (which module) and why are you having to specify KDC machines within/as part of the PAM stack? -- brandon s allbery [email protected] wandering unix systems administrator (available) (412) 475-9364 vm/sms
