Mark Le Noury wrote:

Hi,

I'm getting confused about the role that kerberos authentication plays.
What exactly is the point of using kerberos to join a samba server to an
AD domain?
If using kerberos still requires you to rely on winbindd for all the
nsswitch stuff then what is the point?

I can just as easily specify
                               workgroup = wkgrp
                               security = domain

and do a net join


Instead of doing
                               realm = wkgrp.krb.realm
                               workgroup = wkgrp
                               security = ADS

and doing
net ads join


Are there performance benefits/better security...what??
I think that maybe my understanding of the kerberos setup is a bit
flawed.


thanks for any replies,

Mark Le Noury




Here is an oversimplified explanation. Configuring kerberos with samba will not give you any additional features. It is definitely more secure -- the linux system will authenticate via kerberos with your AD DC. Aside from the security bonus the only other reason you would want to consider doing this is if your Active Directory is running in Native Mode. If this is the case, you *have* to use kerberos if you wish to become a full domain member. Otherwise, if you are running in Mixed Mode (the default mode on 2000/2003) and the added benefits of kerberos security are not a requirement, then by all means run in domain mode as an old style NT system and enjoy being free from the headaches of kerberos compatibility issues.

Christian
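
An added example, not part of either post or of Samba itself: a small Python check that reads the [global] section of an smb.conf and reports which of the two join styles discussed above the server is configured for. The sample configs are constructed from the values in the thread; the function names and result labels are hypothetical.

```python
import re

# Constructed sample configs mirroring the two setups in the thread.
DOMAIN_CONF = """\
[global]
    workgroup = wkgrp
    security = domain
"""

ADS_CONF = """\
[global]
    ; Kerberos realm of the AD domain
    realm = wkgrp.krb.realm
    workgroup = wkgrp
    Security = ADS
"""

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and spaces in parameter names
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def join_mode(text):
    """Classify how this member server authenticates to the domain."""
    p = parse_global(text)
    mode = p.get("security", "").lower()
    if mode == "ads":
        # The ADS setup in the thread pairs security = ADS with a realm.
        return "kerberos" if p.get("realm") else "ads-missing-realm"
    if mode == "domain":
        return "nt-domain"                   # old-style NT domain member
    return "other"

if __name__ == "__main__":
    for name, conf in (("domain", DOMAIN_CONF), ("ads", ADS_CONF)):
        print(name, "->", join_mode(conf))
```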
