Ti Leggett wrote:
>
> The kerberos libraries are linked in for kerberos authentication to a MS
> AD server not for other third party kerberos databases.

ok, from this I deduced that samba only can use a TGS and it isn't able to get a TGT for transparent Kerberos logins which in part explains why SSO isn't possible. Thank you for the explanation, Ti.

> On Wed, 2005-05-04 at 19:45 +0200, José M. Fandiño wrote:
> > "José M. Fandiño" wrote:
> > >
> > > Ti Leggett wrote:
> > > >
> > > > That may be true, but there is another win in this type of environment.
> > > > Separation of your authentication database from your identity management
> > > > database. Regardless of how you authenticate in this scenario, you will
> > >
> > > also there is the opposite school of thought, if you have disconnected
> > > databases it makes management more difficult, i.e. keep passwords
> > > synchronized for different applications.
> > >
> > > > be sending passwords (even encrypted) over the wire. If the passwords
> > > > are in a KDC then at least it's not easy to gain those passwords. If you
> > > > keep your passwords in LDAP, then you need to be very careful about who
> > > > has access to them.
> > >
> > > that is true in an environment with native kerberos authentication, but
> > > in the samba case it isn't applicable because the password is sent to
> > > PAM and this check the password against ldap send it over the wire.
> >
> > well, I'm a bit confused here. For Kerberos auth samba is using
> > native kerberos or pam_krb5?
> >
> > In my test machine smbd is linked with libpam, libkrb5 and libgssapi.
