No problem, now let's just hope I'm right in my explanation ;)

On Thu, 2005-05-05 at 12:11 +0200, José M. Fandiño wrote:
> Ti Leggett wrote:
> >
> > The kerberos libraries are linked in for kerberos authentication to a MS
> > AD server not for other third party kerberos databases.
>
> ok, from this I deduced that samba only can use a TGS and it isn't able
> to get a TGT for transparent Kerberos logins which in part explains why
> SSO isn't possible.
>
> Thank you for the explanation, Ti.
>
> > On Wed, 2005-05-04 at 19:45 +0200, José M. Fandiño wrote:
> > > "José M. Fandiño" wrote:
> > > >
> > > > Ti Leggett wrote:
> > > > >
> > > > > That may be true, but there is another win in this type of environment.
> > > > > Separation of your authentication database from your identity management
> > > > > database. Regardless of how you authenticate in this scenario, you will
> > > >
> > > > also there is the opposite school of thought, if you have disconnected
> > > > databases it makes management more difficult, i.e. keep passwords
> > > > synchronized for different applications.
> > > >
> > > > > be sending passwords (even encrypted) over the wire. If the passwords
> > > > > are in a KDC then at least it's not easy to gain those passwords. If you
> > > > > keep your passwords in LDAP, then you need to be very careful about who
> > > > > has access to them.
> > > >
> > > > that is true in an environment with native kerberos authentication, but
> > > > in the samba case it isn't applicable because the password is sent to
> > > > PAM and this check the password against ldap send it over the wire.
> > >
> > > well, I'm a bit confused here. For Kerberos auth samba is using
> > > native kerberos or pam_krb5?
> > >
> > > In my test machine smbd is linked with libpam, libkrb5 and libgssapi.
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
