Hi,

On Wed, Nov 15, 2006 at 06:03:37PM -0000, Gautier, B (Bob) wrote:
> ...
> I'm not entirely clear what you want to do, but you could look
> at using just pam_krb5 (i.e. use AD's Kerberos functionality
> for authentication) - that way, you won't need a domain join.

pam_krb5 should validate the user's ticket granting ticket. Otherwise authentication is not secure. Validation is performed by requesting a service ticket (for the host principal) and decrypting that ticket with a key from the keytab (/etc/krb5.keytab). So pam_krb5 needs a keytab file to operate securely. One of the easiest ways to get that keytab is Samba's "net ads join".

- Mark
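
Added example, not part of the original message: a shell check that a keytab listing contains the host principal the validation step described above depends on. It assumes the plain output format of MIT Kerberos `klist -k`; the sample listing, host name and realm are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the format printed by MIT Kerberos `klist -k`
# (an AD-joined client; names and realm are made up for this example).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 host/client1.example.com@EXAMPLE.COM
   2 host/client1.example.com@EXAMPLE.COM
   2 CLIENT1$@EXAMPLE.COM'

# host_principals: read `klist -k` output on stdin and print each distinct
# host/<name>@<REALM> principal. Entry lines are recognised by a numeric
# KVNO in the first column, so the header lines are skipped.
host_principals() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^host\/[^@]+@[^@]+$/ { print $2 }' | sort -u
}

# keytab_can_validate FQDN: read `klist -k` output on stdin and succeed only
# if it holds a key for host/FQDN in some realm. Without such a key there is
# nothing to decrypt the host service ticket with, so the TGT cannot be
# validated. The host part is compared case-insensitively.
keytab_can_validate() {
    awk -v want="host/$1" '
        $1 ~ /^[0-9]+$/ {
            split($2, parts, "@")
            if (tolower(parts[1]) == tolower(want)) ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# On a real system (assumption: MIT klist, run with read access to the keytab):
#   klist -k /etc/krb5.keytab | keytab_can_validate "$(hostname -f)" \
#       || echo "no host principal in keytab: TGT validation not possible"
```
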
