On Thu, 30 Dec 2004 15:30:24 +0200, Henri Bergius <[EMAIL PROTECTED]> wrote:
>
> This is with Active Directory, and winbindd version 3.0.4.

Move to 3.0.10.

> Additional note: I would like to set the system up so that
> users from internal network would use NTLM and from external
> PAM. The hosts are separate (http://intra and https://intra.example.com).
>
> However, PAM and NTLM seem to require different settings to
> Samba.

Yes.

> For PAM to work, the setting is:
> winbind use default domain = true

Not quite true. You may leave it as false but users will have to enter
the domain part plus separator before the name.

> And according to Piotras it should be for NTLM:
> winbind use default domain = false

This is the appropriate setting and it should be used everywhere. The
aforementioned option was a kludge I added years ago during our attempts
to simplify Winbindd-enabled systems integration but unfortunately it
does not work well in most cases -- not due to code problems but by
design -- it is impossible to integrate both worlds without a hitch.

> Ideas? I thought NTLM shouldn't require a password as it
> works through Kerberos. As to IE refusing to display the page,
> that would suggest there are also other problems at work here.

It depends heavily on how ADS is configured (there are 5 different
modes in ADS).

> Oh, and testing things from command line:
>
> # wbinfo -a testam2%<password>
> plaintext password authentication succeeded
> challenge/response password authentication succeeded

What does a plain smbclient call show here? Both trying to access some
share with (-k) and without Kerberos setup?

--
/ Alexander Bokovoy
