pam_winbind expects "DOAMIN\name" for authentication, but pam_kerberos expects just "name". Is there a trick to stack them such that the pam_winbind modules are used for account information, but the kerberos modules do the authentication (with the result being that the user has a tgt after login).
Andrew Bartlett
2003-Sep-25 23:03 UTC
[Samba] Re: Stacking pam_kerberos and pam_winbind modules
On Fri, 2003-09-26 at 02:43, Steve Smtih wrote:> pam_winbind expects "DOAMIN\name" for authentication, > but pam_kerberos expects just "name". Is there a trick > to stack them such that the pam_winbind modules are > used for account information, but the kerberos modules > do the authentication (with the result being that the > user has a tgt after login).Given that the mapping from 'short' to 'long' domain names is pretty much a windows thing (DOMAIN\name is name@FULL.DOMAIN.REALM), and the fact that people will expect NT4 trusted domains to still work, I think that one option is to extend pam_winbind to handle this. But that's all about writing new code - for existing options, for a single domain, you might want to look at setting 'winbind use default domain = yes' in your smb.conf. Andrew Bartlett -- Andrew Bartlett abartlet@pcug.org.au Manager, Authentication Subsystems, Samba Team abartlet@samba.org Student Network Administrator, Hawker College abartlet@hawkerc.net http://samba.org http://build.samba.org http://hawkerc.net -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.samba.org/archive/samba/attachments/20030925/47f4133e/attachment.bin