I've installed samba+winbind for 2k users. I had set up my stations to use
winbind for all, and the backend used is ldap.
Now with a little more info, I will probably change the authentication on
computers to use krb5 + credential caching, so people will get a kerberos ticket
and get SSO like for windows users.
For changing their password, it works with kerberos, with "kpasswd user@REALM".
What isn't working is the "change password at first login" set up by windows,
but I didn't get further into that, only removed that.

On Monday 21 March 2005 04:46, AD. wrote:
> Hi all,
>
> I am just after some opinions about the pros and cons of winbind
> compared to the 'standard' kerberos and ldap methods. I've
> already got single sign on working with pam_krb5 and nss_ldap (using
> SASL/GSSAPI) against SBS 2003 (with MSSFU 3.0) using Debian Sarge as
> clients/'member servers', and integration of Samba is the next bit I'm
> looking at.
>
> The impressions I get are (corrections welcome):
>
> Winbind should be a bit simpler to set up than the pam/nss option, and
> mean a bit less work entering UIDs and GIDs etc into Active Directory
> and generating keytabs etc.
>
> Using the standard kerberos/ldap methods should give more flexibility
> for integrating with other unix based services eg consistent uid
> mapping between machines (when using Active Directory at least) etc.
>
> Winbind users need to log on using DOMAIN\USER, while pam_krb5 users
> just need to use USER for their default realm. Or am I wrong about
> that one?
>
> Winbind users can change their AD password while pam_krb5 users can't
> (at this stage).
>
>
> Now for some questions...
>
> Is it possible or is there any value in using both winbind and
> pam_krb5/nss_ldap together? How would they integrate?
>
> If it's even possible, what would I miss out on if not using winbind?
> I presume there still needs to be some sort of SID mapping going on
> for Samba to do its stuff?