D&C GLug - Home Page


Re: [LUG] ADS integration with winbindd

 

Kevin Tunison wrote:
> 
> As for utilizing kerberos, you have more experience with it than me (I
> have only implemented it the once thus far).  I did this because the
> reading I did included it, and it is included as an integral part of MS
> domain/AD setups.  So, I read a bit more, and it seems that the only
> advantages I can find are that it's the "standard" for mixed domain
> setups as far as MS is concerned (
> http://www.windowsecurity.com/articles/Kerberos-Authentication-Mixed-Windows-UNIX-Environment.html)
> and extending trusts outside your network (also with MS Federated
> Services in R2).

In principle you can get single sign-on, rather than just a single
username/password. But I'm not sure how far I can extend this.

I've seen documentation suggesting Kerberos will work with SMTP AUTH and
POP3 using dovecot/postfix/thunderbird|kmail|misc other MUAs, and
obviously SMB with SAMBA, but as far as I know it doesn't work with
Microsoft Outlook as the mail client?!

So whilst there would be some advantages if it was free software
everywhere, I think in other cases it makes my life harder (I'd have to
have a different /etc/pam.d/{service} file for services that don't
support kerberos, or need to support Kerberos plus another auth mechanism).

But I'd like to have the time to work it through fully, and compare the
two approaches for the software we have at work, which is probably
fairly typical.




-
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe. FAQ: www.dcglug.org.uk/linux_adm/list-faq.html