Re: CentOS 6 smb authentication?




On Thu, Nov 17, 2011 at 11:26 AM, John Hodrien <J.H.Hodrien@xxxxxxxxxxx> wrote:
>
>> I have some services on Centos5 boxes that use smb authentication
>> against the Windows domain as a low-maintenance way to handle most of
>> our office users for things that don't need home directories (web/file
>> shares, etc.).  Running authconfig is all it takes to add it to PAM,
>> then adding mod_auth_pam to apache makes it work with that and local
>> users.  This all works without any particular involvement with the
>> Windows group or administrative access there.
>>
>> Is there a better way to do this on C6 that does not involve 'joining'
>> the windows domain?
>
> You don't *have* to join it to the domain, you can use pam_krb5 without
> joining if you want.

I don't see that as an option in authconfig (or smb either now).  Are
there examples of how to set that up?  And does apache have to be
configured separately?

> There are advantages if you do though, since a joined
> machine offering samba shares to windows users on a domain won't prompt for a
> password, as it'll use their existing kerberos ticket.  Joining *is* just a
> case of a correct smb.conf/krb5.conf and "net ads join" with an account with
> sufficient privs, so isn't really much pain for servers.

I thought 'sufficient privs' was an admin account in AD.  I don't
have/want that, and I'd prefer for the people running the AD servers
to continue to not know which linux servers are bouncing password
checks their way.

>> And is there a way to make samba (C5 or 6) work with Windows7 other
>> than configuring every client to send NTLM authentication when
>> requested?
>
> On C5 I thought upgrading to samba3x was sufficient, and that on C6 it should just
> work.  I'm assuming that's not the case?

Maybe, if you have krb stuff passed through to a joined AD.  I was
hoping NTLM would still work.  And I want it to also work
transparently with local linux accounts that don't exist in AD.

-- 
   Les Mikesell
     lesmikesell@xxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos


