On Thu, 17 Nov 2011, Les Mikesell wrote:
>> You don't *have* to join it to the domain, you can use pam_krb5 without
>> joining if you want.
>
> I don't see that as an option in authconfig (or smb either now). Are
> there examples of how to set that up? And does apache have to be
> configured separately?
With authconfig it's --enablekrb5 and the related ones for setting the
details. Since you're not worried about group membership krb5's all you need.
If pam_smb type stuff was enough then you don't need to worry about
validation, although it's definitely better if you do.
> I thought 'sufficient privs' was an admin account in AD. I don't
> have/want that, and I'd prefer for the people running the AD servers
> to continue to not know which linux servers are bouncing password
> checks their way.
No, you don't need that much. You just need permissions to create a machine
object within a specific OU, which is much lower grade. The password checks
would end up with the AD controllers, but I doubt it's anything they're likely
to notice.
> Maybe, if you have krb stuff passed through to a joined AD. I was
> hoping NTLM would still work. And I want it to also work
> transparently with local linux accounts that don't exist in AD.
On that side, I pass.
jh
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
