If you set up Kerberos authentication using either pam_krb5 or pam_winbind, then yes, you will get password-less authentication to services.
But note that the article is out of date in some places, and plain incorrect in others.
- Arch switched to MIT Kerberos (krb5) long ago. Heimdal is not used. (krb5.conf syntax remains the same.)
- Do not put kdc settings in krb5.conf's [realms]. It is better to use DNS SRV records to find this information, which is what Windows does. If the KDCs change, you shouldn't need to edit hundreds of krb5.conf's.
- Do not put the KDC addresses in /etc/hosts either. Let DNS handle that.
- pam_krb5 does not need to be built manually; it's in the official repositories.
- You do not need pam_krb5 if you are using Winbind (which is the recommended way).
- allow_weak_crypto should not be necessary; both Heimdal and MIT Kerberos support the RC4-HMAC enctype used by pre-2008 Windows versions.
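
An added example, not part of the original answer: a small Python check that flags the krb5.conf settings the answer advises against (hard-coded kdc entries in [realms] and allow_weak_crypto), plus MIT krb5's dns_lookup_kdc option being switched off. The sample file, the EXAMPLE.COM realm and the host names are constructed, and deriving the SRV name by lower-casing the realm is an assumption that holds when the realm matches the DNS domain, as in Active Directory.

```python
import re

# Constructed sample krb5.conf showing the settings the answer advises against.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    dns_lookup_kdc = false
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        kdc = dc2.example.com:88
    }
"""

TRUE = {"y", "yes", "true", "t", "1", "on"}      # booleans as MIT krb5 parses them
FALSE = {"n", "no", "false", "nil", "0", "off"}

def audit_krb5_conf(text):
    """Return (line_number, message) findings; handles multi-line realm blocks only."""
    findings, section, realm = [], None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                                # new [section]
            section, realm = header.group(1).lower(), None
            continue
        if line.startswith("}"):                  # end of a realm block
            realm = None
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            continue
        if value.startswith("{"):                 # "REALM = {" opens a block
            realm = key
        elif section == "realms" and realm and key == "kdc":
            srv = f"_kerberos._udp.{realm.lower()}"  # assumes realm == DNS domain
            findings.append((lineno, f"hard-coded KDC {value}; publish SRV {srv} instead"))
        elif section == "libdefaults" and key == "allow_weak_crypto" and value.lower() in TRUE:
            findings.append((lineno, "allow_weak_crypto enabled; remove it unless proven necessary"))
        elif section == "libdefaults" and key == "dns_lookup_kdc" and value.lower() in FALSE:
            findings.append((lineno, "dns_lookup_kdc disabled; KDCs cannot be found via DNS SRV"))
    return findings

if __name__ == "__main__":
    for lineno, message in audit_krb5_conf(SAMPLE_KRB5_CONF):
        print(f"line {lineno}: {message}")
```
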
Is this what I'm looking for: http://www.enterprisenetworkingplanet.com/netsysm/article.php/3502441/Join-Linux-to-Active-Directory-With-Winbind.htm
– Walter – 2011-10-14T16:55:11.397

@WalterWhite: This Ubuntu doc page looks fairly good. Also, this Microsoft article... (Sigh. Why is it so that all tutorials only explain what to do, but not why? Even worse that they often suggest entirely opposite practices. Even minor ones, such as using "/lib/security" in PAM config, still bug me... which Linux distros actually do that?)
– user1686 – 2011-10-14T17:29:19.183