LinuxQuestions.org
Old 08-23-2004, 01:48 PM   #1
jayted
LQ Newbie
 
Registered: Aug 2004
Posts: 4

Rep: Reputation: 0
Samba&Winbindd/mit-krb5/2003ads authentication


What is the "correct" way of authenticating against an AD with krb5 on Linux? I currently have a rh9 test server with samba-3.0.5, krb5-1.3.4, and pam_krb5-1.3-rc7.

I'm wanting to have different services use PAM to authenticate against the Windows AD, so I'm frying my brain on setting up PAM to do the authentication correctly so that local users have access to some things and Windows users have access to others. For example, I started mucking with /etc/pam.d/ssh to use winbind for auth (with security=ads in smb.conf), then I realized I needed to use pam_krb5 in order to hit the Windows k5 server... I can get logged in but klist doesn't show any tickets cached. If I am authenticated against the Kerberos server I should have a ticket cached, right? To sum it up, I'm lost. I've read the docs at Samba's site, and they are great docs but they don't seem to cover integration with other services that in depth.

Any tips on this project?

Thanks!

jay
 
Old 08-24-2004, 04:03 PM   #2
hob
Senior Member
 
Registered: Mar 2004
Location: Wales, UK
Distribution: Debian, Ubuntu
Posts: 1,075

Rep: Reputation: 45
This is something I've been working on. I'm using pam_winbind.so rather than pam_krb5, which works with caveats...

I discovered that the services on Linux don't have consistent authentication behaviour. Some use PAM but a number of the big-name services don't, and handle authentication themselves. Those that do support PAM aren't guaranteed to support all of the modules.

SSH turns out to be a bad test case because it will fail unless the user has a valid home directory, so I initially added pam_mkhomedir.so to the PAM stack as well. Not all of the other services that require home directories support pam_mkhomedir.so, so I ended up abandoning the pam_mkhomedir.so approach and wrote a script that creates home directories on the Linux box for all AD users.

My (more or less final) notes are here:

http://www.se.clara.net/notes/linux-with-ad.html
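
The post above mentions replacing pam_mkhomedir.so with a script that creates home directories for all AD users. One way such a script could look, as an added example that is not hob's script or part of the thread; the function name `make_homes`, the base directory and the minimum UID are assumptions:

```shell
#!/bin/sh
# Added example (not hob's script). Reads passwd(5)-format lines on stdin and
# creates missing home directories for domain accounts under one base directory.
# Assumptions: winbind users are visible to NSS (e.g. "winbind enum users = yes"),
# domain UIDs start at MIN_UID (your idmap range), homes live under BASE.
# Typical use as root:  getent passwd | make_homes /home 10000

make_homes() {
    base=${1%/} min_uid=$2 created=0
    while IFS=: read -r name _pw uid gid _gecos home _shell; do
        # Numeric IDs only; anything else is a malformed or hostile entry.
        case $uid in ''|*[!0-9]*) continue ;; esac
        case $gid in ''|*[!0-9]*) continue ;; esac
        # Leave local and system accounts alone.
        [ "$uid" -ge "$min_uid" ] || continue
        # The home path comes from the directory: keep it inside BASE and
        # refuse "." / ".." components so root never creates dirs elsewhere.
        case $home in
            */../*|*/..|*/./*|*/.) echo "skip $name: unsafe path" >&2; continue ;;
            "$base"/?*) ;;
            *) echo "skip $name: outside $base" >&2; continue ;;
        esac
        # Existing entries (including symlinks) are never touched.
        if [ -e "$home" ] || [ -L "$home" ]; then continue; fi
        mkdir -p "$(dirname "$home")" || continue
        mkdir -m 0700 "$home" || continue
        # Ownership can only be handed over when running as root.
        if [ "$(id -u)" -eq 0 ]; then
            chown "$uid:$gid" "$home" || echo "chown failed: $home" >&2
        fi
        created=$((created + 1))
    done
    echo "$created"   # number of directories created in this run
}
```

The function is idempotent, so it can be run from cron to pick up accounts added to the domain later.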
 
  

