Winbind with Kerberos Woes
I hope this is the right forum for this issue, but please move it if not.
I've been given the task of integrating some Red Hat Enterprise Linux 6 Update 3 servers with our MS Active Directory, which I also administer.
I'm pleased to say I've succeeded in getting logons (local and ssh) working with winbind/samba, using the rid backend for id mapping, and it's all working well.
My question though is about the authentication mechanisms in use. All of the guides, for example Red Hat's own one (Google: red hat linux active directory), talk about Kerberos, and have you configuring krb5.conf and testing it with kinit/klist etc.
This is fine, but when it comes to the process of logging on to the machine with an AD account, Kerberos isn't used at all it appears. NTLM (the horror) is what's doing the authentication.
I came up against this fact because in our domain we restrict the use of NTLMv1 because it's scary from a security standpoint. Logins via Winbind/Samba failed because they were trying to use NTLMv1. I configured winbind to use NTLMv2 using 'client ntlmv2 auth = yes' in smb.conf, and bingo, it worked!
In fact, I found that I could completely disable and uninstall Kerberos from the machine, and the AD logon still worked, through NTLM of course.
So I now have two questions:
1) Why do all the guides talk about kerberos, when you don't need it, nor is it even used by default, for winbind based authentication? I'm sure there is a reason, the authors are not stupid, so I'd like to know what that reason is.
2) More importantly, is there any way to force Kerberos authentication and get rid of the dependency on NTLM, which even MS themselves are starting to discourage now? I looked at my pam.d directory and experimented a little with pam_krb5 directives but I couldn't get it working. I'd appreciate a pointer in the right direction from someone who knows the full story really.
Looking forward to any responses...
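Added example, not part of the original post: a small POSIX sh audit that reads smb.conf-style files and reports whether the two settings relevant to this thread are in force. It checks `client ntlmv2 auth` in smb.conf's `[global]` section (the setting the post enabled to stop winbind offering NTLMv1; on Samba 3.x, which RHEL 6 ships, the default is `no`) and `krb5_auth` in pam_winbind.conf, the documented pam_winbind option (pam_winbind.conf(5)) that makes winbind PAM logons try Kerberos before NTLM. The config fragments written by `demo_audit` are constructed for the demo; the workgroup name and file paths are assumptions.

```shell
#!/bin/sh
# Added audit script (not from the original post): checks whether a winbind
# host forces NTLMv2 ('client ntlmv2 auth' in smb.conf) and whether pam_winbind
# is set to authenticate with Kerberos ('krb5_auth' in pam_winbind.conf).
# All sample config fragments below are constructed for the demo.

# smb_param FILE SECTION KEY
# Print the (lower-cased) value of KEY in [SECTION]; exit 1 if it is unset.
# Samba parameter names are case-insensitive and ignore embedded whitespace,
# so both sides are normalised before comparing; the last assignment wins,
# as it does in Samba.
smb_param() {
    awk -v sec_want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        -v key_want="$(printf '%s' "$3" | tr -d ' \t' | tr 'A-Z' 'a-z')" '
        /^[ \t]*[;#]/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                               # section header
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            sec = tolower(sec); next
        }
        sec == sec_want && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            gsub(/[ \t]/, "", key)
            if (tolower(key) == key_want) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                last = tolower(val); found = 1
            }
        }
        END { if (!found) exit 1; print last }
    ' "$1"
}

# Samba boolean: yes/true/1 are true; anything else (including unset) is false.
is_true() {
    case "$1" in yes|true|1) return 0 ;; *) return 1 ;; esac
}

# ntlmv2_forced SMB_CONF: exit 0 when 'client ntlmv2 auth = yes' is in [global].
# On Samba 3.x the default is no, so an absent line means winbind may still
# fall back to NTLMv1 when authenticating against the domain controller.
ntlmv2_forced() {
    is_true "$(smb_param "$1" global 'client ntlmv2 auth')"
}

# pam_winbind_krb5 PAM_WINBIND_CONF: exit 0 when pam_winbind is told to use
# Kerberos ('krb5_auth = yes' in its [global] section).
pam_winbind_krb5() {
    is_true "$(smb_param "$1" global krb5_auth)"
}

# demo_audit: write constructed weak and hardened fragments and audit them.
# Exits 0 only if every verdict comes out as expected; prints what went wrong otherwise.
demo_audit() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/smb.conf.weak" <<'EOF'
[global]
   workgroup = EXAMPLE
   idmap config * : backend = rid
   ; no 'client ntlmv2 auth' line: on Samba 3.x this leaves NTLMv1 enabled
EOF
    cat > "$dir/smb.conf.hardened" <<'EOF'
[global]
   workgroup = EXAMPLE
   idmap config * : backend = rid
   Client NTLMv2 Auth = Yes
EOF
    cat > "$dir/pam_winbind.conf" <<'EOF'
[global]
   krb5_auth = yes
   krb5_ccache_type = FILE
EOF
    rc=0
    if ntlmv2_forced "$dir/smb.conf.weak"; then echo "weak smb.conf misjudged"; rc=1; fi
    ntlmv2_forced "$dir/smb.conf.hardened" || { echo "hardened smb.conf misjudged"; rc=1; }
    pam_winbind_krb5 "$dir/pam_winbind.conf" || { echo "pam_winbind.conf misjudged"; rc=1; }
    rm -rf "$dir"
    return $rc
}
```

On a live host, `ntlmv2_forced /etc/samba/smb.conf` only sees what is written in the file; `testparm -sv | grep -i 'client ntlmv2 auth'` prints the effective value including the compiled-in default, which is what actually matters on a Samba 3.x box where the line is absent. Note that `krb5_auth` is a pam_winbind setting, not an smb.conf one, so it has to be checked in `/etc/security/pam_winbind.conf` as above.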