Better support for kerberos SSO in MS AD environments

Latest response

Configuring MS AD integration using authconfig should also configure kerberos SSO for SSH and Apache


It should be clear what the preferred method and options are for joining MS AD using winbind or SSSD, especially any differences between Win2K, Win2k3, Win2k8R2.


There should be canned config statements for running a Win2k8R2 compatable Samba server such that one doesn't need to spend days poring through documentation and mailing lists to try and figure out what are the correct options to enable all available features such as ACLs and encrypted/authenticated SMB packets.


Rather than having each admin try to re-learn how to set this up from zero, include recommended canned configs for common use cases.


We're living in multi-color world, and our IT shop is mixed environment. It's really a pain, when setting up some thing that must support all. So, the more documents/best practices/howto/etc./, the better.

The Kerberos configuration for RHEL seems to be fairly well canned to work right out of the box.


Both Samba, and Apache have much greater complexity and varying configs for environments.  The biggest pain point for our own organization is incompatibilities of Samba with functional domain upgrades (say from 2003 to 2008).


There are folks out there addressing the problems of canned configs with a known working baseline configuration, which are also easily extended through the use of environment specific data structures.  The new breed of configuration management systems such as Puppet ( and Chef ( are both solutions to this problem, with a low barrier to entry.


Managing your systems in a data-driven way with configuration management will save you time and effort, in the long run.  Also, those systems become self-documenting infrastructure to be passed on to new system admins, down the road.  The active communities in that space are very good about sharing experiences and best practices with one another.