Re: [Hampshire] Happy Happy Joy Joy

> Surely it's really only LDAP + Kerberos + custom LDAP schema?
> You can authenticate directly against AD as it stands using only pam_ldap
> and
> pam_krb5 - no samba requirement at all.

AIUI, the Privilege Attribute Certificate (PAC) screws things up royally.

I'm no expert, but what I've read seems to say that AD blurs the line
between authentication and authorisation - whether this is to try to
squeeze some performance out of it or to frustrate interoperability is a
matter of debate...

Vic.