I have proved that UNIX/AD Kerberos authentication works without the presence of a keytab file, so I'd like to know whether I should worry about it (given I'll need an individual keytab for each server I want to provide AD authentication services on).
It looks as though there is a solid requirement for usernames on the UNIX client and in the MSAD to match for Kerberos authentication to function (I think LDAP authentication too). Is this absolutely the case?
Our infrastructure owners have a habit of changing the sAMAccountName without warning - implementing UNIX/MSAD Kerberos/LDAP authentication like this becomes a bit of a nightmare in this situation.
Could we alter the user mapping module to reference a different AD attribute (that doesn't change) perhaps?