From: [EMAIL PROTECTED]

> That's not an easy scenario.
>
> Perhaps the simplest solution would work for you.

[snip login shell]
[snip read file from UNC]
[snip cartwheels and demonic contortions]

'A' for creativity, 'F' for "solution != simplest".

If the users are logging into Windows workstations, they'll pull a Kerberos ticket from the KDC upon login. You can *in theory* use a Kerberized version of PuTTY (GSSAPI support), or any other Win32 SSH client that supports krb5/gssapi to facilitate your authpf against the OpenBSD box that hopefully should be able to participate in your ADS Kerberos realm.

That said, lots of shoulds and I haven't done it, but if it works it's far simpler and more maintainable...

DS