1. The Windows domain controller providing both LDAP and KDC (Key Distribution Center) services is located.

2. A machine account for the joining client is created in the directory service.

3. An initial ticket granting ticket (TGT) is obtained for the client and stored in its local Kerberos credential cache. The client needs this TGT to get further tickets allowing it to contact other services, like contacting the directory server for LDAP queries.

4. NSS and PAM configurations are adjusted to enable the client to authenticate against the domain controller.

During client boot, the winbind daemon is started and retrieves the initial Kerberos ticket for the machine account. winbindd automatically refreshes the machine's ticket to keep it valid. To keep track of the current account policies, winbindd periodically queries the domain controller.

5.2.2 Domain Login and User Homes

The login managers of GNOME and KDE (GDM and KDM) have been extended to allow the handling of AD domain login. Users can choose to log in to the primary domain the machine has joined or to one of the trusted domains with which the domain controller of the primary domain has established a trust relationship.

User authentication is mediated by a number of PAM modules as described in Section 5.2, "Background Information for Linux AD Support" (page 68). The pam_winbind module used to authenticate clients against Active Directory or NT4 domains is fully aware of Windows error conditions that might prohibit a user's login. The Windows error codes are translated into appropriate user-readable error messages that PAM gives at login through any of the supported methods (GDM, KDM, console, and SSH):

Password has expired
    The user sees a message stating that the password has expired and needs to be changed. The system prompts directly for a new password and informs the user if the new password does not comply with corporate password policies, for example, the password is too short, too simple, or already in the history. If a user's password change fails, the reason is shown and a new password prompt is given.

Active Directory Support 71
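The configuration that step 4 adjusts, together with the PAM stanza through which pam_winbind delivers the error messages and password-change prompt described above, as an added example that is not part of the original guide. The realm EXAMPLE.COM, the workgroup EXAMPLE, the home directory layout and the file paths are assumed placeholders; adapt them to the domain the client has joined.

```ini
# /etc/samba/smb.conf (excerpt) - assumed values; realm and workgroup are
# placeholders for the domain the client joined
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    # where domain users get their home directory and shell (assumed layout)
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind use default domain = yes
    # let winbindd keep Kerberos tickets obtained at login valid
    winbind refresh tickets = yes
    # allow login with cached credentials when the domain controller is unreachable
    winbind offline logon = yes

# /etc/nsswitch.conf (excerpt) - resolve domain users and groups through winbindd
passwd: compat winbind
group:  compat winbind

# PAM stack (common-auth, common-account, common-password, common-session):
# pam_winbind is consulted before the local modules
auth     sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login warn_pwd_expire=14
auth     required   pam_unix.so try_first_pass
account  sufficient pam_winbind.so
account  required   pam_unix.so
# expired password: pam_winbind prompts for a new one and reports policy violations
password sufficient pam_winbind.so
password required   pam_unix.so
# create the home directory on first domain login
session  required   pam_mkhomedir.so skel=/etc/skel umask=0077
session  required   pam_winbind.so
session  required   pam_unix.so
```

The `krb5_auth` option makes pam_winbind obtain the user's TGT at login and store it in a file credential cache, which is what winbindd then keeps refreshed; `cached_login` pairs with `winbind offline logon` so that a user who has logged in once can still do so without a reachable domain controller. After applying the configuration, `getent passwd <domainuser>` confirms the NSS side, `klist` shows the ticket after a domain login, and `wbinfo -t` checks that the machine account's trust with the domain controller is working.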