"Faking" an AD Join.

Dave Daugherty dave.daugherty at centrify.com
Tue Dec 18 23:29:24 GMT 2007


> On Behalf Of Christopher R. Hertel
> Sent: Tuesday, December 18, 2007 3:15 PM

> Okay, another one...

> Other than 'security=server', is there any way to perform
> authentication against an Active Directory Domain Controller if the
> admins won't allow me to join my machine to the domain?

> I'm thinking not, but I'd love to be proven wrong.

> If security=server is the only option, then I still need a mechanism
> for mapping IDs, possibly based on username alone (or the Domain/Username
> combo).  That mapping would need to be stored somewhere (OpenLDAP?) so
> that it is consistent across multiple servers.

> What insight can people provide?

> Chris -)-----

If you had a Windows XP machine, will they allow you to join that? If so,
what's the difference?

Without a real join, I think Kerberos is out.  If they give you a user
name and password so you can establish a secure channel, then you can do
NTLM pass-through authentication, and parse the response to get the
user's group list.  Samba already has a "winbind_idmap.tdb" file that
you can hijack to create your own mappings.

Seems like a lot of hacking, but I think it could be made to work.

Dave Daugherty
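Since the thread contrasts pass-through authentication (security=server) with a real domain join, the following is an added example of what each looks like in smb.conf; it is not configuration from either poster. It uses the idmap syntax of current Samba releases, and the domain name, realm, DC hostname and ID ranges are assumed placeholders. The joined form also shows how the rid idmap backend gives the consistent cross-server ID mapping the question asks about, without any shared mapping store.

```ini
; Added example for this thread, not configuration from either poster.
; Domain name, realm, DC hostname and ID ranges are assumed placeholders.

; ---- File A: smb.conf in pass-through mode (the "security = server" option) ----
; The Samba host is not a domain member. Each client logon is replayed to the
; "password server"; with no machine account there is no authenticated secure
; channel, so Samba cannot verify the host it forwards credentials to, and it
; cannot distinguish a bad password from a password server that is down.
; Every user also needs a local (or NSS-provided) account, so UID mapping is
; per host. Samba 3.x deprecated this mode and Samba 4.0 removed it.
[global]
    workgroup = CORP                    ; assumed NetBIOS domain name
    security = server
    password server = dc1.corp.example  ; assumed domain controller
    encrypt passwords = yes

; ---- File B: smb.conf as a domain member (what a real join provides) ----
; A machine account gives Samba a secure channel to the DC and, with
; "security = ads", Kerberos authentication. winbind derives IDs from the
; account RID: id = range_low + RID, so every server configured with the same
; range produces the same UID/GID for the same domain account.
[global]
    workgroup = CORP                    ; assumed NetBIOS domain name
    realm = CORP.EXAMPLE                ; assumed Kerberos realm
    security = ads
    kerberos method = secrets and keytab
    winbind use default domain = yes
    winbind enum users = no
    winbind enum groups = no
    ; host-local allocation for well-known SIDs (BUILTIN, etc.)
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    ; deterministic domain mapping, identical on every server using this range
    idmap config CORP : backend = rid
    idmap config CORP : range = 10000-999999
    template shell = /bin/bash
    template homedir = /home/%D/%U
```

The two ranges must not overlap, and the domain range must be large enough to cover the highest RID the domain will ever allocate; a RID outside the range simply fails to map, which shows up as "unknown user" rather than as an error.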


