[Samba] Is kerberos authentication against AD possible without joining the domain?

Andrew Bartlett abartlet at samba.org
Mon Aug 19 16:40:17 MDT 2013

On Mon, 2013-08-19 at 17:17 -0500, Les Mikesell wrote:
> On CentOS (and presumably RHEL), the authconfig tool can set up
> kerberos authentication via PAM so that locally added users can be
> authenticated at the shell/ssh level if the password they use succeeds
> for the matching user name in Active Directory - and this works
> without joining the linux box to the domain.   Now I'd like those
> linux users to be able to map their home directories from a windows
> box using that same password.   Is this possible without joining the
> linux host to the active directory domain?  I don't care if they have
> to re-enter the password instead of using their domain credentials
> directly, I just don't want to have to maintain a local password on
> the linux side for people who already exist in AD.   And I don't want
> to join the domain.

As you have found out, you can to this with pam_krb5 but you have no
assurance that the AD DC is indeed the AD DC, as there is no local
cryptographic material (the machine account password) with which to
verify the ticket.  If 'something' issues a ticket, then the user will
be authenticated.  This is not secure.

That is why windows workstations and linux workstations should both be
joined to the domain. 

As to, one way or other using this password to map a directory, look
into things like pam_mount.  The login will have generated a kerberos
credentials cache.  This doesn't change on being part of the domain or

I hope this helps,

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz

More information about the samba mailing list