[Samba] Is kerberos authentication against AD possible without joining the domain?

Les Mikesell lesmikesell at gmail.com
Mon Aug 19 17:22:21 MDT 2013


On Mon, Aug 19, 2013 at 5:40 PM, Andrew Bartlett <abartlet at samba.org> wrote:

>> On CentOS (and presumably RHEL), the authconfig tool can set up
>> kerberos authentication via PAM so that locally added users can be
>> authenticated at the shell/ssh level if the password they use succeeds
>> for the matching user name in Active Directory - and this works
>> without joining the linux box to the domain.   Now I'd like those
>> linux users to be able to map their home directories from a windows
>> box using that same password.   Is this possible without joining the
>> linux host to the active directory domain?  I don't care if they have
>> to re-enter the password instead of using their domain credentials
>> directly, I just don't want to have to maintain a local password on
>> the linux side for people who already exist in AD.   And I don't want
>> to join the domain.
>
> As you have found out, you can do this with pam_krb5 but you have no
> assurance that the AD DC is indeed the AD DC, as there is no local
> cryptographic material (the machine account password) with which to
> verify the ticket.  If 'something' issues a ticket, then the user will
> be authenticated.  This is not secure.

All I want is a check that the password the user gave is correct.  If
it is good enough for ssh it should be good enough for samba service.
(And it's all on a firewalled private network so not particularly
exposed).

> That is why windows workstations and linux workstations should both be
> joined to the domain.

You need admin credentials for that - and the people managing the AD
are all in a different group in a different office.

> As to, one way or other using this password to map a directory, look
> into things like pam_mount.  The login will have generated a kerberos
> credentials cache.  This doesn't change on being part of the domain or
> not.

I want to go the other direction - that is to have the samba server on
the linux box serving the user's home directories to their windows
desktop boxes using the same credentials as they'd use for shell
logins.   Most (maybe not all) of the windows boxes are already logged
into the domain as the appropriate user, but I don't care if those
domain credentials are used or not.

-- 
  Les Mikesell
    lesmikesell at gmail.com
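The weakness Andrew describes (a ticket from "something" is accepted because the unjoined host has no key of its own to check it against) in a toy model, added here as an illustration and not code from the thread or from Samba; "encryption" is stood in for by an HMAC tag, the AS/TGS exchanges are collapsed into method calls, and the principal and host names are made up:

```python
# Toy model of why pam_krb5 without a host keytab cannot tell a real KDC
# from a rogue one.  Constructed example: NOT real Kerberos.  "Sealing" a
# payload under a key is modelled as an HMAC tag that only a holder of
# the key can produce or check.
import hashlib, hmac, os

def derive_key(secret: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function.
    return hashlib.sha256(secret.encode()).digest()

def seal(key: bytes, payload: bytes) -> bytes:
    # Stand-in for encrypting `payload` under `key`.
    return hmac.new(key, payload, hashlib.sha256).digest()

class Kdc:
    def __init__(self, user_keys, host_keys):
        self.user_keys = user_keys  # principal -> key derived from password
        self.host_keys = host_keys  # host/<fqdn> -> key (what a keytab holds)

    def as_rep(self, user, session):
        # AS-REP: session key sealed under the user's long-term key.
        return seal(self.user_keys[user], session)

    def tgs_rep(self, host, session):
        # TGS-REP for host/<fqdn>, sealed under the host key.  A rogue KDC
        # never saw the real keytab, so it can only seal under garbage.
        return seal(self.host_keys.get(host, os.urandom(32)), session)

def pam_krb5_login(kdc, user, password, host=None, keytab=None):
    """True if login succeeds.  keytab=None is the unjoined-host case:
    the typed password is checked, the KDC's identity never is."""
    session = os.urandom(16)
    expected = seal(derive_key(password), session)
    if not hmac.compare_digest(kdc.as_rep(user, session), expected):
        return False                      # wrong password for this KDC
    if keytab is None:
        return True                       # no local key: cannot validate
    # Validation step: ask for a host/ ticket and check it with our keytab.
    return hmac.compare_digest(kdc.tgs_rep(host, session), seal(keytab, session))

def demo():
    host = "host/linuxbox.example.com"        # assumed host principal
    host_key = derive_key("keytab-secret")    # stand-in for keytab contents
    real = Kdc({"les": derive_key("correct-horse")}, {host: host_key})
    rogue = Kdc({"les": derive_key("attacker-chosen")}, {})  # no host key
    return {
        "real_ok": pam_krb5_login(real, "les", "correct-horse"),
        "real_wrong_pw": pam_krb5_login(real, "les", "wrong"),
        "rogue_no_validate": pam_krb5_login(rogue, "les", "attacker-chosen"),
        "rogue_validate": pam_krb5_login(rogue, "les", "attacker-chosen", host, host_key),
        "real_validate": pam_krb5_login(real, "les", "correct-horse", host, host_key),
    }
```

The `rogue_no_validate` result is the case Andrew warns about: the login passes because whoever answers as the KDC only needs to agree with the password being typed. Real deployments get the validation step from a host keytab, which is what joining the domain provisions (MIT krb5's `verify_ap_req_nofail` and sssd's `krb5_validate` turn that check on).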

