[Samba] Is kerberos authentication against AD possible without joining the domain?

Andrew Bartlett abartlet at samba.org
Mon Aug 19 21:29:25 MDT 2013 

On Mon, 2013-08-19 at 18:22 -0500, Les Mikesell wrote:
> On Mon, Aug 19, 2013 at 5:40 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> 
> >> On CentOS (and presumably RHEL), the authconfig tool can set up
> >> kerberos authentication via PAM so that locally added users can be
> >> authenticated at the shell/ssh level if the password they use succeeds
> >> for the matching user name in Active Directory - and this works
> >> without joining the linux box to the domain.   Now I'd like those
> >> linux users to be able to map their home directories from a windows
> >> box using that same password.   Is this possible without joining the
> >> linux host to the active directory domain?  I don't care if they have
> >> to re-enter the password instead of using their domain credentials
> >> directly, I just don't want to have to maintain a local password on
> >> the linux side for people who already exist in AD.   And I don't want
> >> to join the domain.
> >
> > As you have found out, you can to this with pam_krb5 but you have no
> > assurance that the AD DC is indeed the AD DC, as there is no local
> > cryptographic material (the machine account password) with which to
> > verify the ticket.  If 'something' issues a ticket, then the user will
> > be authenticated.  This is not secure.
> 
> All I want is a check that the password  the user gave is correct.  If
> it is good enough for ssh  it should be good enough for samba service.
>  (And it's all on a firewalled private network so not particularly
> exposed).
> 
> > That is why windows workstations and linux workstations should both be
> > joined to the domain.
> 
> You need admin credentials for that - and the people managing the AD
> are all in a different group in a different office.
> 
> > As to, one way or other using this password to map a directory, look
> > into things like pam_mount.  The login will have generated a kerberos
> > credentials cache.  This doesn't change on being part of the domain or
> > not.
> 
> I want to go the other direction - that is to have the samba server on
> the linux box serving the user's home directories to their windows
> desktop boxes using the same credentials as they'd use for shell
> logins.   

OK.

> Most (maybe not all) of the windows boxes are already logged
> into the domain as the appropriate user, but I don't care if those
> domain credentials are used or not.

You need to join the domain to do this reliably. 

In the past we would suggest folks use 'security=server' for this
situation, where you want to 'pass though' authentication to another
server, but it is not only insecure (again total trust), but is now much
less reliable with modern clients, due to NTLMv2.  We removed
security=server in Samba 4.0.

You cannot accept a kerberos ticket without joining the domain, as you
can't decrypt it, even if you wanted to just trust it, it is an opaque
blob until decrypted. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz

More information about the samba mailing list