[Samba] Is kerberos authentication against AD possible without joining the domain?

Les Mikesell lesmikesell at gmail.com
Tue Aug 20 08:43:28 MDT 2013

On Mon, Aug 19, 2013 at 10:29 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> OK.
>> Most (maybe not all) of the windows boxes are already logged
>> into the domain as the appropriate user, but I don't care if those
>> domain credentials are used or not.
> You need to join the domain to do this reliably.

Joining the domain isn't going to happen.  The choices are some sort
of security=server setup or copies of local passwords on a bunch of
linux servers.

> In the past we would suggest folks use 'security=server' for this
> situation, where you want to 'pass though' authentication to another
> server, but it is not only insecure (again total trust), but is now much
> less reliable with modern clients, due to NTLMv2.  We removed
> security=server in Samba 4.0.

I'm using whatever CentOS 6.x ships - currently seems to be 3.6.9.
Does that mean security=server should work with kerberos?  (It doesn't
with whatever authconfig puts in the smb.conf file...).

> You cannot accept a kerberos ticket without joining the domain, as you
> can't decrypt it, even if you wanted to just trust it, it is an opaque
> blob until decrypted.

All I want is the password check without having to maintain copies of
the password file. And I'm already accepting it for ssh access, so I
don't see what I'd lose if samba accepts it too.

   Les Mikesell
      lesmikesell at gmail.com

More information about the samba mailing list