[Samba] Is kerberos authentication against AD possible without joining the domain?

Les Mikesell lesmikesell at gmail.com
Tue Aug 20 08:43:28 MDT 2013


On Mon, Aug 19, 2013 at 10:29 PM, Andrew Bartlett <abartlet at samba.org> wrote:
>
> OK.
>
>> Most (maybe not all) of the windows boxes are already logged
>> into the domain as the appropriate user, but I don't care if those
>> domain credentials are used or not.
>
> You need to join the domain to do this reliably.

Joining the domain isn't going to happen.  The choices are some sort
of security=server setup or copies of local passwords on a bunch of
linux servers.

> In the past we would suggest folks use 'security=server' for this
> situation, where you want to 'pass through' authentication to another
> server, but it is not only insecure (again total trust), but is now much
> less reliable with modern clients, due to NTLMv2.  We removed
> security=server in Samba 4.0.

I'm using whatever CentOS 6.x ships - currently seems to be 3.6.9.
Does that mean security=server should work with kerberos?  (It doesn't
with whatever authconfig puts in the smb.conf file...).

> You cannot accept a kerberos ticket without joining the domain, as you
> can't decrypt it, even if you wanted to just trust it, it is an opaque
> blob until decrypted.

All I want is the password check without having to maintain copies of
the password file. And I'm already accepting it for ssh access, so I
don't see what I'd lose if samba accepts it too.

-- 
   Les Mikesell
      lesmikesell at gmail.com
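For readers following this thread, here is the contrast between the two configurations being discussed: a 'security=server' pass-through setup of the kind Andrew describes as insecure and removed in Samba 4.0, next to the domain-joined 'security=ads' setup that lets Samba hold the service key needed to decrypt Kerberos tickets. This is an added illustration written for this page, not a configuration posted by either participant; the realm, workgroup and host names are placeholders, and the exact option set will vary with the Samba release in use (the thread mentions 3.6.9 on CentOS 6).

```ini
# --- Weak setting: pass-through authentication (removed in Samba 4.0) ---
# Every client password is forwarded to the named DC and the reply is trusted
# wholesale ("total trust"), and NTLMv2-only clients break it.  Kerberos
# tickets cannot be validated here at all: this host never obtains the
# service key they are encrypted under, so a ticket stays an opaque blob.
[global]
    workgroup = EXAMPLE            ; placeholder NetBIOS domain name
    security = server
    password server = dc1.example.com   ; placeholder DC host name

# --- Corrected setting: join the domain and use Kerberos directly ---
# After "net ads join -U Administrator" (run once, as root) the machine
# account and its keys are stored locally, so Samba can decrypt and verify
# AP-REQ tickets presented by already-logged-in Windows users, and NTLMv2
# is validated by the DC over the secure channel rather than by trusting a
# forwarded logon.  "net ads testjoin" confirms the join afterwards.
[global]
    workgroup = EXAMPLE            ; placeholder
    realm = EXAMPLE.COM            ; placeholder Kerberos realm (uppercase)
    security = ads
    ; let Samba find DCs via DNS instead of pinning one host:
    password server = *
    ; map domain SIDs to local uids/gids; the range is an assumption:
    idmap config * : backend = tdb
    idmap config * : range = 10000-99999
```

The key point for the question asked in the thread is the difference in what the server possesses: with 'security=ads' the join deposits the host's Kerberos key on the machine, which is the only way Samba can decrypt a ticket, whereas a 'security=server' host never holds that key and can only relay passwords. The 'idmap' lines are one common choice rather than a requirement of the join itself, and a working /etc/krb5.conf pointing at the same realm is assumed.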

