[Samba] Is kerberos authentication against AD possible without joining the domain?

Andrew Bartlett abartlet at samba.org
Tue Aug 20 15:02:25 MDT 2013


On Tue, 2013-08-20 at 09:43 -0500, Les Mikesell wrote:
> On Mon, Aug 19, 2013 at 10:29 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> >
> > OK.
> >
> >> Most (maybe not all) of the windows boxes are already logged
> >> into the domain as the appropriate user, but I don't care if those
> >> domain credentials are used or not.
> >
> > You need to join the domain to do this reliably.
> 
> Joining the domain isn't going to happen.  The choices are some sort
> of security=server setup or copies of local passwords on a bunch of
> linux servers.

You may have to resort to that, or ask to join the domain just the same
as any laptop, desktop or member server.  Typically in AD every user in
the domain has the right to join a small number of machines without
needing the administrator password. 

I realize that organizational politics are more complex than that, but
this remains my advice.

> > In the past we would suggest folks use 'security=server' for this
> > situation, where you want to 'pass through' authentication to another
> > server, but it is not only insecure (again total trust), but is now much
> > less reliable with modern clients, due to NTLMv2.  We removed
> > security=server in Samba 4.0.
> 
> I'm using whatever CentOS 6.x ships - currently seems to be 3.6.9.
> Does that mean security=server should work with kerberos?  (It doesn't
> with whatever authconfig puts in the smb.conf file...).

authconfig does not configure Samba, as far as I'm aware.
security=server is still a supported feature in that release, but it is
known that it does not work with many modern clients.

> > You cannot accept a kerberos ticket without joining the domain, as you
> > can't decrypt it, even if you wanted to just trust it, it is an opaque
> > blob until decrypted.
> 
> All I want is the password check without having to maintain copies of
> the password file. And I'm already accepting it for ssh access, so I
> don't see what I'd lose if samba accepts it too.

I know what you want, and I'm telling you that we dropped this feature
for good reason.  Additionally, because Samba does not accept plain text
passwords, we cannot simply use Kerberos in the same way pam_krb5
does.  

Use of security=server is at your own risk, both in terms of security
and in terms of configuring clients not to send NTLMv2 to the Samba
server.

I hope this clarifies things. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz
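An added illustration, not part of this thread or of any Samba documentation, of the two configurations discussed above: the pass-through setup the reply warns against, beside the member-server setup it recommends. The hostname, realm and workgroup are made-up placeholders.

```ini
# --- Weak: pass-through authentication (security=server) ---
# Samba forwards each logon to the "password server" and trusts whatever
# it answers. The trust is total, and clients that send NTLMv2 (the
# default on modern Windows) frequently fail against it. The parameter
# was removed in Samba 4.0.
[global]
    workgroup = EXAMPLE                 ; placeholder
    security = server
    password server = dc1.example.com   ; placeholder DC

# --- Recommended: join the domain as a member server (security=ads) ---
# Samba then holds its own machine account and keytab, so it can decrypt
# Kerberos service tickets itself and validate NTLMv2 via the DC.
[global]
    workgroup = EXAMPLE                 ; placeholder
    realm = EXAMPLE.COM                 ; placeholder Kerberos realm
    security = ads
    kerberos method = secrets and keytab
    winbind use default domain = yes
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
```

After writing the second configuration, the join is performed with `net ads join -U <user>` (any domain user with machine-join rights, as the reply notes, not necessarily an administrator) and checked with `net ads testjoin`.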