[Samba] Is kerberos authentication against AD possible without joining the domain?

Les Mikesell lesmikesell at gmail.com
Wed Aug 21 09:51:33 MDT 2013

On Tue, Aug 20, 2013 at 4:02 PM, Andrew Bartlett <abartlet at samba.org> wrote:

>> >> Most (maybe not all) of the windows boxes are already logged
>> >> into the domain as the appropriate user, but I don't care if those
>> >> domain credentials are used or not.
>> >
>> > You need to join the domain to do this reliably.
>> Joining the domain isn't going to happen.  The choices are some sort
>> of security=server setup or copies of local passwords on a bunch of
>> linux servers.
> You may have to resort to that, or ask to join the domain just the same
> as any laptop, desktop or member server.  Typically in AD every user in
> the domain has the right to join a small number of machines without
> needing the administrator password.
> I realize that organizational politics are more complex than that, but
> this remains my advice.

Yes, the reasons aren't strictly technical, but these machines aren't
joining the domain....   There are both the issues of the people with
appropriate credentials being elsewhere and the fact that while I
trust them to maintain accounts, there's no reason for them to be
logging into these boxes.

>> > In the past we would suggest folks use 'security=server' for this
>> > situation, where you want to 'pass through' authentication to another
>> > server, but it is not only insecure (again total trust), but is now much
>> > less reliable with modern clients, due to NTLMv2.  We removed
>> > security=server in Samba 4.0.
>> I'm using whatever CentOS 6.x ships - currently seems to be 3.6.9.
>> Does that mean security=server should work with kerberos?  (It doesn't
>> with whatever authconfig puts in the smb.conf file...).
> authconfig does not configure Samba, as far as I'm aware.

Look at the section of /usr/share/authconfig/authinfo.py commented as:
 # Write winbind settings to /etc/samba/smb.conf.
This seems to happen if kerberos is specified, but doesn't work.

>> All I want is the password check without having to maintain copies of
>> the password file. And I'm already accepting it for ssh access, so I
>> don't see what I'd lose if samba accepts it too.
> I know what you want, and I'm telling you that we dropped this feature
> for good reason.  Additionally, because Samba does not accept plain text
> passwords, we cannot simply use Kerberos in the same way pam_krb5
> does.

So it is technically impossible?   I guess I'll just tell everyone to
use winscp instead of trying to map files, then.

   Les Mikesell
     lesmikesell at gmail.com
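The thread turns on an smb.conf setting: 'security=server' passes the password check through to another host, which Samba 4.0 removed because it amounts to total trust in that host and misbehaves with NTLMv2 clients, while 'security=ads' needs a realm and a domain join to authenticate against AD with Kerberos. The script below is an added example, not code from this thread, from Samba or from authconfig: it parses the [global] section of an smb.conf and reports either problem so an administrator can find the pass-through mode before upgrading. The two sample configurations and their hostnames and realm are constructed for the example.

```python
"""Flag the pass-through authentication mode discussed in the thread.

Constructed example: reads the [global] section of an smb.conf text and
reports
  - security = server   (pass-through auth; removed in Samba 4.0, insecure)
  - security = ads with no realm (Kerberos against AD cannot work)
"""
import configparser

# Constructed sample in the style authconfig writes; host and realm are made up.
SAMPLE_LEGACY = """\
[global]
   workgroup = EXAMPLE
   security = server
   password server = dc1.example.com
   encrypt passwords = yes
"""

SAMPLE_ADS = """\
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads
   kerberos method = secrets and keytab
"""


def load_global(text):
    """Return the [global] section as a dict of lower-cased keys.

    smb.conf is ini-like: keys are case-insensitive, may contain spaces and
    are usually indented.  Leading whitespace is stripped per line so the
    indentation is not mistaken for value continuation lines.
    """
    flat = "\n".join(line.strip() for line in text.splitlines())
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.read_string(flat)
    if not parser.has_section("global"):
        return {}
    return {k.strip().lower(): v.strip() for k, v in parser.items("global")}


def check_auth_mode(text):
    """Return a list of findings for the given smb.conf text (empty if clean)."""
    g = load_global(text)
    findings = []
    mode = g.get("security", "user").lower()   # Samba's default is 'user'
    if mode == "server":
        findings.append("security=server: pass-through auth removed in "
                        "Samba 4.0; trusts the password server completely")
        if "password server" in g:
            findings.append("password server=%s: credentials are validated "
                            "by a remote host" % g["password server"])
    if mode == "ads" and "realm" not in g:
        findings.append("security=ads requires realm = <AD realm>")
    return findings


if __name__ == "__main__":
    for name, conf in (("legacy", SAMPLE_LEGACY), ("ads", SAMPLE_ADS)):
        print(name, check_auth_mode(conf) or ["ok"])
```

Run it against a real file with `check_auth_mode(open("/etc/samba/smb.conf").read())`; an empty list means neither of the two conditions was found.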
