"Faking" an AD Join.
Dave Daugherty
dave.daugherty at centrify.com
Tue Dec 18 23:29:24 GMT 2007
> On Behalf Of Christopher R. Hertel
> Sent: Tuesday, December 18, 2007 3:15 PM
> Okay, another one...
> Other than 'security=server', is there any way to perform
authentication
> against an Active Directory Domain Controller if the admins won't
allow me
> to join my machine to the domain?
> I'm thinking not, but I'd love to be proven wrong.
> If security=server is the only option, then I still need a mechanism
for
> mapping IDs, possibly based on username alone (or the Domain/Username
> combo). That mapping would need to be stored somewhere (OpenLDAP?) so
> that it is consistent across multiple servers.
> What insight can people provide?
> Chris -)-----
If you had a windows XP machine will they allow you to join that? If so,
what's the difference?
Without a real join, I think Kerberos is out. If they give you a user
name and password so you can establish a secure channel, then you can do
NTLM pass-through authentication, and parse the response to get the
user's group list. Samba already has a "winbind_idmap.tdb" file that
you can high-jack to create your own mappings.
Seems like a lot of hacking, but I think it could be made to work.
Dave Daugherty
More information about the samba-technical
mailing list