Les Mikesell
2013-Aug-15 17:00 UTC
[CentOS] samba: check password with AD without joining domain?
Is there a way to get samba to authenticate against an AD without having to join that domain (which needs admin credentials)? I don't want any of the automatic user creation or mapping stuff from winbind, just a password check instead of having to maintain a local password.

I can get that effect via kerberos for normal linux logins by using authconfig-tui, checking kerberos, and filling in the domain/kdc details. Local users still have to be added to the linux system, but where the user names match they can authenticate with their domain password. But, samba doesn't work that way. Even though the authconfig program modifies the smb.conf file, it doesn't seem to work without joining the domain. Is it possible to make it just authenticate via kerberos but otherwise use the local account details for the matching user?

--
Les Mikesell
lesmikesell at gmail.com

Natxo Asenjo
2013-Aug-15 21:49 UTC
[CentOS] samba: check password with AD without joining domain?
Do you require samba or do you just want linux users to authenticate to AD?

Samba when configured to work in a domain must be joined to the AD domain. By the way, unless the admins have changed the defaults, any authenticated user can join up to 10 hosts to an AD domain (search ms-DS-MachineAccountQuota on your favorite search engine).

If you want your linux hosts to login using AD credentials, I haven't tried it yet, but using sssd with msktutil should work with some trial and error:

http://theblitzbit.com/2013/04/08/make-red-hat-talk-to-windows/

instead of using the samba bits, use msktutil, works much better (rpms in repoforge). The rest should be the same.

--
Groeten,
natxo

On Thu, Aug 15, 2013 at 7:00 PM, Les Mikesell <lesmikesell at gmail.com> wrote:
> Is there a way to get samba to authenticate against an AD without
> having to join that domain (which needs admin credentials)? I don't
> want any of the automatic user creation or mapping stuff from winbind,
> just a password check instead of having to maintain a local password.
>
> I can get that effect via kerberos for normal linux logins by using
> authconfig-tui, checking kerberos, and filling in the domain/kdc
> details. Local users still have to be added to the linux system,
> but where the user names match they can authenticate with their domain
> password. But, samba doesn't work that way. Even though the
> authconfig program modifies the smb.conf file, it doesn't seem to work
> without joining the domain. Is it possible to make it just
> authenticate via kerberos but otherwise use the local account details
> for the matching user?
>
> --
> Les Mikesell
> lesmikesell at gmail.com