Les Mikesell
2013-Aug-19 22:17 UTC
[Samba] Is kerberos authentication against AD possible without joining the domain?
On CentOS (and presumably RHEL), the authconfig tool can set up
kerberos authentication via PAM so that locally added users can be
authenticated at the shell/ssh level if the password they use succeeds
for the matching user name in Active Directory - and this works
without joining the linux box to the domain. Now I'd like those
linux users to be able to map their home directories from a windows
box using that same password. Is this possible without joining the
linux host to the active directory domain? I don't care if they have
to re-enter the password instead of using their domain credentials
directly, I just don't want to have to maintain a local password on
the linux side for people who already exist in AD. And I don't want
to join the domain.
--
Les Mikesell
lesmikesell at gmail.com
Andrew Bartlett
2013-Aug-19 22:40 UTC
[Samba] Is kerberos authentication against AD possible without joining the domain?
On Mon, 2013-08-19 at 17:17 -0500, Les Mikesell wrote:
> On CentOS (and presumably RHEL), the authconfig tool can set up
> kerberos authentication via PAM so that locally added users can be
> authenticated at the shell/ssh level if the password they use succeeds
> for the matching user name in Active Directory - and this works
> without joining the linux box to the domain. Now I'd like those
> linux users to be able to map their home directories from a windows
> box using that same password. Is this possible without joining the
> linux host to the active directory domain? I don't care if they have
> to re-enter the password instead of using their domain credentials
> directly, I just don't want to have to maintain a local password on
> the linux side for people who already exist in AD. And I don't want
> to join the domain.

As you have found out, you can do this with pam_krb5, but you have no
assurance that the AD DC is indeed the AD DC, as there is no local
cryptographic material (the machine account password) with which to
verify the ticket. If 'something' issues a ticket, then the user will
be authenticated. This is not secure. That is why windows workstations
and linux workstations should both be joined to the domain.

As to using this password, one way or other, to map a directory, look
into things like pam_mount. The login will have generated a kerberos
credentials cache. This doesn't change on being part of the domain or
not.

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz
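The missing check in the reply above, shown as an added configuration example that is not part of this thread: with MIT Kerberos and the Red Hat pam_krb5 shipped on CentOS/RHEL, the login path can verify the user's TGT against a host key only when a keytab holding that key exists locally (this keytab is the "local cryptographic material" the reply refers to). The realm EXAMPLE.COM, the host name linuxbox and the keytab path are constructed assumptions; the two fragments are alternatives for the same files, not one file.

```ini
; /etc/krb5.conf, WEAK variant (constructed realm EXAMPLE.COM)
; No host key on the box: pam_krb5 accepts any TGT that decrypts with the
; user's password, so whatever answers as the KDC decides who logs in.
[libdefaults]
    default_realm = EXAMPLE.COM
    verify_ap_req_nofail = false    ; missing keytab is tolerated: no KDC check

[appdefaults]
    pam = {
        validate = false            ; do not verify the TGT against a host key
    }

; /etc/krb5.conf, CORRECTED variant (assumes a keytab for
; host/linuxbox.example.com@EXAMPLE.COM was obtained from AD and stored
; in /etc/krb5.keytab with mode 0600, owned by root)
; pam_krb5 now fetches a service ticket for the host principal and checks
; that it decrypts with the key in the keytab; a KDC without that key
; cannot produce a ticket that passes, and login fails instead.
[libdefaults]
    default_realm = EXAMPLE.COM
    verify_ap_req_nofail = true     ; refuse login if the check cannot run
    default_keytab_name = FILE:/etc/krb5.keytab

[appdefaults]
    pam = {
        validate = true             ; verify the TGT against the host key
        keytab = FILE:/etc/krb5.keytab
    }
```

With the corrected variant, `klist -k /etc/krb5.keytab` should list the host principal before any user is expected to log in; if it is empty, `verify_ap_req_nofail = true` will make every Kerberos login fail, which is the safe failure.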