[CentOS] samba: check password with AD without joining domain?

Fri Aug 16 03:29:14 UTC 2013
Les Mikesell <lesmikesell at gmail.com>

On Thu, Aug 15, 2013 at 8:44 PM, Stephen Harris <lists at spuddy.org> wrote:
> On Thu, Aug 15, 2013 at 06:40:54PM -0700, Devin Reade wrote:
>> Last time I checked a few years ago I don't think AD supported an LDAP anonymous bind, so you may need to bind as that user in order to validate the creds.
> AD is Kerberos for authentication. If you just want to authenticate user
> "xyzzy" to AD with password (as opposed to krb keys) then just configure
> /etc/krb5.conf to point to an AD domain controller.
> Don't need LDAP at all.
> Everything else (Samba, LDAP, etc.) gives closer integration, but isn't
> essential for pure 'AD password' authentication.

Authconfig sets that up with PAM when you pick Kerberos authentication
and it works fine for Linux user logins (console, ssh, etc.). What I
want in addition is for those users to be able to map their home
directories from a Windows box using that same login/password. I
don't really care if they have to enter it explicitly for the share or
if whatever Windows does because they are already logged into the
domain; I just don't want to manage a separate copy of each user's
password. And what authconfig puts in the smb.conf doesn't seem to
work that way. I used to be able to use security=server against an
older style Windows domain controller, but I think the AD domain has
been upgraded and no longer has that backwards compatibility mode.

  Les Mikesell
    lesmikesell at gmail.com
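
The /etc/krb5.conf setup mentioned in the quoted reply, as an added example that is not part of the original thread. The realm EXAMPLE.COM and the host dc1.example.com are placeholders, not values from the thread.

```ini
# /etc/krb5.conf (constructed example; replace the placeholder names)
# Comments must sit on their own line; krb5.conf has no trailing comments.

[libdefaults]
    # The AD realm is normally the AD DNS domain name in upper case.
    default_realm = EXAMPLE.COM
    # Use only the KDC listed under [realms], not DNS SRV/TXT discovery.
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    EXAMPLE.COM = {
        # An AD domain controller acts as the Kerberos KDC.
        kdc = dc1.example.com
    }

[domain_realm]
    # Map hosts in the DNS domain to the realm.
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# Check a password by hand (prompts for it, then lists the ticket):
#   kinit xyzzy@EXAMPLE.COM
#   klist
```

This covers only the Kerberos password check; it does not make Samba accept those passwords for shares, which is the problem described in the message. With no host keytab, the client has no key of its own against which to verify the KDC's reply, which is the trade-off of not joining the domain.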