[CentOS] samba: check password with AD without joining domain?

[Natxo Asenjo]

Do you require samba or do you just want linux users to authenticate to AD?

Samba when configured to work in a domain must be joined to the AD
domain. By the way, unless the admins have changed the defaults, any
authenticated user can join up to 10 hosts to an AD domain (search
ms-DS-MachineAccountQuota on your favorite search engine).

If you want your linux hosts to login using AD credentials, I haven't
tried it yet, but using sssd with msktutil should work with some trial
and error:

http://theblitzbit.com/2013/04/08/make-red-hat-talk-to-windows/

instead of using the samba bits, use msktutil, works much better (rpms
in repoforge). The rest should be the same.
--
Groeten,
natxo


On Thu, Aug 15, 2013 at 7:00 PM, Les Mikesell <lesmikesell at gmail.com> wrote:
> Is there a way to get samba to authenticate against an AD without
> having to join that domain (which needs admin credentials)?    I don't
> want any of the automatic user creation or mapping stuff from winbind,
> just a password check instead of having to maintain a local password.
>
> I can get that effect via kerberos for normal linux logins by using
> authconfig-tui, checking kerberos, and filling in the domain/kdc
> details.    Local users still have to be added to the linux system,
> but where the user names match they can authenticate with their domain
> password.   But, samba doesn't work that way.  Even though the
> authconfig program modifies the smb.conf file, it doesn't seem to work
> without joining the domain.  Is it possible to make it just
> authenticate via kerberos but otherwise use the local account details
> for the matching user?
>
> --
>    Les Mikesell
>      lesmikesell at gmail.com
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos