samba: check password with AD without joining domain?

Thu Aug 15 17:00:12 UTC 2013
Les Mikesell <lesmikesell at gmail.com>

Is there a way to get Samba to authenticate against an AD without
having to join that domain (which needs admin credentials)? I don't
want any of the automatic user creation or mapping stuff from winbind,
just a password check instead of having to maintain a local password.

I can get that effect via Kerberos for normal Linux logins by using
authconfig-tui, checking Kerberos, and filling in the domain/KDC
details. Local users still have to be added to the Linux system,
but where the user names match they can authenticate with their domain
password. But Samba doesn't work that way. Even though the
authconfig program modifies the smb.conf file, it doesn't seem to work
without joining the domain. Is it possible to make it just
authenticate via Kerberos but otherwise use the local account details
for the matching user?

