Samba: Check Password With AD Without Joining Domain?


Is there a way to get samba to authenticate against an AD without having to join that domain (which needs admin credentials)? I don’t want any of the automatic user creation or mapping stuff from winbind, just a password check instead of having to maintain a local password.

I can get that effect via kerberos for normal linux logins by using authconfig-tui, checking kerberos, and filling in the domain/kdc details. Local users still have to be added to the linux system, but where the user names match they can authenticate with their domain password. But, samba doesn’t work that way. Even though the authconfig program modifies the smb.conf file, it doesn’t seem to work without joining the domain. Is it possible to make it just authenticate via kerberos but otherwise use the local account details for the matching user?

4 thoughts on - Samba: Check Password With AD Without Joining Domain?

  • Do you require samba or do you just want linux users to authenticate to AD?

    Samba when configured to work in a domain must be joined to the AD
    domain. By the way, unless the admins have changed the defaults, any authenticated user can join up to 10 hosts to an AD domain (search ms-DS-MachineAccountQuota on your favorite search engine).

    If you want your linux hosts to log in using AD credentials, I haven’t tried it yet, but using sssd with msktutil should work with some trial and error:

    Instead of using the samba bits, use msktutil; it works much better (RPMs in RepoForge). The rest should be the same.

  • Last time I checked a few years ago I don’t think AD supported an LDAP anonymous bind, so you may need to bind as that user in order to validate the creds.

  • AD is Kerberos for authentication. If you just want to authenticate user “xyzzy” to AD with a password (as opposed to krb keys) then just configure /etc/krb5.conf to point to an AD domain controller.

    Don’t need LDAP at all.

    Everything else (samba, ldap, etc) gives closer integration, but isn’t essential for pure ‘AD password’ authentication.
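    The “password only” check the comment describes, written out as an added example (it is not code from this thread and not part of Samba or authconfig). It assumes MIT Kerberos `kinit` is installed and that /etc/krb5.conf already names the AD realm and its KDCs; the realm `EXAMPLE.COM` is a placeholder. It requests a throw-away TGT with the supplied password and treats success as a valid password, passing the password on stdin rather than on the command line and deleting the credential cache afterwards. The caveat a practitioner needs: with no host keytab (which is exactly what a domain join would provide), the script cannot verify the returned TGT against a service key, so anyone able to answer as the KDC (for instance by controlling DNS for the host) could make an arbitrary password look valid. PAM Kerberos modules and sssd close that hole with keytab-based validation; this check does not, and should only be used where that risk is acceptable.

```python
"""Kerberos-only password check against an AD realm.

Added illustration, not code from the original thread. Assumes MIT
Kerberos `kinit` is installed and /etc/krb5.conf already names the AD
realm and its KDCs (the setup described in the comment above).
"""
import os
import re
import shutil
import subprocess
import tempfile

# Placeholder realm name; substitute the real AD realm (upper case).
AD_REALM = "EXAMPLE.COM"

# Only plain sAMAccountName-style names: no '@' or '/', so a supplied
# username cannot smuggle in a different realm or a service principal.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def principal_for(username, realm=AD_REALM):
    """Build user@REALM, rejecting names that could alter the principal."""
    if not _USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters not allowed here")
    return f"{username}@{realm}"


def check_password(username, password, realm=AD_REALM, kinit="kinit", timeout=10):
    """Return True only if the KDC issues a TGT for username/password.

    Fails closed: an invalid name, an empty password, a missing kinit
    binary, a timeout or a non-zero exit all yield False.  The password
    is written to kinit's stdin (MIT kinit reads the prompt answer from
    stdin when it is not a tty), never placed on the command line.
    """
    try:
        principal = principal_for(username, realm)
    except ValueError:
        return False
    if not password:
        return False  # reject up front instead of sending an empty line to kinit
    workdir = tempfile.mkdtemp(prefix="pwcheck-")
    ccache = os.path.join(workdir, "ccache")  # throw-away credential cache
    try:
        proc = subprocess.run(
            [kinit, "-c", ccache, principal],
            input=password + "\n",
            text=True,
            capture_output=True,
            timeout=timeout,
        )
        return proc.returncode == 0
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return False
    finally:
        shutil.rmtree(workdir, ignore_errors=True)  # never leave the TGT behind


if __name__ == "__main__":
    import getpass
    import sys

    user = sys.argv[1] if len(sys.argv) > 1 else input("Username: ")
    ok = check_password(user, getpass.getpass("AD password: "))
    print("OK" if ok else "FAILED")
    sys.exit(0 if ok else 1)
```

    Run it as `python3 pwcheck.py alice` on a host whose krb5.conf points at the AD domain controllers; a wrong password, an unreachable KDC and a malformed username all come back as a failure rather than an exception, which is the behaviour you want from anything sitting on an authentication path.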

  • Authconfig sets that up with pam when you pick kerberos authentication and it works fine for linux user logins (console, ssh, etc.). What I want in addition is for those users to be able to map their home directories from a Windows box using that same login/password. I don’t really care if they have to enter it explicitly for the share or if whatever Windows does because they are already logged into the domain, I just don’t want to manage a separate copy of each user’s password. And what authconfig puts in the smb.conf doesn’t seem to work that way. I used to be able to use security=server against an older style Windows domain controller, but I think the AD domain has been upgraded and no longer has that backwards compatibility mode.