Authenticating users against AD *without* joining the domain?

Ben Scott dragonhawk at gmail.com
Wed Feb 13 12:11:43 EST 2013


On Wed, Feb 13, 2013 at 9:28 AM, Ken D'Ambrosio <ken at jots.org> wrote:
> *sigh*  Yeah, I realized (much) later that I wasn't descriptive enough.
> That's *exactly* what I'm looking to do -- basically, I see it like
> this: if they can bind to the AD server with the credentials (via LDAP,
> which is woo feasible), then I want to let them in.  And, yes, all via
> ssh.

  Okay, there are two ways to approach this.

  One is to have Linux speak LDAP to Windows, and do the auth via
LDAP.  It should basically be a pure LDAP scenario, with no knowledge
of Windows-ese stuff involved.  I don't know much about LDAP auth, but
we do have people here who do.

  The other way is to have Linux speak Windows-ese to Windows, and do
the auth via Windows-ese.  This I know (far too much) about.

  There are two ways to have Samba do Windows-ese authentication.  One
is to have Samba join the domain.  The other is to have Samba do
pass-along server authentication against a Domain Controller server.

  Joining the domain is the preferred method.  Is the situation truly
hopeless?  If you have a valid set of domain credentials, by default
that will have permission to join up to 10 members to the domain, so
we could try that and you could plead ignorance later.  OTOH, that may
be politically bad (i.e., a Career Limiting Move).  On the third hand,
can you have a dialog with the Windows admin team?  If they're letting
a Linux box on your network in the first place, one hopes they'd want
it to be subject to corporate security and all that.  (Or are you
firewalled?)

  The other method is to configure Samba with "security = server".
This basically passes credentials (username/password/hash) unprocessed
to a named Windows server, and gets the auth that way.  The problem
here is that AFAIK this excludes winbind, which is the mechanism
Samba uses to provide a NSS/PAM compatible interface to the host OS.

  I guess this prolly doesn't help you much.  Sorry.

-- Ben
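For the first approach Ben sketches (Linux speaking plain LDAP to the DC, letting the user in if a bind with their credentials succeeds), here is an added illustration of what that bind actually is on the wire and of the one check that is easy to get wrong. This is example code written for this page, not from the original post or from Samba; it hand-encodes an LDAPv3 simple BindRequest in BER (RFC 4511) so it runs with nothing but the Python standard library. The hostname `dc.example.invalid`, port 636 (LDAPS) and the bind name are assumptions; AD accepts a DN, `user@domain.example` or `DOMAIN\user` as the simple-bind name. The security point is the empty-password guard: RFC 4513 allows a bind with a name and an empty password to be treated as an *unauthenticated* bind that returns `success`, so "the bind came back 0, therefore the password is right" accepts any username unless you refuse empty passwords before sending anything. The `bind_response` encoder exists only to construct offline sample responses; a real DC would supply them.

```python
"""LDAPv3 simple bind over LDAPS, hand-encoded in BER (RFC 4511 / RFC 4513).

Added example for the "Linux speaks LDAP to the DC" approach; not code from
the original post. Host, port and bind-name format are assumptions.
"""
import socket
import ssl

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int, tag: int = 0x02) -> bytes:
    """Minimal two's-complement INTEGER (tag 0x02) or ENUMERATED (tag 0x0a)."""
    length = max(1, (n.bit_length() + 8) // 8)
    return ber_tlv(tag, n.to_bytes(length, "big", signed=True))


def ber_read(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def bind_request(message_id: int, bind_name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    simple_auth = ber_tlv(0x80, password.encode("utf-8"))  # [0] simple: the cleartext password
    op = ber_tlv(0x60, ber_int(3) + ber_tlv(0x04, bind_name.encode("utf-8")) + simple_auth)
    return ber_tlv(0x30, ber_int(message_id) + op)


def bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """BindResponse [APPLICATION 1] encoder; used here only to construct sample input."""
    op = ber_tlv(0x61, ber_int(result_code, 0x0A) + ber_tlv(0x04, b"")
                 + ber_tlv(0x04, diagnostic.encode("utf-8")))
    return ber_tlv(0x30, ber_int(message_id) + op)


def parse_bind_response(msg: bytes):
    """Return (message_id, result_code, diagnostic); raise ValueError on anything else."""
    tag, body, _ = ber_read(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = ber_read(body)
    tag, op, _ = ber_read(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, rc, pos = ber_read(op)          # resultCode ENUMERATED
    _, _matched_dn, pos = ber_read(op, pos)
    _, diag, _ = ber_read(op, pos)
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(rc, "big"),
            diag.decode("utf-8", "replace"))


def credentials_valid(message_id: int, password: str, response: bytes) -> bool:
    """Decide from the DC's reply whether the login should be accepted."""
    if not password:  # an empty password can yield an *unauthenticated* bind that still says success
        return False
    try:
        mid, rc, _ = parse_bind_response(response)
    except (ValueError, IndexError):
        return False
    return mid == message_id and rc == LDAP_SUCCESS


def recv_message(sock) -> bytes:
    """Read exactly one BER TLV (one LDAPMessage) from the socket."""
    def recv_exact(n: int) -> bytes:
        buf = bytearray()
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("DC closed the connection")
            buf += chunk
        return bytes(buf)
    head = recv_exact(2)
    length = head[1]
    if length & 0x80:
        extra = recv_exact(length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + recv_exact(length)


def authenticate(host: str, bind_name: str, password: str, port: int = 636, timeout: float = 5.0) -> bool:
    """Bind over LDAPS with certificate and hostname verification; True only on a real success."""
    if not password:  # never put an empty password on the wire
        return False
    ctx = ssl.create_default_context()  # verifies the DC's certificate chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, bind_name, password))
            response = recv_message(tls)
    return credentials_valid(1, password, response)
```

Two design notes. The bind is a simple bind, so the password crosses the network in the clear inside the BindRequest; that is why `authenticate` refuses anything but a verified TLS connection rather than offering port 389 as a fallback. And in production this logic belongs in the PAM/NSS stack (pam_ldap or sssd with an LDAP provider pointed at the DC) rather than in a script; the value of seeing it spelled out is knowing which two conditions that stack must enforce: TLS to a verified DC, and no bind attempt at all for an empty password.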
