top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

samba to authenticate against an AD without having to join that domain

+1 vote
589 views

Is there a way to get samba to authenticate against an AD without having to join that domain (which needs admin credentials)? I don't want any of the automatic user creation or mapping stuff from winbind, just a password check instead of having to maintain a local password.

I can get that effect via kerberos for normal linux logins by using authconfig-tui, checking kerberos, and filling in the domain/kdc details. Local users still have to be added to the linux system, but where the user names match they can authenticate with their domain password. But, samba doesn't work that way. Even though the authconfig program modifies the smb.conf file, it doesn't seem to work without joining the domain. Is it possible to make it just authenticate via kerberos but otherwise use the local account details
for the matching user?

posted Aug 15, 2013 by Abhay Kulkarni

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

2 Answers

+1 vote

Do you require samba or do you just want linux users to authenticate to AD?

Samba when configured to work in a domain must be joined to the AD domain. By the way, unless the admins have changed the defaults, any authenticated user can join up to 10 hosts to an AD domain (search ms-DS-MachineAccountQuota on your favorite search engine).

If you want your linux hosts to login using AD credentials, I haven't tried it yet, but using sssd with msktutil should work with some trial and error:

http://theblitzbit.com/2013/04/08/make-red-hat-talk-to-windows/

instead of using the samba bits, use msktutil, works much better (rpms in repoforge). The rest should be the same.

answer Aug 15, 2013 by Sonu Jindal
0 votes

Last time I checked a few years ago I don't think AD supported an LDAP anonymous bind, so you may need to bind as that user in order to validate the creds.

answer Aug 16, 2013 by Satish Mishra
Similar Questions
0 votes

I am writing a command line tool in python to generate one time passwords/tokens. The command line tool will have certain sub-commands like --generate-token and --list-all-tokens for example. I want to restrict access to certain sub-commands. In this case, when user tries to generate a new token, I want him/her to authenticate against AD server first.

I have looked at python-ldap and I am even able to bind to the AD server. In my application I have a function

 def authenticate_user(username, password): pass

which gets username and plain-text password. How do I use the LDAPObject instance to validate these credentials?

+2 votes

we are connecting to oracle using korn shell scripts, which use sqlplus to connect to oracle. the oracle database is on the same Solaris box. Currently, we are storing oracle user id and passowrd (plain text) in a file in the .ssh folder of the connecting user, with 400 permission bits.

The DBAs are objecting to this way of working, citing the fact that we are using plain text password for authentication. When we offered that we'd encode the password using base64, they still didnt like the idea, citing that we'd still decrypt the password in the shell script and transmit the password over network.

Now, I want to understand this-

I have been reading that oracle encrypts/hashes the password string, before transmitting it. I cant find the reference right now though, however, I still want to confirm my understanding. Is it really like this ? we are on 11g r2, would that make a difference ?

would i be able to login to sqlplus without decrypting the password hash ? e.g. DBAs set a password, pass on the hash to me. I put that in a file, and supply to sqlplus as a parameter. Is there some way by which this kind of authentication work ? I know some tools do allow that, if you encode using their tool, they are able to decrypt the value and use it for authentication. does oracle ??

Help me fellas..

+2 votes

I'd like to change from Samba 3.0.33 to 3.6.6. Reason: WINDOWS 7 and PDC

Is something to consider when changing (config-Files or so on)? Have I to uninstall Samba 3.0.33 before or just run an update?

...