Linux Authentication by Active Directory without joining to domain

active-directorybootdomainlinuxwindows-authentication

I have a Win 2008 AD based network. I want to setup a few boxes with dual boot Win/Linux. How can I achieve to authenticate the users with existing AD in Linux?

All solutions – I have found yet – join the linux boxes to the domain. I think, this is a problem in case of dual boot and the same netbios name of the client. Are there possibilities without joining to domain?

The home dir should be on a nfs4 server (linux), so I need kerberos.

Which solutions are possible, which are most stable?

Thanks for any advice!

Sepp Hofbauer

Best Answer

You can make local accounts in Linux for the users but authenticate from kerberos. When users login to Linux they will get a kerberos ticket from AD. No need to join the domain.

Related Solutions

Samba – Joining Samba to Active Directory with local user authentication

You can do this fairly easily. You need to preform all the steps for configuring users to authenticate to linux via AD (KRB config, joining the domain), up to bot NOT including the PAM changes. Then you just set SAMBA to use winbind as the authentication source. Here is an old copy of an smb.conf I've used to achieve this same effect:

#======================= Global Settings =====================================

[global]

# Domain Authntication Settings
        workgroup = <my domain>
        server string = <Sever String>
        security = ads
        passdb backend = tdbsam
        realm = <mydomain.com>
        client use spnego = yes
        ldap ssl = no
# logging
        log level = 5
        max log size = 50
        # logs split per machine
        log file = /var/log/samba/%m.log
        # max 50KB per log file, then rotate
;       max log size = 50

# User settings
        username map =  /etc/samba/smbusers
        idmap uid = 10000-20000000
        idmap gid = 10000-20000000
        idmap backend = ad
;       template primary group = <ad group>
        template shell = /sbin/nologin

# Winbind Settings
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups  = Yes
        winbind netsted groups = Yes
        winbind nested groups = Yes
        winbind use default domain = Yes

#Other Globals
        unix charset = LOCALE
        server string = <my server name>
        load printers = no
        printing =  cups
        cups options = raw

;       printcap name = /etc/printcap
        #obtain list of printers automatically on SystemV
;       printcap name = lpstat
;       printing = cups


#============================ Share Definitions ==============================


[share]
comment = <share comment>
path = /srv/smb/share
guest ok = yes
valid users = "DOMAIN+testUser"
read only = yes

Also, if you are using Ubuntu there is a bug in the version that was in the 10.04LTS up to a few months ago that just completely broke this setup (nobody can auth) - grab a version from the SAMBA site if this is the case

Active Directory – Common Wisdom for Linux Servers Authentication

In March 2014, Red Hat published a reference architecture for integrating Red Hat Enterprise Server with Active Directory. (This material should certainly be current and relevant.) I hate to post this as an answer, but it's really just too much material to transfer into the answer field.

This document (corrected) is hot off the press seems to focus on the new features of Red Hat Enterprise Linux (RHEL) 7. It was published for the Summit last week.

Should this link go stale, please let me know and I'll update the answer accordingly.

I have personally used WinBind fairly reliably for authentication. There's very infrequent service failure that requires someone with root or other local account to go in and bounce winbindd. This could probably be dealt with via proper monitoring if you care to put the effort into it.

It is worth noting that Centrify does have additional functionality, though this can be provided by separate configuration management. (Puppet, etc.)

Edit 6/16/14:

Red Hat Enterprise Linux 7 Windows Integration Guide

Best Answer

Related Solutions

Samba – Joining Samba to Active Directory with local user authentication

Active Directory – Common Wisdom for Linux Servers Authentication

Related Topic