On Thu, Feb 18, 2010 at 8:28 PM, Edward Ned Harvey <blu-Z8efaSeK1ezqlBn2x/YWAg at public.gmane.org> wrote:
>> I've been trying to follow samba, centos, ldap, and other
>> documentation to try and get a CentOS 5 box to permit a user to log
>> into an existing Windows 200x Active Directory domain without
>> necessarily having the box as part of the domain. If it has to be
>> part of the domain, that is fine. The user shall have no local
>> account on the box - I want their active directory account to
>> automatically produce their account on the CentOS 5 box, likely with a
>> shell of bash.
>
> I am confused by a couple of things: If I understand you correctly, you
> want the user account to be created locally on the machine, without the
> machine joining AD, but the user account is authenticated by AD credentials.
> The only place I've ever seen anything similar to that was in Apple OD. A
> "Mobility User" logs in, is authenticated against the OD, but it is in fact
> created as a local user on the machine.

I did not mean to confuse. My goal is to NOT have to create a local account on the Linux box - to instead allow a user to log into the Linux box as though it was a Windows box that is part of the domain - their login credentials authenticate against a genuine Windows Active Directory controller, see the user exists, and they are able to log in. Samba does have an option to give the user a shell if login is successful.

Now, I don't care if the Linux box has actually joined the domain - I only want the ability of the user to successfully be able to authenticate against it and log in. Maybe the box will need to be a member - something I'll learn along the way.

Thanks.
Scott

> I think as long as your requirements are inflexible, ... good luck, it may
> be difficult or impossible. But there are a lot of possibilities as long as
> you're willing to give up at least *one* of your requirements. The
> preferable choice would be if you have the ability to join the domain. Then
> there are tons of options, able to auto-create local accounts upon login,
> and so on. ... I'll try to say more if you express any interest.
>
> Oh, one more thing.
>
> I was very surprised to learn this a year or two ago. You don't need to be
> a domain administrator to join a machine onto the domain. I was very
> surprised when one of my unprivileged users joined his laptop to my domain,
> and I was unable to repeat that using my own unprivileged account. I
> investigated this *extremely* thoroughly, because I thought it represented
> some sort of security breach (like he somehow got the admin pass) but that
> was not the case. In the end, it was proven, without anybody getting in
> trouble, that unprivileged users can sometimes join computers to domains.
> There are some restrictions, but all the websites had conflicting
> information about what the restrictions are, so I am somewhat unclear in
> that area.
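An added example, not from the thread, of the winbind route Scott is circling: the CentOS 5 box joins the domain once, and from then on AD users authenticate against the domain controller and get a bash shell and a home directory on first login with no entry in /etc/passwd. The realm, workgroup and idmap ranges below are placeholders for a Samba 3.x smb.conf.

```ini
# /etc/samba/smb.conf (Samba 3.x as shipped with CentOS 5) -- added example.
# EXAMPLE.LOCAL, EXAMPLE and the idmap ranges are placeholders; substitute your own.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL

    # Kerberos/AD authentication. This only works after the box has a machine
    # account, i.e. after "net ads join -U <domain user>". That user need not be
    # a domain admin: by default AD lets any authenticated user create up to ten
    # computer accounts (ms-DS-MachineAccountQuota), which is what Ned saw above.
    security = ads

    # Map AD SIDs onto local uids/gids on the fly; nothing is written to /etc/passwd.
    idmap uid = 10000-20000
    idmap gid = 10000-20000

    # Present AD users as "user" rather than "EXAMPLE\user".
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes

    # The "give the user a shell on successful login" option from the thread,
    # plus a per-domain home directory layout.
    template shell = /bin/bash
    template homedir = /home/%D/%U
```

After the join, add `winbind` to the passwd and group lines of /etc/nsswitch.conf and `pam_winbind.so` (with `pam_mkhomedir.so` in the session stack so the home directory is created on first login) to /etc/pam.d/system-auth.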