CentOS magic to Active Directory login?
Scott Ehrlich
srehrlich-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Fri Feb 19 05:30:57 EST 2010
On Thu, Feb 18, 2010 at 8:28 PM, Edward Ned Harvey <blu-Z8efaSeK1ezqlBn2x/YWAg at public.gmane.org> wrote:
>> I've been trying to follow samba, centos, ldap, and other
>> documentation to try and get a CentOS 5 box to permit a user to log
>> into an existing Windows 200x Active Directory domain without
>> necessarily having the box as part of the domain. If it has to be
>> part of the domain, that is fine. The user shall have no local
>> account on the box - I want their active directory account to
>> automatically produce their account on the CentOS 5 box, likely with a
>> shell of bash.
>
> I am confused by a couple of things: If I understand you correctly, you
> want the user account to be created locally on the machine, without the
> machine joining AD, but the user account is authenticated by AD credentials.
> The only place I've ever seen anything similar to that was in Apple OD. A
> "Mobility User" logs in, is authenticated against the OD, but it is in fact
> created as a local user on the machine.
I did not mean to confuse. My goal is to NOT have to create a local
account on the Linux box - to instead allow a user to log into the
Linux box as though it were a Windows box that is part of the domain -
their login credentials authenticate against a genuine Windows Active
Directory controller, see the user exists, and they are able to log
in. Samba does have an option to give the user a shell if login is
successful.
Now, I don't care if the Linux box has actually joined the domain - I
only want the ability of the user to successfully be able to
authenticate against it and log in. Maybe the box will need to be a
member - something I'll learn along the way.
Thanks.
Scott
>
> I think as long as your requirements are inflexible, ... good luck, it may
> be difficult or impossible. But there are a lot of possibilities as long as
> you're willing to give up at least *one* of your requirements. The
> preferable choice would be if you have the ability to join the domain. Then
> there are tons of options, able to auto-create local accounts upon login,
> and so on. ... I'll try to say more if you express any interest.
>
> Oh, one more thing.
>
> I was very surprised to learn this a year or two ago. You don't need to be
> a domain administrator to join a machine onto the domain. I was very
> surprised when one of my unprivileged users joined his laptop to my domain,
> and I was unable to repeat that using my own unprivileged account. I
> investigated this *extremely* thoroughly, because I thought it represented
> some sort of security breach (like he somehow got the admin pass) but that
> was not the case. In the end, it was proven, without anybody getting in
> trouble, that unprivileged users can sometimes join computers to domains.
> There are some restrictions, but all the websites had conflicting
> information about what the restrictions are, so I am somewhat unclear in
> that area.
>
>
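The "join the domain, then let winbind supply the accounts" route that Ned recommends, written out as a script for a CentOS 5 box. This is an added example and not something either poster sent to the list; the realm EXAMPLE.COM, workgroup EXAMPLE, controller dc1.example.com and the join account are placeholder values, and the smb.conf keys follow the Samba 3.0 syntax that CentOS 5 ships (idmap uid/gid ranges, template shell). The "template shell" line is the Samba option Scott refers to: winbind's default is /bin/false, so without it domain users resolve but cannot get an interactive login. The last function reads ms-DS-MachineAccountQuota from the domain root, which is the attribute behind Ned's observation: it defaults to 10 and lets any authenticated user create that many computer objects, which is why one unprivileged user could join a laptop and another could not.

```shell
#!/bin/sh
# Added example, not from the original thread. Joins a CentOS 5 host to AD
# with Samba/winbind so domain users log in with no local account and get
# /bin/bash. All names below are placeholders, not values from the post.
REALM="${REALM:-EXAMPLE.COM}"           # Kerberos realm = AD DNS domain, upper case
WORKGROUP="${WORKGROUP:-EXAMPLE}"       # NetBIOS domain name
DC="${DC:-dc1.example.com}"             # a domain controller, also used as KDC
JOIN_USER="${JOIN_USER:-Administrator}" # any account allowed to create computer objects

lower() { echo "$1" | tr '[:upper:]' '[:lower:]'; }

# EXAMPLE.COM -> DC=example,DC=com (base DN of the domain naming context)
realm_to_base_dn() { lower "$1" | sed -e 's/\./,DC=/g' -e 's/^/DC=/'; }

# smb.conf [global] section. Kept as a function so the text can be checked
# before it is written to the box.
render_smb_conf() {
    cat <<EOF
[global]
   workgroup = $WORKGROUP
   realm = $REALM
   security = ads
   encrypt passwords = yes
   password server = *
   # Fixed, non-overlapping uid/gid range for AD SIDs (Samba 3.0 syntax)
   idmap uid = 10000-19999
   idmap gid = 10000-19999
   # Log in as "scott" rather than "$WORKGROUP\\scott"
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   # Default template shell is /bin/false; this is what gives a login shell
   template shell = /bin/bash
   template homedir = /home/%D/%U
EOF
}

render_krb5_conf() {
    cat <<EOF
[libdefaults]
 default_realm = $REALM
 dns_lookup_realm = false
 dns_lookup_kdc = true

[realms]
 $REALM = {
  kdc = $DC
  admin_server = $DC
 }

[domain_realm]
 .$(lower "$REALM") = $REALM
 $(lower "$REALM") = $REALM
EOF
}

# Needs root and a reachable DC, so it only runs when invoked with "apply".
apply_and_join() {
    yum -y install samba-common samba-client krb5-workstation openldap-clients
    render_smb_conf  > /etc/samba/smb.conf
    render_krb5_conf > /etc/krb5.conf
    ntpdate "$DC" || true            # Kerberos tolerates at most 5 min of clock skew
    net ads join -U "$JOIN_USER"     # creates the computer object, stores the machine secret
    # Wire nsswitch.conf and /etc/pam.d/system-auth-ac for winbind
    authconfig --enablewinbind --enablewinbindauth --update
    # Create the home directory on first login. authconfig --update regenerates
    # system-auth-ac, so this line is appended after it has run.
    grep -q pam_mkhomedir /etc/pam.d/system-auth || \
        echo "session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077" \
        >> /etc/pam.d/system-auth
    chkconfig winbind on
    service winbind restart
    wbinfo -t                        # machine trust secret works
    wbinfo -u | head                 # users enumerate from the DC
    getent passwd "$JOIN_USER"       # NSS resolves a domain user with shell /bin/bash
}

# How many computers a non-admin may join: ms-DS-MachineAccountQuota (default 10)
show_machine_account_quota() {
    ldapsearch -x -LLL -H "ldap://$DC" -D "$JOIN_USER@$REALM" -W \
        -b "$(realm_to_base_dn "$REALM")" -s base ms-DS-MachineAccountQuota
}

if [ "${1:-}" = "apply" ]; then
    apply_and_join
elif [ "${1:-}" = "quota" ]; then
    show_machine_account_quota
fi
```

Run it as root with `sh join-ad.sh apply`; `sh join-ad.sh quota` prompts for the join account's password and prints the quota. If the box should only authenticate users who are already allowed on it, add a "require_membership_of" group restriction in pam_winbind's configuration rather than relying on the template settings alone.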