CentOS magic to Active Directory login?
Edward Ned Harvey
blu-Z8efaSeK1ezqlBn2x/YWAg at public.gmane.org
Thu Feb 18 20:28:23 EST 2010
> I've been trying to follow samba, centos, ldap, and other
> documentation to try and get a CentOS 5 box to permit a user to log
> into an existing Windows 200x Active Directory domain without
> necessarily having the box as part of the domain. If it has to be
> part of the domain, that is fine. The user shall have no local
> account on the box - I want their active directory account to
> automatically produce their account on the CentOS 5 box, likely with a
> shell of bash.
I am confused by a couple of things: If I understand you correctly, you
want the user account to be created locally on the machine, without the
machine joining AD, but the user account is authenticated by AD credentials.
The only place I've ever seen anything similar to that was in Apple OD. A
"Mobility User" logs in, is authenticated against the OD, but it is in fact
created as a local user on the machine.
I think as long as your requirements are inflexible, ... good luck, it may
be difficult or impossible. But there are a lot of possibilities as long as
you're willing to give up at least *one* of your requirements. The
preferable choice would be if you have the ability to join the domain. Then
there are tons of options, able to auto-create local accounts upon login,
and so on. ... I'll try to say more if you express any interest.
Oh, one more thing.
I was very surprised to learn this a year or two ago. You don't need to be
a domain administrator to join a machine onto the domain. I was very
surprised when one of my unprivileged users joined his laptop to my domain,
and I was unable to repeat that using my own unprivileged account. I
investigated this *extremely* thoroughly, because I thought it represented
some sort of security breach (like he somehow got the admin pass) but that
was not the case. In the end, it was proven, without anybody getting in
trouble, that unprivileged users can sometimes join computers to domains.
There are some restrictions, but all the websites had conflicting
information about what the restrictions are, so I am somewhat unclear in
that area.
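Added here as a defender's check and not part of the original post: the restriction the reply leaves unclear is documented by Microsoft as the domain's ms-DS-MachineAccountQuota attribute (default 10 joins per authenticated user), and a computer object joined under that quota rather than by a delegated administrator gets the joiner's SID stamped in mS-DS-CreatorSID. This PowerShell report, which assumes the RSAT ActiveDirectory module on a domain-joined Windows host with ordinary read access, reads the quota and lists which computers were joined that way and by whom.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and read access to the domain; run from any domain-joined Windows host.
Import-Module ActiveDirectory

function Get-MachineAccountQuotaReport {
    param(
        # Domain to inspect; defaults to the current user's domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $dom = Get-ADDomain -Identity $Domain

    # ms-DS-MachineAccountQuota is stored on the domain naming-context head.
    # Default is 10: any authenticated user may join up to ten computers.
    $quota = (Get-ADObject -Identity $dom.DistinguishedName -Server $Domain `
                -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

    # Computers created without Create-Child rights on the target container
    # (i.e. via the quota) carry the creator's SID in mS-DS-CreatorSID.
    $quotaJoins = Get-ADComputer -Filter * -Server $Domain `
                    -Properties 'mS-DS-CreatorSID', 'whenCreated' |
        Where-Object { $_.'mS-DS-CreatorSID' } |
        ForEach-Object {
            $raw = $_.'mS-DS-CreatorSID'
            # The module may hand back a SecurityIdentifier or the raw SID bytes.
            $sid = if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $raw }
                   else { New-Object System.Security.Principal.SecurityIdentifier([byte[]]$raw, 0) }
            # Translation fails for deleted accounts; fall back to the bare SID.
            $who = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                   catch { $sid.Value }
            [pscustomobject]@{
                Computer  = $_.Name
                JoinedBy  = $who
                Created   = $_.whenCreated
            }
        }

    [pscustomobject]@{
        Domain             = $Domain
        MachineAccountQuota = $quota
        QuotaJoins         = @($quotaJoins)
        # Mitigation if unprivileged joins are unwanted:
        #   Set-ADDomain -Identity $Domain -Replace @{'ms-DS-MachineAccountQuota'='0'}
    }
}

$report = Get-MachineAccountQuotaReport
"Quota: $($report.MachineAccountQuota) (0 disables unprivileged joins)"
$report.QuotaJoins | Sort-Object JoinedBy | Format-Table -AutoSize
```

A per-user count of the JoinedBy column shows how much of the quota each account has consumed, which is what decides whether a given unprivileged user can still join a machine.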