RHEL7 - Active directory authentication without joining domain

I'm trying to find some documentation for having ssh users to authenticate through Microsoft Active Directory without having to join the machine to the domain.

Is this even possible?

Thank you.


Is it possible? Yes. Is it easy? No, unless you are very familiar with Kerberos, LDAP, SSSD, and PAM.

Fundamentally, an Active Directory Domain is just a Kerberos Realm with an attached LDAP directory. You can configure your system to use Kerberos for authentication, pointing to one or more AD domain controllers as the KDCs, and specifying the domain (AD.EXAMPLE.COM) as the realm. In sssd.conf, you would have a custom 'domain' set to use krb5 for the authentication provider, and LDAP for access control (or "simple", which I think lets in anybody who passes authentication; you may want to filter access further via PAM and /etc/security/access.conf). The only tricky bit might be generating valid UID numbers, if your AD does not contain valid entries in the POSIX fields (uidNumber, gidNumber, etc.).
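As an added illustration, not part of this discussion or of Red Hat's documentation, here is an sssd.conf that implements the layout described in the answer above (Kerberos for authentication, LDAP for identity, a group filter for access, and SID-based ID mapping for the missing POSIX fields); the domain controller names, CA certificate path, bind account and group name are placeholders.

```ini
# /etc/sssd/sssd.conf  (must be mode 0600 and owned by root, or sssd refuses to start)
[sssd]
services = nss, pam
domains = ad.example.com

[domain/ad.example.com]
# Identity comes from AD's LDAP directory, passwords are checked by Kerberos
# against the AD domain controllers acting as KDCs.
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

krb5_realm = AD.EXAMPLE.COM
krb5_server = dc1.ad.example.com, dc2.ad.example.com
# An unjoined host has no keytab, so the TGT cannot be validated against a
# host principal; leave validation off (this is also the default).
krb5_validate = False

# LDAP over TLS only; the CA file is a placeholder path for the AD CA chain.
ldap_uri = ldaps://dc1.ad.example.com, ldaps://dc2.ad.example.com
ldap_search_base = DC=ad,DC=example,DC=com
ldap_schema = ad
ldap_tls_cacert = /etc/pki/tls/certs/ad-ca.pem
ldap_tls_reqcert = demand
# No machine account means no GSSAPI identity for the directory bind, so a
# dedicated read-only service account (placeholder DN) does the bind instead.
ldap_default_bind_dn = CN=sssd-ro,OU=Service Accounts,DC=ad,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = CHANGEME

# Derive UID/GID numbers from each object's SID when uidNumber/gidNumber are
# not populated in AD; set to False if the POSIX attributes are maintained.
ldap_id_mapping = True

# Allow only members of one AD group (placeholder name) instead of every
# account that can authenticate.
access_provider = simple
simple_allow_groups = linux-ssh-users

cache_credentials = True
enumerate = False
```

After writing the file, `authconfig --enablesssd --enablesssdauth --update` wires NSS and PAM to SSSD on RHEL 7; the `simple_allow_groups` line plays the role of the access.conf filter mentioned above, and `access_provider = ldap` with an `ldap_access_filter` is the equivalent if the filter should live in the directory.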