I'm not a Windows person at all, but I understand the basic idea that an Active Directory is LDAP + Kerberos 5 + Microsoft special sauce. So, in a situation where I have a Windows machine over which I have no control which is in an existing Active Directory Domain, is it possible to have a person on this machine explicitly acquire a Kerberos ticket for a foreign realm and then get resources on the Linux server that I have control over which is in a Kerberos/LDAP realm that I control?
Specifically, suppose I have in my realm a user "[email protected]", and this user logs into a random Windows machine in "BAR.COM" which is a Microsoft AD realm using username "baz". Now, they want to grab files off a share on my machine quux.myrealm.com via Samba or NFSv4 or access a web page that requires Kerberos auth, and they need to do it as [email protected] instead of [email protected] which is the identity they used to log in to Windows.
The Linux/Unix/MIT Kerberos way would be to "kinit [email protected]" and then go for it. Is there an equivalent on Windows? Is there an equivalent that doesn't require installing anything unusual (i.e. MIT Kerberos for Windows)?
Cross-realm trust is not an option here, because I doubt the existing AD administrators will put the appropriate TGT entries even for one-way authentication, and besides, I don't have any desire to trust this domain.