On Thu, 28 Aug 2014, Simo Sorce wrote:
> auth_provider = krb5
> chpass_provider = krb5
> krb5_realm = IPA.EXAMPLE.TEST
> krb5_server = ipa-host.ipa.example.test
Without a keytab, validation is not possible; that's not ideal.
Depending on your reason for not joining a machine to the domain, you're free
to share a single Kerberos lookup credential via a keytab between multiple
machines, which will still give you the ability to validate.
jh
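
For reference, the quoted settings with ticket validation turned on, as an added example that is not part of either message. The domain section name and the keytab path are assumptions; `krb5_validate` and `krb5_keytab` are the sssd-krb5 options that control this behaviour.

```ini
# Section name is an assumption; the thread does not show it.
[domain/ipa.example.test]
auth_provider = krb5
chpass_provider = krb5
krb5_realm = IPA.EXAMPLE.TEST
krb5_server = ipa-host.ipa.example.test

# Check the TGT returned for the user against a key held in the keytab,
# so a reply from a spoofed KDC fails authentication instead of being trusted.
krb5_validate = true

# Keytab holding the shared lookup credential (path is an assumption).
# Keep it owned by root with mode 0600 on every machine that receives a copy.
krb5_keytab = /etc/sssd/shared-lookup.keytab
```

Because the same key is present on every machine that shares the keytab, compromise of one of them means rotating the credential on all of them.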