Do Linux servers using AD/Kerberos for authentication/authorization need computer accounts?

Solution 1:

There are two different considerations here:
1) authentication (password validation)
2) authorization (identity mapping/group memberships, etc)

For clients:
You can do authentication (password checking) via Kerberos from an anonymous client (no domain-join/host-creds). However you lose the ability to do GSSAPI SSO and KDC validation without host-creds (/etc/krb5.keytab).

For authorization you need to be able to do LDAP binds/lookups to the AD-DCs. In general AD does not allow anonymous LDAP binds, so you need some kind of client side credentials. Either an explicitly created & maintained service account OR host-creds (created/maintained by domain join).

In your ldap.conf or sssd.conf files you can list explicit service account creds or tell it to use the host-creds. If you have host-creds and use the 'ad' id_provider in sssd you gain advantages such as automatic host-cred maintenance.

Note that if you want to use AD for your authorization service you'll need to add rfc2307 style info (e.g. uidNumber, gidNumber, etc) to every user account that you want to use on the Unix/Linux clients.

For servers:
If they're going to provide any Kerberized/GSSAPI based services, then they -must- have host-creds (be domain joined) and have valid UPN/SPN records in the computer account in AD. Think of AD as providing the Kerberos KDC functionality.

For example:
If you have a Kerberized NFSv4 fileserver, there needs to be not only a "host/F.Q.D.N" SPN but also an "nfs/F.Q.D.N" SPN in the account & in the krb5.keytab file on the server.
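A check for the SPN requirement described above, as an added example that is not part of the original answer: it parses `klist -k` output and reports which required service principals are absent from the server's keytab. The keytab listing is a constructed sample; the hostname `nfs01.example.com` and realm `EXAMPLE.COM` are placeholders.

```python
"""Verify that a server's Kerberos keytab holds every SPN its services need.

Added example (not from the original answer). It reads the text produced by
`klist -k` and compares it against the SPNs a Kerberized server must carry,
e.g. host/ and nfs/ for an NFSv4 file server. The listing below is constructed
sample data; hostname and realm are placeholders.
"""
import re

# Constructed `klist -k` output: a domain-joined host whose keytab holds the
# host/ keys and the computer account's own principal, but no nfs/ SPN yet.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/nfs01.example.com@EXAMPLE.COM
   3 host/NFS01@EXAMPLE.COM
   3 NFS01$@EXAMPLE.COM
"""

# One keytab entry per line: key version number, then the principal name.
_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(text):
    """Return {principal: kvno} from `klist -k` output, skipping header lines."""
    entries = {}
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m and "@" in m.group(2):
            entries[m.group(2)] = int(m.group(1))
    return entries


def required_spns(fqdn, realm, services):
    """SPNs the server must hold: one <service>/<fqdn>@<REALM> per service."""
    return {f"{svc}/{fqdn}@{realm}" for svc in services}


def missing_spns(klist_text, fqdn, realm, services):
    """Return the required SPNs that are absent from the keytab, sorted."""
    present = parse_klist(klist_text)
    return sorted(required_spns(fqdn, realm, services) - set(present))


if __name__ == "__main__":
    gap = missing_spns(SAMPLE_KLIST_OUTPUT, "nfs01.example.com",
                       "EXAMPLE.COM", ["host", "nfs"])
    print("missing SPNs:", gap or "none")
```

On a live server, feed it the real output of `klist -k /etc/krb5.keytab` and the service names the host actually offers.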

Solution 2:

With SSSD it depends on the configuration. With id_provider=ad yes, you need to join the domain with realmd. But if you don't want to join the domain, there's nothing preventing you from using id_provider=ldap. Even ID mapping would work, if you configure the SID yourself.