[Samba] Joining domain without password?
Jakov Sosic
jsosic at srce.hr
Wed Oct 31 10:29:34 MDT 2012
On 10/30/2012 06:53 AM, Andrew Bartlett wrote:
> By some means, we need to securely establish a shared secret between the
> machine and the DC.
>
> You could forward a kerberos ticket to the host, if that's easier to
> automate and use -k.
>
> The old (NT4) style of setting up the account first, which implicitly
> set the password to machinename, isn't exactly secure, so doesn't help
> much. (that was what smbpasswd -j used long ago).
>
> You can delegate the privilege of joining machines to the domain, which
> may lessen the impact of the password or kerberos ticket/keytab you
> forward, but the shared secret needs to be securely set up somehow.
I've decided to create user with sole privilege of joining machines to
domain, and automation works OK.
Thank you.
--
Jakov Sosic
www.srce.unizg.hr
More information about the samba
mailing list