[Samba] Admin Privs When Joining Domain

Douglas E. Engert deengert at anl.gov
Tue Sep 14 08:05:34 MDT 2010



On 9/10/2010 9:04 PM, Nicholas Betcher wrote:
> Hello,
> When I attempt to join the domain using YaST (openSUSE's system
> configuration tool) or 'net join DOMAIN,' it prompts me for a network
> admin's username/password. The IT network admin already manually joined the
> machine to the network's AD domain (server-side), but Samba still needs a
> username/password. The workstations are batch-installs and are unattended,
> so we need a way to allow the machine to authenticate users without
> providing the admin password each time.
>
> So my question is: why does Samba ask for a network username/password even
> though the machine was already manually joined by the network admin to the
> AD domain server? Is there a way to circumvent this while preserving the
> workstation's ability to authenticate network users?

Part of the join is to set up the shared secrets between AD and the machine.
(password on computer account in AD, and a krb5.keytab on the Unix side.)
You said the AD admin did the server side, with the batch-installs
being done at a different time. This would indicate that the install needs
a way of using the same password the admin assigned to the computer account
to create a krb5.keytab or, as it looks like in your situation, the
batch-install wants to reset the password and create a matching krb5.keytab file
but this then requires AD admin authority.


>
> P.S. Yes, I did post about this already - and received no reply - but
> hopefully this email has less erroneous information.
>
> Thanks!
> Nick Betcher

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

