[Samba] Admin Privs When Joining Domain
Douglas E. Engert
deengert at anl.gov
Tue Sep 14 08:05:34 MDT 2010
On 9/10/2010 9:04 PM, Nicholas Betcher wrote:
> When I attempt to join the domain using YaST (openSUSE's system
> configuration tool) or 'net join DOMAIN,' it prompts me for a network
> admin's username/password. The IT network admin already manually joined the
> machine to the network's AD domain (server-side), but Samba still needs a
> username/password. The workstations are batch-installs and are unattended,
> so we need a way to allow the machine to authenticate users without
> providing the admin password each time.
> So my question is: why does Samba ask for a network username/password even
> though the machine was already manually joined by the network admin to the
> AD domain server? Is there a way to circumvent this while preserving the
> workstation's ability to authenticate network users?
Part of the join is to set up the shared secrets between AD and the machine
(password on computer account in AD, and a krb5.keytab on the Unix side).
You said the AD admin did the server side, with the batch-installs
being done at a different time. This would indicate that the install needs
a way of using the same password the admin assigned to the computer account
to create a krb5.keytab or, as it looks like in your situation, the
batch-install wants to reset the password and create a matching krb5.keytab file,
but this then requires AD admin authority.
> P.S. Yes, I did post about this already - and received no reply - but
> hopefully this email has less erroneous information.
> Nick Betcher
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439