[Samba] Joining domain without password?
abartlet at samba.org
Mon Oct 29 23:53:31 MDT 2012
On Tue, 2012-10-30 at 01:43 +0100, Jakov Sosic wrote:
> Is it possible somehow to join a Linux machine to an AD Domain without
> providing any password on a CLI?
> So far, I've been joining machines purely by:
> # net ads join -U Administrator%password
> But now, I'm trying to automatize the process through puppet, but don't
> know if it's possible somehow to join domain without using administrator
> (or any other) password?
> I can ask domain admin to add the machine account by hand.
By some means, we need to securely establish a shared secret between the
machine and the DC.
You could forward a Kerberos ticket to the host, if that's easier to
automate, and use -k.
The old (NT4) style of setting up the account first, which implicitly
set the password to machinename, isn't exactly secure, so doesn't help
much. (That was what smbpasswd -j used long ago.)
You can delegate the privilege of joining machines to the domain, which
may lessen the impact of the password or Kerberos ticket/keytab you
forward, but the shared secret needs to be securely set up somehow.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
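
The Kerberos route suggested in the reply, as an added example that is not part of the original message and not Samba's own code: a wrapper that a Puppet exec could call, which joins only when a valid ticket is present so that no password appears on the command line. The principal, keytab variable, credential cache path and the `--run` switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: password-less "net ads join" using a Kerberos ticket.
# Hypothetical values: override them from the environment.
JOIN_PRINCIPAL="${JOIN_PRINCIPAL:-svc-join@EXAMPLE.COM}"  # account with delegated join rights only
JOIN_KEYTAB="${JOIN_KEYTAB:-}"                            # optional keytab delivered out of band
KRB5CCNAME="${KRB5CCNAME:-FILE:/run/adjoin.ccache}"       # ccache holding the forwarded ticket
export KRB5CCNAME

have_ticket() {
    # MIT klist: -s prints nothing, exit status 0 means a valid, unexpired ccache
    klist -s
}

already_joined() {
    # Verifies the existing machine account secret against the DC
    net ads testjoin >/dev/null 2>&1
}

join_domain() {
    if already_joined; then
        echo "already joined"
        return 0
    fi
    if ! have_ticket; then
        if [ -n "$JOIN_KEYTAB" ] && [ -r "$JOIN_KEYTAB" ]; then
            # Obtain a ticket from the keytab instead of typing a password
            kinit -k -t "$JOIN_KEYTAB" "$JOIN_PRINCIPAL" || return 2
        else
            echo "no valid Kerberos ticket and no readable keytab" >&2
            return 2
        fi
    fi
    net ads join -k
    rc=$?
    # Drop the join credential whether or not the join succeeded
    kdestroy >/dev/null 2>&1
    [ "$rc" -eq 0 ] || return 3
    return 0
}

# Run only when asked, so the functions can be sourced without side effects
if [ "${1:-}" = "--run" ]; then
    join_domain
fi
```

Exit status 2 means no usable credential was available and 3 means the join itself failed, which lets the calling manifest tell the two cases apart.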