[Samba] Joining domain without password?

Andrew Bartlett abartlet at samba.org
Mon Oct 29 23:53:31 MDT 2012

On Tue, 2012-10-30 at 01:43 +0100, Jakov Sosic wrote:
> Hi.
> Is it possible somehow to join a Linux machine to a AD Domain without 
> providing any password on a CLI?
> So far, I've been joining machines purely by:
>   # net ads joint -U Administrator%password
> But now, I'm trying to automatize the process through puppet, but don't 
> know if it's possible somehow to join domain without using administrator 
> (or any other) password?
> I can ask domain admin to add the machine account by hand.

By some means, we need to securely establish a shared secret between the
machine and the DC.  

You could forward a kerberos ticket to the host, if that's easier to
automate and use -k.

The old (NT4) style of setting up the account first, which implicitly
set the password to machinename, isn't exactly secure, so doesn't help
much.  (that was what smbpasswd -j used long ago).

You can delegate the privilege of joining machines to the domain, which
may lessen the impact of the password or kerberos ticket/keytab you
forward, but the shared secret needs to be securely set up somehow. 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list