[Samba] NFSv4 / Krb / wildcard in keytab

mathias dufresne infractory at gmail.com
Fri Apr 1 09:15:57 UTC 2016


First, a rectification: Kerberos uses passwords to authenticate objects.
Keytabs are passwords, so using a keytab to authenticate does not remove
the password from the authentication process; it hides the password in an
encrypted file.
Then, once this object is authenticated, it gets a Kerberos ticket, which
is used to avoid giving the password (or keytab) again.

Now, to avoid a password when joining members, you could do this on the
client machine to join it to your domain:
- kinit as some user able to join machines to the domain. Using a keytab
here will replace the password. Your user will get a ticket.
- net ads join ad.domain.tld -k

2016-03-31 15:41 GMT+02:00 Sketch <smblist at rednsx.org>:

> On Thu, 31 Mar 2016, Service Informatique IF wrote:
>
>> The problem for us is to join computers automatically to Samba. Maybe you
>> have a solution? (without passwd)
>>
>
> It's not exactly without password, but if you are building your own
> machines via kickstart or similar and just want to automate the join, you
> can do a "net ads join -UAdministrator%password".
>
> In theory you could do this with a kerberos keytab as well, using kinit
> with the keytab file, then a "net join -k" (possibly "-k yes"), as
> described here
> https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server
> However, I seem to recall not being able to get "net join -k" to work last
> time I tried.  I'm also not sure that distributing keytabs for
> administrative accounts is any better than using a password.
>
>> Or maybe, if it's possible, create computer accounts in Samba with
>> samba-tool user add ... and so on, so I could create the computer keytab
>> directly from Samba.
>>
>
> I suspect this may be possible, but I've never tried it.  You would also
> have to copy the keytab to the appropriate machines after creating them.
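The two-step keytab join described above (kinit with a keytab, then `net ads join -k`), as an added example script that is not from the thread or from Samba. It also encodes the point made in the reply that a keytab is just a password in a file: the script refuses to use a keytab that other users can read. DOMAIN, KEYTAB and JOIN_PRINCIPAL are placeholder values; `kinit -kt` is MIT Kerberos syntax.

```shell
#!/bin/sh
# Added example, not code from the thread: join a machine with a keytab for a
# dedicated join account, following the two steps in the post (kinit, then
# "net ads join -k"). DOMAIN, KEYTAB and JOIN_PRINCIPAL are placeholders.
set -eu

DOMAIN="${DOMAIN:-ad.domain.tld}"                          # placeholder domain
KEYTAB="${KEYTAB:-/etc/krb5.join.keytab}"                  # placeholder keytab path
JOIN_PRINCIPAL="${JOIN_PRINCIPAL:-joiner@AD.DOMAIN.TLD}"   # placeholder join account

# A keytab is the account's password in a file, so treat it like one: only
# proceed when it exists, is owned by the user running the join, and is not
# readable by group or others (mode 600/400). Returns 0 when all of that holds.
keytab_mode_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    owner=$(ls -ld "$f" | awk '{print $3}')
    perm=$(ls -ld "$f" | cut -c5-10)     # group and other permission bits
    [ "$owner" = "$(id -un)" ] || return 1
    [ "$perm" = "------" ]
}

join_with_keytab() {
    keytab_mode_ok "$KEYTAB" || {
        echo "refusing: $KEYTAB must be mode 600 and owned by $(id -un)" >&2
        return 1
    }
    # Private credential cache so the join ticket never lands in the default
    # cache and is destroyed when the script exits.
    cc=$(mktemp /tmp/krb5cc_join.XXXXXX)
    KRB5CCNAME="FILE:$cc"; export KRB5CCNAME
    trap 'kdestroy >/dev/null 2>&1 || true; rm -f "$cc"' EXIT
    kinit -kt "$KEYTAB" "$JOIN_PRINCIPAL"   # MIT kinit: authenticate with the keytab
    net ads join "$DOMAIN" -k               # use the ticket; no password on the command line
    net ads testjoin                        # confirm the new machine account works
}

# Only perform the join when asked for, so the functions can be sourced or tested.
if [ "${DO_JOIN:-0}" = 1 ]; then
    join_with_keytab
fi
```

Run as root with `DO_JOIN=1` on the machine being joined; the join account only needs the right to add computer objects, not domain administrator rights.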