[Samba] Running off pre-created keytabs

Rowland Penny rpenny at samba.org
Thu Jan 10 16:02:42 UTC 2019


On Thu, 10 Jan 2019 16:23:06 +0100
"Osipov, Michael via samba" <samba at lists.samba.org> wrote:

> Hi folks,
> 
> we'd like to provision new Samba servers (file sharing only) with the 
> system keytab. It will be precreated by some other process (msktutil) 
> because we don't have direct access to a domain admin account. Is
> there any degradation in functionality by not using "secrets and
> keytab" and not doing "net ads join"?
> 
> This is somewhat similar to my question from 2017-11 [1] where I
> wanted to do "net ads join" with precreated accounts, but haven't
> really found a usable solution.
> 
> Michael
> 
> 
> [1] https://lists.samba.org/archive/samba/2017-November/211945.html
> 

There is an interesting fact, if you add:

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

to smb.conf and then join the domain with:

net ads join -U Administrator (or another user capable of joining
machines)

You will get the computer's account created in AD and the keytab
created, so why do you feel the need to precreate the machines in AD
and use an extra package to join the domain?

Rowland
 


