[Samba] Running off pre-created keytabs
rpenny at samba.org
Thu Jan 10 16:02:42 UTC 2019
On Thu, 10 Jan 2019 16:23:06 +0100
"Osipov, Michael via samba" <samba at lists.samba.org> wrote:
> Hi folks,
> we'd like to provision new Samba servers (file sharing only) with the
> system keytab. It will be precreated by some other process (msktutil)
> because we don't have direct access to a domain admin account. Is
> there any degradation in functionality by not using "secrets and
> keytab" and not doing "net ads join"?
> This is somewhat similar to my question from 2017-11 where I
> wanted to do "net ads join" with precreated accounts, but haven't
> really found a usable solution.
>  https://lists.samba.org/archive/samba/2017-November/211945.html
There is an interesting fact, if you add:
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
to smb.conf and then join the domain with:
net ads join -U Administrator (or another user capable of joining
You will get the computer's account created in AD and the keytab
created, so why do you feel the need to precreate the machines in AD
and use an extra package to join the domain?