[Samba] Running off pre-created keytabs

Rowland Penny rpenny at samba.org
Thu Jan 10 16:02:42 UTC 2019

On Thu, 10 Jan 2019 16:23:06 +0100
"Osipov, Michael via samba" <samba at lists.samba.org> wrote:

> Hi folks,
> we'd like to provision new Samba servers (file sharing only) with the 
> system keytab. It will be precreated by some other process (msktutil)
> because we don't have direct access to a domain admin account. Is
> there any degradation in functionality by not using "secrets and
> keytab" and not doing "net ads join"?
> This is somewhat similar to my question from 2017-11 [1] where I
> wanted to do "net ads join" with precreated accounts, but haven't
> really found a usable solution.
> Michael
> [1] https://lists.samba.org/archive/samba/2017-November/211945.html

There is an interesting fact, if you add:

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

to smb.conf and then join the domain with:

net ads join -U Administrator (or another user capable of joining

You will get the computer's account created in AD and the keytab
created, so why do you feel the need to precreate the machines in AD
and use an extra package to join the domain?

