[Samba] Running off pre-created keytabs
Osipov, Michael
michael.osipov at siemens.com
Fri Jan 11 08:39:35 UTC 2019
Am 2019-01-10 um 17:02 schrieb Rowland Penny via samba:
> On Thu, 10 Jan 2019 16:23:06 +0100
> "Osipov, Michael via samba" <samba at lists.samba.org> wrote:
>
>> Hi folks,
>>
>> we'd like to provision new Samba servers (file sharing only) with the
>> system keytab. It will precreated by some other process (msktutil)
>> because we don't have direct access to a domain admin account. Is
>> there any degragation in functionality by not using "secrets and
>> keytab" and not doing "net ads join"?
>>
>> This is somewhat similiar to my question from 2017-11 [1] where I
>> wanted to do "net ads join" with precreated accounts, but haven't
>> really found a usable solution.
>>
>> Michael
>>
>>
>> [1] https://lists.samba.org/archive/samba/2017-November/211945.html
>>
>
> There is an interesting fact, if you add:
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> to smb.conf and then join the domain with:
>
> net ads join -U Administrator (or another user capable of joining
> machines)
>
> You will get the computers account created in AD and the keytab
> created, so why do you feel the need to precreate the machines in AD
> and use an extra package to join the domain ?
As depicted, this still requires an admin to be present at the box. I
have to constantly beg people with that kind of permission to do a
session with us to kinit and then join servers or create SPNs which do
not match the FQDN. If the account can be precreated one can do this
asynchronously and I'd remove the dependency on relying on specific people.
While it sounds for you trivial to have an admin account, in our huge
new forest (Siemens and MS claim it to be the largest one on the planet)
it is very strict about permissions after severe incident in the last
forest. It took us weeks to find someone who is willing to join our
servers once in a while. I guess this can be/is the case in many large
companies. Morover, I will request a server which shall precreate
machine accounts. This will make us independent from humans, but Samba
won't play well with that. At last, if the colleague is on sick leave or
else and we have to reset the account for whatsoever reason, we are bust!
Regards,
Michael
More information about the samba
mailing list