[Samba] Running off pre-created keytabs

Osipov, Michael michael.osipov at siemens.com
Fri Jan 11 08:39:35 UTC 2019

Am 2019-01-10 um 17:02 schrieb Rowland Penny via samba:
> On Thu, 10 Jan 2019 16:23:06 +0100
> "Osipov, Michael via samba" <samba at lists.samba.org> wrote:
>> Hi folks,
>> we'd like to provision new Samba servers (file sharing only) with the
>> system keytab. It will precreated by some other process (msktutil)
>> because we don't have direct access to a domain admin account. Is
>> there any degragation in functionality by not using "secrets and
>> keytab" and not doing "net ads join"?
>> This is somewhat similiar to my question from 2017-11 [1] where I
>> wanted to do "net ads join" with precreated accounts, but haven't
>> really found a usable solution.
>> Michael
>> [1] https://lists.samba.org/archive/samba/2017-November/211945.html
> There is an interesting fact, if you add:
>      dedicated keytab file = /etc/krb5.keytab
>      kerberos method = secrets and keytab
> to smb.conf and then join the domain with:
> net ads join -U Administrator (or another user capable of joining
> machines)
> You will get the computers account created in AD and the keytab
> created, so why do you feel the need to precreate the machines in AD
> and use an extra package to join the domain ?

As depicted, this still requires an admin to be present at the box. I 
have to constantly beg people with that kind of permission to do a 
session with us to kinit and then join servers or create SPNs which do 
not match the FQDN. If the account can be precreated one can do this 
asynchronously and I'd remove the dependency on relying on specific people.

While it sounds for you trivial to have an admin account, in our huge 
new forest (Siemens and MS claim it to be the largest one on the planet) 
it is very strict about permissions after severe incident in the last 
forest. It took us weeks to find someone who is willing to join our 
servers once in a while. I guess this can be/is the case in many large 
companies. Morover, I will request a server which shall precreate 
machine accounts. This will make us independent from humans, but Samba 
won't play well with that. At last, if the colleague is on sick leave or 
else and we have to reset the account for whatsoever reason, we are bust!



More information about the samba mailing list