[Samba] Running off pre-created keytabs

Remy Zandwijk (Samba) remy+samba at luckyhands.nl
Fri Jan 11 11:03:30 UTC 2019 


> On 11 Jan 2019, at 10:33, Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> On Fri, 11 Jan 2019 09:39:35 +0100
> "Osipov, Michael via samba" <samba at lists.samba.org> wrote:
> 
>> Am 2019-01-10 um 17:02 schrieb Rowland Penny via samba:
>>> On Thu, 10 Jan 2019 16:23:06 +0100
>>> "Osipov, Michael via samba" <samba at lists.samba.org> wrote:
>>> 
>>>> Hi folks,
>>>> 
>>>> we'd like to provision new Samba servers (file sharing only) with
>>>> the system keytab. It will precreated by some other process
>>>> (msktutil) because we don't have direct access to a domain admin
>>>> account. Is there any degragation in functionality by not using
>>>> "secrets and keytab" and not doing "net ads join"?
>>>> 
>>>> This is somewhat similiar to my question from 2017-11 [1] where I
>>>> wanted to do "net ads join" with precreated accounts, but haven't
>>>> really found a usable solution.
>>>> 
>>>> Michael
>>>> 
>>>> 
>>>> [1] https://lists.samba.org/archive/samba/2017-November/211945.html
>>>> 
>>> 
>>> There is an interesting fact, if you add:
>>> 
>>>    dedicated keytab file = /etc/krb5.keytab
>>>    kerberos method = secrets and keytab
>>> 
>>> to smb.conf and then join the domain with:
>>> 
>>> net ads join -U Administrator (or another user capable of joining
>>> machines)
>>> 
>>> You will get the computers account created in AD and the keytab
>>> created, so why do you feel the need to precreate the machines in AD
>>> and use an extra package to join the domain ?
>> 
>> As depicted, this still requires an admin to be present at the box. I 
>> have to constantly beg people with that kind of permission to do a 
>> session with us to kinit and then join servers or create SPNs which
>> do not match the FQDN. If the account can be precreated one can do
>> this asynchronously and I'd remove the dependency on relying on
>> specific people.
>> 
>> While it sounds for you trivial to have an admin account, in our huge 
>> new forest (Siemens and MS claim it to be the largest one on the
>> planet) it is very strict about permissions after severe incident in
>> the last forest. It took us weeks to find someone who is willing to
>> join our servers once in a while. I guess this can be/is the case in
>> many large companies. Morover, I will request a server which shall
>> precreate machine accounts. This will make us independent from
>> humans, but Samba won't play well with that. At last, if the
>> colleague is on sick leave or else and we have to reset the account
>> for whatsoever reason, we are bust!
>> 
>> Regards,
>> 
>> Michael
>> 
> 
> I am with Louis here, this definitely says more about your company than
> you or Samba. To put it bluntly, it appears that they do not trust you,
> otherwise they would have given you delegated powers to join computers.

Another use case is joining a machine to a domain of which only the read-only domain controllers are reachable (in a DMZ, for example).

In the university I work at, Windows servers in the DMZ are joined to the domain by pre-creating the machine account and running a script (as local admin) on the server. If Windows can do that, why not Samba?

-Remy

More information about the samba mailing list