[Samba] Running off pre-created keytabs
Remy Zandwijk (Samba)
remy+samba at luckyhands.nl
Fri Jan 11 11:03:30 UTC 2019
> On 11 Jan 2019, at 10:33, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Fri, 11 Jan 2019 09:39:35 +0100
> "Osipov, Michael via samba" <samba at lists.samba.org> wrote:
>
>> On 2019-01-10 at 17:02, Rowland Penny via samba wrote:
>>> On Thu, 10 Jan 2019 16:23:06 +0100
>>> "Osipov, Michael via samba" <samba at lists.samba.org> wrote:
>>>
>>>> Hi folks,
>>>>
>>>> we'd like to provision new Samba servers (file sharing only) with
>>>> the system keytab. It will be precreated by some other process
>>>> (msktutil) because we don't have direct access to a domain admin
>>>> account. Is there any degradation in functionality by not using
>>>> "secrets and keytab" and not doing "net ads join"?
>>>>
>>>> This is somewhat similar to my question from 2017-11 [1] where I
>>>> wanted to do "net ads join" with precreated accounts, but haven't
>>>> really found a usable solution.
>>>>
>>>> Michael
>>>>
>>>>
>>>> [1] https://lists.samba.org/archive/samba/2017-November/211945.html
>>>>
>>>
>>> There is an interesting fact, if you add:
>>>
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>>
>>> to smb.conf and then join the domain with:
>>>
>>> net ads join -U Administrator (or another user capable of joining
>>> machines)
>>>
>>> You will get the computer's account created in AD and the keytab
>>> created, so why do you feel the need to precreate the machines in AD
>>> and use an extra package to join the domain?
>>
>> As depicted, this still requires an admin to be present at the box. I
>> have to constantly beg people with that kind of permission to do a
>> session with us to kinit and then join servers or create SPNs which
>> do not match the FQDN. If the account can be precreated one can do
>> this asynchronously and I'd remove the dependency on relying on
>> specific people.
>>
>> While it may sound trivial to you to have an admin account, in our huge
>> new forest (Siemens and MS claim it to be the largest one on the
>> planet) it is very strict about permissions after a severe incident in
>> the last forest. It took us weeks to find someone who is willing to
>> join our servers once in a while. I guess this can be/is the case in
>> many large companies. Moreover, I will request a server which shall
>> precreate machine accounts. This will make us independent from
>> humans, but Samba won't play well with that. At last, if the
>> colleague is on sick leave or else and we have to reset the account
>> for whatsoever reason, we are bust!
>>
>> Regards,
>>
>> Michael
>>
>
> I am with Louis here, this definitely says more about your company than
> you or Samba. To put it bluntly, it appears that they do not trust you,
> otherwise they would have given you delegated powers to join computers.
Another use case is joining a machine to a domain of which only the read-only domain controllers are reachable (in a DMZ, for example).
In the university I work at, Windows servers in the DMZ are joined to the domain by pre-creating the machine account and running a script (as local admin) on the server. If Windows can do that, why not Samba?
-Remy
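The thread above turns on pointing Samba at a keytab that some other process (msktutil, or a pre-created machine account in the Windows case) produced, via `dedicated keytab file` and `kerberos method = secrets and keytab`. The failure a practitioner wants to catch before starting smbd is a keytab whose SPNs do not match the server's FQDN, or whose entries carry mixed key version numbers (KVNO) after an account reset. The following script is an added example, not code from any poster in this thread or from the Samba project; the function names (`keytab_has_spn`, `keytab_kvno_count`, `check_keytab`), the host `fs01.example.com`, the realm `EXAMPLE.COM` and the `klist` output it parses are all constructed here. It parses the MIT `klist -k -t` listing format and checks for the `host/` and `cifs/` principals Samba file sharing needs.

```shell
#!/bin/sh
# Added example: sanity-check a pre-created system keytab before Samba
# is configured with
#   dedicated keytab file = /etc/krb5.keytab
#   kerberos method = secrets and keytab
# Works on the text produced by `klist -k -t <keytab>` (MIT Kerberos).

# Constructed sample of `klist -k -t /etc/krb5.keytab` output; the host,
# realm and timestamps are made up for this example.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/10/19 16:00:00 host/fs01.example.com@EXAMPLE.COM
   3 01/10/19 16:00:00 cifs/fs01.example.com@EXAMPLE.COM
   3 01/10/19 16:00:00 FS01$@EXAMPLE.COM'

# keytab_has_spn <klist-output> <principal>
# Succeeds when the principal appears as the last field of an entry line.
keytab_has_spn() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

# keytab_kvno_count <klist-output>
# Prints the number of distinct KVNOs in the keytab. After a machine
# account reset the AD-side KVNO changes; entries with a stale KVNO are
# the usual reason a pre-created keytab stops authenticating.
keytab_kvno_count() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { k[$1] = 1 } END { n = 0; for (x in k) n++; print n }'
}

# check_keytab <klist-output> <fqdn> <realm>
# Reports each required SPN as ok/MISSING and returns non-zero if any
# required SPN is absent or the keytab mixes key version numbers.
check_keytab() {
    out=$1; fqdn=$2; realm=$3; rc=0
    for svc in host cifs; do
        spn="$svc/$fqdn@$realm"
        if keytab_has_spn "$out" "$spn"; then
            echo "ok: $spn"
        else
            echo "MISSING: $spn"
            rc=1
        fi
    done
    if [ "$(keytab_kvno_count "$out")" != 1 ]; then
        echo "WARNING: keytab contains more than one KVNO; check for stale entries"
        rc=1
    fi
    return $rc
}

# Live mode: run against the real keytab on this host. Requires klist
# from the Kerberos client tools and read access to the keytab, so it is
# only entered when explicitly requested.
if [ "${1:-}" = "--live" ]; then
    keytab=${2:-/etc/krb5.keytab}
    check_keytab "$(klist -k -t "$keytab")" "$(hostname -f)" "${3:?realm required}"
fi
```

Run it as `sh check-keytab.sh --live /etc/krb5.keytab EXAMPLE.COM` on the server once msktutil has delivered the keytab; a clean run means `net ads join` was not needed for the SPNs Samba will advertise, while a MISSING line for `cifs/` is exactly the "SPNs which do not match the FQDN" case raised in the thread.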