[Samba] Running off pre-created keytabs

Remy Zandwijk (Samba) remy+samba at luckyhands.nl
Fri Jan 11 12:14:16 UTC 2019 


> On 11 Jan 2019, at 12:34, Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> On Fri, 11 Jan 2019 12:03:30 +0100
> "Remy Zandwijk \(Samba\) via samba" <samba at lists.samba.org> wrote:
> 
>> 
>> 
>>> On 11 Jan 2019, at 10:33, Rowland Penny via samba
>>> <samba at lists.samba.org> wrote:
>>> 
>>> On Fri, 11 Jan 2019 09:39:35 +0100
>>> "Osipov, Michael via samba" <samba at lists.samba.org> wrote:
>>> 
>>>> Am 2019-01-10 um 17:02 schrieb Rowland Penny via samba:
>>>>> On Thu, 10 Jan 2019 16:23:06 +0100
>>>>> "Osipov, Michael via samba" <samba at lists.samba.org> wrote:
>>>>> 
>>>>>> Hi folks,
>>>>>> 
>>>>>> we'd like to provision new Samba servers (file sharing only) with
>>>>>> the system keytab. It will precreated by some other process
>>>>>> (msktutil) because we don't have direct access to a domain admin
>>>>>> account. Is there any degragation in functionality by not using
>>>>>> "secrets and keytab" and not doing "net ads join"?
>>>>>> 
>>>>>> This is somewhat similiar to my question from 2017-11 [1] where I
>>>>>> wanted to do "net ads join" with precreated accounts, but haven't
>>>>>> really found a usable solution.
>>>>>> 
>>>>>> Michael
>>>>>> 
>>>>>> 
>>>>>> [1]
>>>>>> https://lists.samba.org/archive/samba/2017-November/211945.html
>>>>>> 
>>>>> 
>>>>> There is an interesting fact, if you add:
>>>>> 
>>>>>   dedicated keytab file = /etc/krb5.keytab
>>>>>   kerberos method = secrets and keytab
>>>>> 
>>>>> to smb.conf and then join the domain with:
>>>>> 
>>>>> net ads join -U Administrator (or another user capable of joining
>>>>> machines)
>>>>> 
>>>>> You will get the computers account created in AD and the keytab
>>>>> created, so why do you feel the need to precreate the machines in
>>>>> AD and use an extra package to join the domain ?
>>>> 
>>>> As depicted, this still requires an admin to be present at the
>>>> box. I have to constantly beg people with that kind of permission
>>>> to do a session with us to kinit and then join servers or create
>>>> SPNs which do not match the FQDN. If the account can be precreated
>>>> one can do this asynchronously and I'd remove the dependency on
>>>> relying on specific people.
>>>> 
>>>> While it sounds for you trivial to have an admin account, in our
>>>> huge new forest (Siemens and MS claim it to be the largest one on
>>>> the planet) it is very strict about permissions after severe
>>>> incident in the last forest. It took us weeks to find someone who
>>>> is willing to join our servers once in a while. I guess this can
>>>> be/is the case in many large companies. Morover, I will request a
>>>> server which shall precreate machine accounts. This will make us
>>>> independent from humans, but Samba won't play well with that. At
>>>> last, if the colleague is on sick leave or else and we have to
>>>> reset the account for whatsoever reason, we are bust!
>>>> 
>>>> Regards,
>>>> 
>>>> Michael
>>>> 
>>> 
>>> I am with Louis here, this definitely says more about your company
>>> than you or Samba. To put it bluntly, it appears that they do not
>>> trust you, otherwise they would have given you delegated powers to
>>> join computers.
>> 
>> Another use case is joining a machine to a domain of which only the
>> read-only domain controllers are reachable (in a DMZ, for example).
>> 
>> In the university I work at, Windows servers in the DMZ are joined to
>> the domain by pre-creating the machine account and running a script
>> (as local admin) on the server. If Windows can do that, why not Samba?
>> 
> 
> It probably can, 'samba-tool computer create <computername>' will
> precreate the computer in AD, so all that should be needed is the
> script, anybody got an example script ?

The script which is being used on the Windows server to-be-joined is provided for by Microsoft:
http://technet.microsoft.com/en-us/library/dd728035(v=ws.10).aspx#sample_script_RODC_join <http://technet.microsoft.com/en-us/library/dd728035(v=ws.10).aspx#sample_script_RODC_join>

Before running the script, a registry key needs to be added:
reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v SiteName /t REG_SZ /d Default-First-Site-Name-Perimeter

Then run the script like:
cscript JoinScript.vbs /domain YOURDOMAIN /machinepassword "THE_PASSWORD" /dc RODC_FQDN /readonly


I spend a lot of time trying to join a Samba domain member server to an Windows read-only AD, but I couldn't get it to work. My impression is that Samba is not playing very well with site perimeters, but I cannot recall the details.


Personally, I do not agree at all with the statement that not being allowed to join machines to the domain is a matter of lack of trust within the company. I think it's a best practice to adhere the least privilege principles. If the AD admins pre-create the computer account and give the Samba domain member server admin the keytab and machine password, it should be just about enough to be able to join the particular machine and only the particular machine (if only it would work with Samba). 


-Remy

More information about the samba mailing list