[Samba] Running off pre-created keytabs

Michael Ströder michael at stroeder.com
Fri Mar 1 21:00:05 UTC 2019


Sorry for chiming in so late.

On 1/11/19 2:48 PM, L.P.H. van Belle via samba wrote:
>>> On 11 Jan 2019, at 14:25, Rowland Penny via samba 
>> <samba at lists.samba.org> wrote:
>>> On Fri, 11 Jan 2019 13:14:16 +0100
>>> "Remy Zandwijk \(Samba\) via samba" <samba at lists.samba.org> wrote:
>>> I think it's a best practice to adhere to the least-privilege principle.
>
> Yes, and for that you need admin rights to setup.
> 
>>> If the AD admins pre-create the computer account and give the Samba 
>>> domain member server admin the keytab and machine password, 
>
> Again, the need of admin rights. 

"Admin rights" is an over-simplification here.
The relevant principle is called separation of duty.

For adding the computer account and setting the temporary computer
password, you need admin rights in the OU within the domain.

For joining the machine with its computer account you need (temporary)
administrative access to the machine and the temporary computer password.

But it should not be required to enter the password of the OU admin on
the machine to be joined!

I think one can do this with msktutil --set-samba-secret for renewing
the host keytab and Samba's secrets.tdb.

I recently wrote an Ansible role with which an OU admin (who has a TGT on
the Ansible controller) pre-creates or resets the computer account and the
machine is joined with msktutil and the temporary computer password, all in
one play.

Ciao, Michael.
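The two-step join that the message above describes, written out as an added example playbook; this is not Michael's role nor anything shipped by Samba or msktutil. It assumes a domain example.com with DC dc1.example.com, an OU "OU=Servers,DC=example,DC=com", an inventory group "members", an OU admin whose TGT is already in KRB5CCNAME on the controller, and that msktutil's --precreate mode accepts --old-account-password to set the account's initial password (confirm this against the man page of the msktutil version you run). The OU admin's credentials never leave the controller; the member host only ever sees the one-time machine password.

```yaml
# Added example: separation of duty for a Samba domain-member join.
# Play 1 runs on the controller under the OU admin's TGT and only touches AD.
# Play 2 runs on the member and uses nothing but the temporary machine password.
# All names (example.com, dc1, OU=Servers, group "members") are assumptions.
- name: Pre-create or reset the computer account as OU admin (controller side)
  hosts: members
  gather_facts: false
  tasks:
    - name: Generate a one-time machine password for this host
      ansible.builtin.set_fact:
        tmp_machine_pw: "{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}"
        ad_server: dc1.example.com
        ad_base: "OU=Servers,DC=example,DC=com"
      no_log: true

    # --precreate implies --user-creds-only, so the OU admin's ticket cache
    # is used; the member's hostname is not contacted at all in this play.
    - name: Create/reset the computer account with the temporary password
      ansible.builtin.command:
        argv:
          - msktutil
          - --precreate
          - --computer-name
          - "{{ inventory_hostname_short | upper }}"
          - --hostname
          - "{{ inventory_hostname }}"
          - --base
          - "{{ ad_base }}"
          - --server
          - "{{ ad_server }}"
          - --old-account-password   # assumed: sets the initial password in --precreate mode
          - "{{ tmp_machine_pw }}"
      delegate_to: localhost
      environment:
        KRB5CCNAME: "{{ lookup('env', 'KRB5CCNAME') }}"
      no_log: true

- name: Join the member using only the temporary machine password (member side)
  hosts: members
  become: true
  tasks:
    # Authenticates as the computer account itself (--old-account-password),
    # writes /etc/krb5.keytab and, via --set-samba-secret, stores the new
    # machine password in Samba's secrets.tdb. No admin password is needed here.
    - name: Create host keytab and set Samba's machine secret
      ansible.builtin.command:
        argv:
          - msktutil
          - --create
          - --computer-name
          - "{{ inventory_hostname_short | upper }}"
          - --hostname
          - "{{ inventory_hostname }}"
          - --server
          - "{{ ad_server }}"
          - --old-account-password
          - "{{ tmp_machine_pw }}"
          - --set-samba-secret
          - --keytab
          - /etc/krb5.keytab
        creates: /etc/krb5.keytab
      no_log: true
```

Two caveats a practitioner should keep in mind: --set-samba-secret calls Samba's net tool, so smb.conf on the member must already carry the right realm and workgroup before the second play runs; and msktutil takes the password as a command-line argument, so it is briefly visible in the process list on both hosts. no_log keeps it out of Ansible's output, and the password is single-use because msktutil --create rotates it as part of the join, but if that exposure window matters, run the second play with a locally generated password instead and reset the account with --precreate only after the member has confirmed the join.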