[Samba] Running off pre-created keytabs

Rowland Penny rpenny at samba.org
Fri Mar 1 21:17:55 UTC 2019

On Fri, 1 Mar 2019 22:00:05 +0100
Michael Ströder via samba <samba at lists.samba.org> wrote:

> Sorry for chiming in so late.
> On 1/11/19 2:48 PM, L.P.H. van Belle via samba wrote:
> >>> On 11 Jan 2019, at 14:25, Rowland Penny via samba 
> >> <samba at lists.samba.org> wrote:
> >>> On Fri, 11 Jan 2019 13:14:16 +0100
> >>> "Remy Zandwijk \(Samba\) via samba" <samba at lists.samba.org> wrote:
> >>> I think it's a best practice to adhere the least privilege
> >>> principles. 
> >
> > Yes, and for that you need admin rights to setup.
> > 
> >>> If the AD admins pre-create the computer account and give the
> >>> Samba domain member server admin the keytab and machine password, 
> >
> > Again, the need of admin rights. 
> "Admin rights" is an over-simplification here.
> The relevant principle is called separation of duty.
> For adding the computer account and to set the temporary computer
> password you need admin rights in the OU within the domain.


> For joining the machine with its computer account you need (temporary)
> administrative access to the machine and the temporary computer
> password.

Couldn't get this to work.

> But it should not be required to enter the password of the OU admin on
> the machine to be joined!

It isn't.

> I think one can do this with msktutil --set-samba-secret for renewing
> host keytab and Samba's secret.tdb.

You need a group with the permissions to join computers set on the OU,
a user who is a member of this group and the users keytab. You only
need standard Unix and Samba tools.
> I recently wrote an ansible role with which an OU admin (has TGT on
> ansible controller) pre-creates / resets the computer account and the
> machine is joined with msktutil and temporary computer password in
> one play.

You don't need to precreate the computer, the join with 'net' will do
it for you.


> Ciao, Michael.

More information about the samba mailing list