[Samba] Running off pre-created keytabs

Rowland Penny rpenny at samba.org
Sat Mar 2 12:30:08 UTC 2019


On Sat, 2 Mar 2019 10:25:49 +0100
Michael Ströder <michael at stroeder.com> wrote:

> On 3/1/19 10:17 PM, Rowland Penny via samba wrote:
> > You don't need to precreate the computer, the join with 'net' will
> > do it for you.
> 
> But then I need to have administrative rights on the OU for the admin
> doing the actual join. For security reasons I don't want to enter the
> OU admin's password on the machine to be joined.
> 
> Maybe I got you wrong though.
> 
> Ciao, Michael.
> 

You create a group, set permissions on the OU for the group to join
machines. Create a user (I called the user 'joinuser') with a random
password set to never expire. Export the keytab for this user and copy
it to the machine that you want to join. Then run (on the computer you
want to join):

export KRB5CCNAME="/tmp/joinuser.cc" 
kinit -F -k -t /etc/joinuser.keytab -c "$KRB5CCNAME" joinuser
net ads join --workgroup="$Domain" --server="$DC" createcomputer="$OU" -k --no-dns-updates

The machine should join without a password.

Rowland
