[Samba] Running off pre-created keytabs

Michael Ströder michael at stroeder.com
Sat Mar 2 18:28:27 UTC 2019

On 3/2/19 1:30 PM, Rowland Penny via samba wrote:
> On Sat, 2 Mar 2019 10:25:49 +0100
> Michael Ströder <michael at stroeder.com> wrote:
>> On 3/1/19 10:17 PM, Rowland Penny via samba wrote:
>>> You don't need to precreate the computer, the join with 'net' will
>>> do it for you.
>> But then I need to have administrative rights on the OU for the admin
>> doing the actual join. For security reasons I don't want to enter the
>> OU admin's password on the machine to be joined.
>> Maybe I got you wrong though.
> You create a group, set permissions on the OU for the group to join
> machines. Create a user (I called the user 'joinuser') with a random
> password set to never expire. Export the keytab for this user and copy
> it to the machine that you want to join. Then run (on the computer you
> want to join):
> export KRB5CCNAME="/tmp/joinuser.cc"
> kinit -F -k -t /etc/joinuser.keytab -c "$KRB5CCNAME" joinuser
> net ads join --workgroup="$Domain" --server="$DC" createcomputer="$OU" -k --no-dns-updates
> The machine should join without a password.

But with your approach you still copy a credential (the joinuser's
keytab) on the machine to be joined which has more power than really needed.

When pre-creating the computer account you just let the machine account
use its initial password (like for regular keytab update).

Or do I overlook something?

Ciao, Michael.
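An added check (example code, not from this thread or from Samba) for the step where the joinuser keytab is copied to the machine to be joined: it parses MIT krb5 `klist -k` output and refuses to proceed if the file holds anything but the join account's principal. It assumes the MIT listing format and the realm EXAMPLE.COM; both listings are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread. Before the kinit/net ads join steps,
# confirm that the keytab copied to the machine carries only the join
# account's principal. Input is the text printed by MIT krb5 `klist -k`;
# the listings below are constructed samples so the check runs offline.

# keytab_principals_ok LISTING EXPECTED_PRINCIPAL
# Returns 0 when LISTING contains at least one key entry and every entry's
# principal equals EXPECTED_PRINCIPAL (several KVNOs of it are fine);
# returns 1 if the keytab is empty or holds any other principal.
keytab_principals_ok() {
    listing=$1
    expected=$2
    printf '%s\n' "$listing" |
        awk -v want="$expected" '
            $1 !~ /^[0-9]+$/ { next }   # header lines: "Keytab name:", "KVNO Principal", dashes
            { seen++ }                   # a real key entry: "<kvno> <principal>"
            $2 != want { bad = 1 }       # any foreign principal fails the check
            END { exit (bad || seen == 0) ? 1 : 0 }'
}

# Constructed sample: the keytab exported for the join account only.
SAMPLE_OK='Keytab name: FILE:/etc/joinuser.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 joinuser@EXAMPLE.COM
   3 joinuser@EXAMPLE.COM'

# Constructed sample: a second, unrelated principal ended up in the same file
# (hypothetical name ouadmin), which a machine-join keytab should never carry.
SAMPLE_BAD='Keytab name: FILE:/etc/joinuser.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 joinuser@EXAMPLE.COM
   5 ouadmin@EXAMPLE.COM'

# Real use would feed the live listing instead of a sample:
#   keytab_principals_ok "$(klist -k /etc/joinuser.keytab)" joinuser@EXAMPLE.COM
if keytab_principals_ok "$SAMPLE_OK" joinuser@EXAMPLE.COM; then
    echo "keytab accepted: only joinuser present, proceed with kinit -k -t"
fi
if ! keytab_principals_ok "$SAMPLE_BAD" joinuser@EXAMPLE.COM; then
    echo "keytab rejected: holds a principal other than joinuser"
fi
```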
