[Samba] Running off pre-created keytabs

Rowland Penny rpenny at samba.org
Sat Mar 2 18:50:17 UTC 2019


On Sat, 2 Mar 2019 19:28:27 +0100
Michael Ströder <michael at stroeder.com> wrote:

> But with your approach you still copy a credential (the joinuser's
> keytab) on the machine to be joined which has more power than really
> needed.

The only extra power, over and above a normal user, is the permission
to join a computer to a specific OU, gained through being a member of a
group. This user cannot log in; the password is unknown.
  
> 
> When pre-creating the computer account you just let the machine
> account use its initial password (like for regular keytab update).
> 
> Or do I overlook something?

Don't know, but I couldn't get your way to work, possibly because the
computer didn't have permission to join a computer in the OU.

Rowland




