[Samba] Running off pre-created keytabs
Rowland Penny
rpenny at samba.org
Sat Mar 2 18:50:17 UTC 2019
On Sat, 2 Mar 2019 19:28:27 +0100
Michael Ströder <michael at stroeder.com> wrote:
> But with your approach you still copy a credential (the joinuser's
> keytab) on the machine to be joined which has more power than really
> needed.
The only extra power, over and above a normal user, is the permissions
to join a computer to a specific OU gained through being a member of a
group. This user cannot login, the password is unknown.
>
> When pre-creating the computer account you just let the machine
> account use its initial password (like for regular keytab update).
>
> Or do I overlook something?
Don't know, but I couldn't get your way to work, possibly because the
computer didn't have permission to join a computer in the OU.
Rowland
More information about the samba
mailing list