[Samba] Running off pre-created keytabs
Denis Cardon
dcardon at tranquil.it
Tue Mar 5 19:16:49 UTC 2019
Hi Michael,
On 01/10/2019 at 04:23 PM, Osipov, Michael via samba wrote:
> Hi folks,
>
> we'd like to provision new Samba servers (file sharing only) with the
> system keytab. It will be precreated by some other process (msktutil)
> because we don't have direct access to a domain admin account. Is there
> any degradation in functionality by not using "secrets and keytab" and
> not doing "net ads join"?
>
> This is somewhat similar to my question from 2017-11 [1] where I wanted
> to do "net ads join" with precreated accounts, but haven't really found
> a usable solution.
I think you ought to take a look at the work of Philipp Gesang [1]. I
think it is currently the closest thing you'll have to a djoin.exe
compatible client (and it looks quite promising!). There is still some
work ongoing and I'd also be very happy to have such a thing working. I
think you should get in touch with him on this subject! I myself was too
busy to follow on that subject...
Even in smaller networks with a few thousand computers, rights delegation
quickly becomes an issue in security-focused contexts. And in many cases
it may even be easier for automatic provisioning.
Cheers,
Denis
PS: you said in one of your mails that Siemens had the largest forest
according to MS. May I ask, just for my knowledge, what is the order of
magnitude of such a forest in terms of workstations?
[1] https://lists.samba.org/archive/samba-technical/2019-January/131924.html
>
> Michael
>
>
> [1] https://lists.samba.org/archive/samba/2017-November/211945.html
>
--
Denis Cardon
Tranquil IT
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755
http://www.tranquil.it
Tranquil IT is hiring! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr