[Samba] Running off pre-created keytabs

Denis Cardon dcardon at tranquil.it
Tue Mar 5 19:16:49 UTC 2019

Hi Michael,

On 01/10/2019 at 04:23 PM, Osipov, Michael via samba wrote:
> Hi folks,
> we'd like to provision new Samba servers (file sharing only) with the
> system keytab. It will be precreated by some other process (msktutil)
> because we don't have direct access to a domain admin account. Is there
> any degradation in functionality by not using "secrets and keytab" and
> not doing "net ads join"?
> This is somewhat similar to my question from 2017-11 [1] where I wanted
> to do "net ads join" with precreated accounts, but haven't really found
> a usable solution.

I think you ought to take a look at the work of Philipp Gesang [1]. I 
think it is currently the closest thing you'll have to a djoin.exe 
compatible client (and it looks quite promising!). There is still some 
work ongoing and I'd also be very happy to have such a thing working. I 
think you should get in touch with him on this subject! I myself was too 
busy to follow on that subject...

Even in a smaller network with a few thousand computers, rights delegation 
quickly becomes an issue in a security-focused context. And in many cases 
it may even be easier for automatic provisioning.



PS: you said in one of your mails that Siemens had the largest forest 
according to MS. May I ask, just for my knowledge, what is the order of 
magnitude of such a forest in terms of workstations?

[1] https://lists.samba.org/archive/samba-technical/2019-January/131924.html

> Michael
> [1] https://lists.samba.org/archive/samba/2017-November/211945.html

Denis Cardon
Tranquil IT
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755

Tranquil IT is hiring! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
