[Samba] LDAP + Keytab without requiring administrator logins

Rowland penny rpenny at samba.org
Wed Feb 3 19:23:20 UTC 2021

On 03/02/2021 18:57, Christian Kuntz wrote:
> Thanks for your responses and all the information.
> From what I'm reading, I should replace what I'm doing with sssd with 
> winbind. Thanks for the clarification and I'll get started on that!
> To return to my original question; is it possible to initialize the 
> secrets.tdb (I believe it stores the keytab required to join the 
> domain by what we have discussed) in a way that allows the machine to 
> join an LDAP domain without providing it with full credentials 
> (User/Pass)?

Well, no and yes. No as in I don't know a way to access secrets.tdb to 
automatically join a domain, yes as in you need a keytab that holds the 
required keys.

About two years ago I played with this concept and actually got it to 
work on a test VM.

It is a bit more involved than you think. The way I did it was to create 
an AD group for users who would be allowed to join machines and then 
created a user to do the join (as a test), added this user to the join 
group and then exported a keytab for this user.

You then copy the keytab to the machine that will become a Unix domain 
member (on which Samba is set up correctly) and then you can use Kerberos 
to join the domain.

Which will not work, not unless you have added a few ACEs to the OU 
that will hold the computer AD object.
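The procedure Rowland outlines, written out as an added example (this is not code from the post or from the Samba project). It is a POSIX shell script in two halves: the `dc` half creates the join group and a join-only user, exports that user's keytab and adds an ACE to the target OU; the `member` half obtains a Kerberos ticket from the keytab and joins. The realm, group, user, OU and keytab path are assumptions set through environment variables; the single create-child ACE is the minimum needed to create computer objects and is likewise an assumption, since the post does not list which ACEs it used.

```shell
#!/bin/sh
# Added example: delegate domain joins to a keytab-backed user rather than
# handing each member an administrator password. All names are assumptions.
set -eu

REALM="${REALM:-EXAMPLE.COM}"                 # assumed Kerberos realm
JOIN_GROUP="${JOIN_GROUP:-domain-joiners}"    # assumed AD group for joiners
JOIN_USER="${JOIN_USER:-joiner}"              # assumed join-only account
COMPUTERS_OU="${COMPUTERS_OU:-OU=Members,DC=example,DC=com}"  # assumed OU DN
CREATE_OU="${CREATE_OU:-Members}"             # same OU in net ads join form
KEYTAB="${KEYTAB:-/etc/samba/joiner.keytab}"  # assumed keytab location

# Kerberos principal that the exported keytab will contain.
join_principal() {
    printf '%s@%s\n' "$1" "$2"
}

# ACE (in SDDL) granting one SID the right to create computer objects.
# CC = Create Child; bf967a86-0de6-11d0-a285-00aa003049e2 is the schemaIDGUID
# of the "computer" class. samba-tool dsacl set takes just the ACE, no "D:".
join_ace() {
    printf '(OA;;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;%s)\n' "$1"
}

# Steps run on the domain controller.
dc_setup() {
    principal=$(join_principal "$JOIN_USER" "$REALM")
    samba-tool group add "$JOIN_GROUP"
    # Random password: nobody needs to know it, the keytab carries the keys.
    samba-tool user create "$JOIN_USER" --random-password
    samba-tool group addmembers "$JOIN_GROUP" "$JOIN_USER"
    samba-tool domain exportkeytab "$KEYTAB" --principal="$principal"
    chmod 600 "$KEYTAB"
    # Resolve the group SID and grant it create-computer on the OU.
    sid=$(wbinfo -n "$JOIN_GROUP" | cut -d' ' -f1)
    samba-tool dsacl set --objectdn="$COMPUTERS_OU" --sddl="$(join_ace "$sid")"
    echo "copy $KEYTAB to the member (root-only, mode 600) and run: $0 member"
}

# Steps run on the future Unix domain member (Samba already configured).
member_join() {
    principal=$(join_principal "$JOIN_USER" "$REALM")
    chmod 600 "$KEYTAB"
    # Ticket from the keytab, then a Kerberos-only join into the delegated OU.
    kinit -k -t "$KEYTAB" "$principal"
    net ads join -k createcomputer="$CREATE_OU"
    kdestroy
}

case "${1:-}" in
    dc)     dc_setup ;;
    member) member_join ;;
    *)      echo "usage: $0 dc|member" ;;
esac
```

The join user never needs its password known to anyone: the keys are exported straight from the DC, and the OU ACE scopes what that keytab can do to creating computer objects in one container. Treat the keytab as you would a password file (root-owned, mode 600) and rotate it by re-exporting after a password reset.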
