[Samba] LDAP + Keytab without requiring administrator logins
rpenny at samba.org
Wed Feb 3 19:23:20 UTC 2021
On 03/02/2021 18:57, Christian Kuntz wrote:
> Thanks for your responses and all the information.
> From what I'm reading, I should replace what I'm doing with sssd with
> winbind. Thanks for the clarification and I'll get started on that!
> To return to my original question; is it possible to initialize the
> secrets.tdb (I believe it stores the keytab required to join the
> domain by what we have discussed) in a way that allows the machine to
> join an LDAP domain without providing it with full credentials
Well, no and yes. No as in I don't know a way to access secrets.tdb to
automatically join a domain, yes as in you need a keytab that holds the
About two years ago I played with this concept and actually got it to
work on a test VM.
It is a bit more involved than you think. The way I did it was to create
an AD group for users who would be allowed to join machines and then
created a user to do the join (as a test), added this user to the join
group and then exported a keytab for this user.
You then copy the keytab to the machine that will become a Unix domain
member (on which Samba is setup correctly) and then you can use kerberos
to join the domain.
Which will not work, not unless you have added a few ACE's to the OU
that will hold the computer AD object.
More information about the samba