
[Samba] Joining domain without password?


Jakov Sosic

Oct 29, 2012, 9:40:02 PM
Hi.


Is it possible somehow to join a Linux machine to an AD domain without
providing any password on the CLI?

So far, I've been joining machines purely by:

# net ads join -U Administrator%password

But now I'm trying to automate the process through Puppet, but I don't
know if it's possible somehow to join the domain without using the
administrator (or any other) password?

I can ask domain admin to add the machine account by hand.



I'm currently using Samba 3.5.x on RHEL 5 (samba3x rpms) and RHEL 6
(samba rpms).



--
Jakov Sosic
www.srce.unizg.hr
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Andrew Bartlett

Oct 30, 2012, 2:00:01 AM
On Tue, 2012-10-30 at 01:43 +0100, Jakov Sosic wrote:
> Hi.
>
>
> Is it possible somehow to join a Linux machine to an AD domain without
> providing any password on the CLI?
>
> So far, I've been joining machines purely by:
>
> # net ads join -U Administrator%password
>
> But now I'm trying to automate the process through Puppet, but I don't
> know if it's possible somehow to join the domain without using the
> administrator (or any other) password?
>
> I can ask domain admin to add the machine account by hand.

By some means, we need to securely establish a shared secret between the
machine and the DC.

You could forward a kerberos ticket to the host, if that's easier to
automate and use -k.

The old (NT4) style of setting up the account first, which implicitly
set the password to machinename, isn't exactly secure, so doesn't help
much. (that was what smbpasswd -j used long ago).

You can delegate the privilege of joining machines to the domain, which
may lessen the impact of the password or kerberos ticket/keytab you
forward, but the shared secret needs to be securely set up somehow.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Jakov Sosic

Nov 1, 2012, 9:30:02 PM
On 10/30/2012 06:53 AM, Andrew Bartlett wrote:
> By some means, we need to securely establish a shared secret between the
> machine and the DC.
>
> You could forward a kerberos ticket to the host, if that's easier to
> automate and use -k.
>
> The old (NT4) style of setting up the account first, which implicitly
> set the password to machinename, isn't exactly secure, so doesn't help
> much. (that was what smbpasswd -j used long ago).
>
> You can delegate the privilege of joining machines to the domain, which
> may lessen the impact of the password or kerberos ticket/keytab you
> forward, but the shared secret needs to be securely set up somehow.

I've decided to create a user with the sole privilege of joining machines to
the domain, and the automation works OK.


Thank you.



--
Jakov Sosic
www.srce.unizg.hr
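The two pieces of advice in this thread (Andrew's "forward a Kerberos credential and use -k" and Jakov's delegated join-only account) fit together in one script that Puppet can call from an exec resource. The script below is an added example written for this page, not code from the thread or from the Samba project. It assumes a delegated account whose only AD right is to join computers (hypothetical principal joinuser@EXAMPLE.COM), a keytab for that account already placed on the host as a root-only file (hypothetical path /etc/samba/join.keytab, e.g. via a Puppet file resource with mode 0600), and an MIT or Heimdal kinit. The join password therefore never appears on any command line or in process listings; the only secret on the host is the keytab, and the script refuses to use it unless the file is private.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): join an AD domain from a
# Puppet exec without a password on argv, using a keytab for a delegated
# join-only account and `net ads join -k`.
set -eu

KEYTAB="${KEYTAB:-/etc/samba/join.keytab}"        # assumed keytab path
JOIN_PRINC="${JOIN_PRINC:-joinuser@EXAMPLE.COM}"  # assumed delegated principal
CCACHE="${CCACHE:-/tmp/krb5cc_adsjoin.$$}"        # private ccache for this run

# keytab_is_private FILE: returns 0 when FILE exists and has no group/other
# permission bits at all. A readable keytab is equivalent to publishing the
# join account's password, so anything looser than 0600 is rejected.
keytab_is_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c5-10)   # group+other bits of "-rw-------"
    [ "$mode" = "------" ]
}

# already_joined: `net ads testjoin` exits 0 when the machine account secret
# stored in secrets.tdb still authenticates to the domain, so Puppet can use
# it as the "unless" condition and the join becomes idempotent.
already_joined() {
    net ads testjoin >/dev/null 2>&1
}

# ads_join_with_keytab: get a TGT for the delegated join account from the
# keytab (kinit -k -t), point KRB5CCNAME at a private cache, and let `net`
# authenticate with that ticket via -k. The cache is destroyed on exit.
ads_join_with_keytab() {
    keytab_is_private "$KEYTAB" || {
        echo "refusing to join: $KEYTAB must be mode 0600" >&2
        return 1
    }
    export KRB5CCNAME="FILE:$CCACHE"
    trap 'kdestroy >/dev/null 2>&1 || true' EXIT
    kinit -k -t "$KEYTAB" "$JOIN_PRINC"
    net ads join -k
}

# Only perform the join when explicitly asked ("join"); with no argument the
# file just defines the functions, so it can be sourced or tested safely.
case "${1:-}" in
    join) already_joined || ads_join_with_keytab ;;
    *) ;;
esac
```

In a Puppet manifest this would be wired as an exec with `command => '/usr/local/sbin/ads-join.sh join'` and `unless => '/usr/bin/net ads testjoin'` (paths assumed), with the keytab delivered by a file resource owned by root with mode 0600 and required by the exec. Because the join account is only delegated the right to create and join computer objects, compromise of the keytab lets an attacker add rogue machines but does not hand out domain administrator access, which is the risk reduction Andrew describes.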