On Tue, 2012-10-30 at 01:43 +0100, Jakov Sosic wrote:
> Hi.
>
> Is it possible somehow to join a Linux machine to an AD Domain without
> providing any password on a CLI?
>
> So far, I've been joining machines purely by:
>
> # net ads join -U Administrator%password
>
> But now, I'm trying to automatize the process through puppet, but don't
> know if it's possible somehow to join domain without using administrator
> (or any other) password?
>
> I can ask domain admin to add the machine account by hand.
By some means, we need to securely establish a shared secret between the
machine and the DC.

You could forward a kerberos ticket to the host, if that's easier to
automate, and use -k.

The old (NT4) style of setting up the account first, which implicitly
set the password to machinename, isn't exactly secure, so doesn't help
much. (That was what smbpasswd -j used long ago.)

You can delegate the privilege of joining machines to the domain, which
may lessen the impact of the password or kerberos ticket/keytab you
forward, but the shared secret needs to be securely set up somehow.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
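As an added example (not from this thread, nor Samba's own code), here is how the reply's advice could be expressed in Puppet: a delegated join account's keytab is placed on the host, a ticket is obtained from it, and `net ads join -k` is run so no password ever appears on the command line. The realm EXAMPLE.COM, the account name `joiner`, the keytab path and the `adjoin` module are assumptions.

```puppet
# Added example, not part of the original thread. Assumes a join account
# 'joiner' (delegated only the right to join computers) whose keytab the
# Puppet master serves from the hypothetical 'adjoin' module.
# The keytab is the shared secret the reply talks about: it travels over
# the Puppet agent's TLS channel and is readable by root only.
file { '/etc/krb5.joiner.keytab':
  ensure => file,
  owner  => 'root',
  group  => 'root',
  mode   => '0600',
  source => 'puppet:///modules/adjoin/krb5.joiner.keytab',
}

# Get a Kerberos ticket from the keytab, join with -k (Kerberos instead of
# a -U user%password), then drop the ticket whatever the outcome.
# 'unless' makes this idempotent: it only runs while the host is not joined.
exec { 'ad-join':
  provider  => shell,
  path      => ['/usr/bin', '/bin', '/usr/sbin', '/sbin'],
  command   => 'kinit -k -t /etc/krb5.joiner.keytab joiner@EXAMPLE.COM && net ads join -k; rc=$?; kdestroy; exit $rc',
  unless    => 'net ads testjoin',
  logoutput => on_failure,
  require   => File['/etc/krb5.joiner.keytab'],
}
```

If the join account's rights are later revoked, the only damage a leaked keytab can do is bounded by that delegation, which is the point of delegating the join privilege rather than shipping an administrator password.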