Hi folks,

we'd like to provision new Samba servers (file sharing only) with the system keytab. It will be precreated by some other process (msktutil) because we don't have direct access to a domain admin account. Is there any degradation in functionality by not using "secrets and keytab" and not doing "net ads join"?

This is somewhat similar to my question from 2017-11 [1] where I wanted to do "net ads join" with precreated accounts, but haven't really found a usable solution.

Michael

[1] https://lists.samba.org/archive/samba/2017-November/211945.html
Hai,

And you are not looking for this?
https://wiki.samba.org/index.php/Delegation/Joining_Machines_to_a_Domain

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Osipov, Michael via samba
> Sent: Thursday 10 January 2019 16:23
> To: samba at lists.samba.org
> Subject: [Samba] Running off pre-created keytabs
>
> Hi folks,
>
> we'd like to provision new Samba servers (file sharing only) with the system keytab. It will be precreated by some other process (msktutil) because we don't have direct access to a domain admin account. Is there any degradation in functionality by not using "secrets and keytab" and not doing "net ads join"?
On Thu, 10 Jan 2019 16:23:06 +0100 "Osipov, Michael via samba" <samba at lists.samba.org> wrote:

> Hi folks,
>
> we'd like to provision new Samba servers (file sharing only) with the system keytab. It will be precreated by some other process (msktutil) because we don't have direct access to a domain admin account. Is there any degradation in functionality by not using "secrets and keytab" and not doing "net ads join"?

There is an interesting fact, if you add:

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

to smb.conf and then join the domain with:

    net ads join -U Administrator

(or another user capable of joining machines)

You will get the computer's account created in AD and the keytab created, so why do you feel the need to precreate the machines in AD and use an extra package to join the domain?

Rowland
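Before pointing Samba's "dedicated keytab file" at a keytab that msktutil (or any other process) pre-created, it is worth checking which principals it actually holds and whether they match the host's FQDN and realm. The following is an added example, not code from this thread nor from Samba or msktutil: it reads and writes the MIT keytab format (version 0x0502) in pure Python and reports which of the host/ and cifs/ SPNs Samba file serving expects are absent; the host fs01.example.com, the realm EXAMPLE.COM, the timestamp and the all-zero key bytes are constructed sample values.

```python
import struct
def _counted(b):
    return struct.pack(">H", len(b)) + b
def _read_counted(data, pos):
    n = struct.unpack(">H", data[pos:pos + 2])[0]
    return data[pos + 2:pos + 2 + n], pos + 2 + n
def build_keytab(entries):
    """entries: (principal 'svc/host', realm, kvno, enctype, key) -> v0x0502 keytab bytes."""
    out = b"\x05\x02"
    for princ, realm, kvno, etype, key in entries:
        comps = princ.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 1547134986, kvno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">H", etype) + _counted(key) + struct.pack(">I", kvno)  # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return (principal@REALM, kvno, enctype) for every live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, found = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack(">i", data[pos:pos + 4])[0], pos + 4
        if size <= 0:                 # negative size marks a deleted slot, zero means no more entries
            if size == 0: break
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack(">H", data[pos:pos + 2])[0]
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        vno8 = data[pos + 8]          # skip name_type (4) and timestamp (4)
        etype = struct.unpack(">H", data[pos + 9:pos + 11])[0]
        _key, pos = _read_counted(data, pos + 11)
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        found.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
        pos = end
    return found
def missing_spns(data, fqdn, realm):
    """Samba file serving expects host/ and cifs/ for the FQDN; list those absent."""
    have = {p for p, _, _ in parse_keytab(data)}
    return [s for s in ("host/%s@%s" % (fqdn, realm), "cifs/%s@%s" % (fqdn, realm)) if s not in have]
SAMPLE = build_keytab([("host/fs01.example.com", "EXAMPLE.COM", 3, 18, b"\x00" * 32),  # constructed sample,
                       ("host/FS01", "EXAMPLE.COM", 3, 17, b"\x00" * 16)])            # dummy all-zero keys
```

Against a real file, missing_spns(open("/etc/krb5.keytab", "rb").read(), fqdn, realm) gives the same answer, and a stale kvno or an unexpected enctype shows up in parse_keytab's tuples.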
On 2019-01-10 at 17:02, Rowland Penny via samba wrote:
> There is an interesting fact, if you add:
>
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>
> to smb.conf and then join the domain with:
>
>     net ads join -U Administrator
>
> (or another user capable of joining machines)
>
> You will get the computer's account created in AD and the keytab created, so why do you feel the need to precreate the machines in AD and use an extra package to join the domain?

As depicted, this still requires an admin to be present at the box. I have to constantly beg people with that kind of permission to do a session with us to kinit and then join servers or create SPNs which do not match the FQDN. If the account can be precreated, one can do this asynchronously and I'd remove the dependency on relying on specific people.

While it sounds trivial to you to have an admin account, in our huge new forest (Siemens and MS claim it to be the largest one on the planet) it is very strict about permissions after a severe incident in the last forest. It took us weeks to find someone who is willing to join our servers once in a while. I guess this can be/is the case in many large companies. Moreover, I will request a server which shall precreate machine accounts. This will make us independent from humans, but Samba won't play well with that. At last, if the colleague is on sick leave or else and we have to reset the account for whatsoever reason, we are bust!

Regards,

Michael
On 2019-01-10 at 17:02, L.P.H. van Belle via samba wrote:
> Hai,
>
> And you are not looking for this?
> https://wiki.samba.org/index.php/Delegation/Joining_Machines_to_a_Domain

That would be charming, but the company is too big for someone to easily grant me that permission. I will enquire about that. Thanks!
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Osipov, Michael via samba
> Sent: Friday 11 January 2019 9:40
> To: samba at lists.samba.org
> Subject: Re: [Samba] Running off pre-created keytabs
>
> On 2019-01-10 at 17:02, L.P.H. van Belle via samba wrote:
> > Hai,
> >
> > And you are not looking for this?
> > https://wiki.samba.org/index.php/Delegation/Joining_Machines_to_a_Domain
>
> That would be charming, but the company is too big for someone to easily grant me that permission. I will enquire about that.

If the company is too big and nobody is granting that permission, then it says more about the company (or you, trying not to be offending here) than Samba. I'll blame the company.. ;-)

And in response to:

> While it sounds trivial to you to have an admin account, in our huge new forest (Siemens and MS claim it to be the largest one on the planet) it is very strict about permissions after a severe incident in the last forest. It took us weeks to find someone who is willing to join our servers once in a while. I guess this can be/is the case in many large companies. Moreover, I will request a server which shall precreate machine accounts. This will make us independent from humans, but Samba won't play well with that. At last, if the colleague is on sick leave or else and we have to reset the account for whatsoever reason, we are bust!

Yes, but that is a company policy problem and not a Samba problem. Also you must understand that in my opinion this is a normal procedure, because else it would be very easy to put a compromising machine into the domain.

So my best advice: ask for the delegation as shown in the links. If you don't get these and you don't have any other admin rights, then you are (a 6 letter word here...)..

Greetz,

Louis
Hi Michael,

On 01/10/2019 at 04:23 PM, Osipov, Michael via samba wrote:
> Hi folks,
>
> we'd like to provision new Samba servers (file sharing only) with the system keytab. It will be precreated by some other process (msktutil) because we don't have direct access to a domain admin account. Is there any degradation in functionality by not using "secrets and keytab" and not doing "net ads join"?
>
> This is somewhat similar to my question from 2017-11 [1] where I wanted to do "net ads join" with precreated accounts, but haven't really found a usable solution.
>
> [1] https://lists.samba.org/archive/samba/2017-November/211945.html

I think you ought to take a look at the work of Philipp Gesang [1]. I think it is currently the closest thing you'll have to a djoin.exe compatible client (and it looks quite promising!). There is still some work ongoing and I'd also be very happy to have such a thing working. I think you should get in touch with him on this subject! I myself was too busy to follow up on that subject...

Even in smaller networks with a few thousand computers, rights delegation quickly becomes an issue in a security-focused context. And in many cases it may even be easier for automatic provisioning.

Cheers,

Denis

PS: you said in one of your mails that Siemens had the largest forest according to MS. May I ask, just for my knowledge, what is the order of magnitude of such a forest in terms of workstations?

[1] https://lists.samba.org/archive/samba-technical/2019-January/131924.html

-- 
Denis Cardon
Tranquil IT
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755
http://www.tranquil.it
Tranquil IT is hiring! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr