On Fri, 1 Mar 2019 22:00:05 +0100
Michael Ströder via samba <samba at lists.samba.org> wrote:
> Sorry for chiming in so late.
>
> On 1/11/19 2:48 PM, L.P.H. van Belle via samba wrote:
> >>> On 11 Jan 2019, at 14:25, Rowland Penny via samba
> >> <samba at lists.samba.org> wrote:
> >>> On Fri, 11 Jan 2019 13:14:16 +0100
> >>> "Remy Zandwijk \(Samba\) via samba" <samba at lists.samba.org> wrote:
> >>> I think it's a best practice to adhere the least privilege
> >>> principles.
> >
> > Yes, and for that you need admin rights to setup.
> >
> >>> If the AD admins pre-create the computer account and give the
> >>> Samba domain member server admin the keytab and machine password,
> >
> > Again, the need of admin rights.
>
> "Admin rights" is an over-simplification here.
> The relevant principle is called separation of duty.
>
> For adding the computer account and to set the temporary computer
> password you need admin rights in the OU within the domain.
Correct.
>
> For joining the machine with its computer account you need (temporary)
> administrative access to the machine and the temporary computer
> password.
Couldn't get this to work.
>
> But it should not be required to enter the password of the OU admin on
> the machine to be joined!
It isn't.
>
> I think one can do this with msktutil --set-samba-secret for renewing
> host keytab and Samba's secret.tdb.
You need a group with the permissions to join computers set on the OU,
a user who is a member of this group and the user's keytab. You only
need standard Unix and Samba tools.
>
> I recently wrote an ansible role with which an OU admin (has TGT on
> ansible controller) pre-creates / resets the computer account and the
> machine is joined with msktutil and temporary computer password in
> one play.
You don't need to precreate the computer, the join with 'net' will do
it for you.
Rowland
>
> Ciao, Michael.
>
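The delegated join Rowland describes (a group with join rights on the OU, a member user, that user's keytab, and only standard tools), written out as an added example script; it is not code from the thread or from Samba. The realm, account name, keytab path and OU path are assumed placeholders.

```shell
#!/bin/sh
# Delegated AD join for a Samba member server without an OU admin password
# on the box: a service account whose group has "create computer objects"
# rights on the target OU authenticates from its own keytab, and 'net'
# creates the computer object during the join. All values below are assumed.
set -eu

REALM="${REALM:-EXAMPLE.COM}"                        # assumed Kerberos realm
JOIN_USER="${JOIN_USER:-svc-join}"                   # assumed delegated join account
JOIN_KEYTAB="${JOIN_KEYTAB:-/etc/svc-join.keytab}"   # assumed keytab for that account
# net(8) createcomputer= takes the OU path top-down, '/'-delimited, no RDNs.
TARGET_OU="${TARGET_OU:-Servers/Unix}"               # assumed OU path

# Obtain a TGT for the join account from its keytab; nobody types a password.
kinit_cmd() {
    printf 'kinit -k -t %s %s@%s\n' "$1" "$2" "$3"
}

# Join using that ticket (-k) and let 'net' create the computer object in
# the OU the group is delegated for; no pre-created account is needed.
join_cmd() {
    printf 'net ads join -k createcomputer="%s"\n' "$1"
}

# Only run the join when explicitly asked; otherwise print what would run.
if [ "${DO_JOIN:-0}" = "1" ]; then
    eval "$(kinit_cmd "$JOIN_KEYTAB" "$JOIN_USER" "$REALM")"
    eval "$(join_cmd "$TARGET_OU")"
    net ads testjoin      # verify the new machine account actually works
    kdestroy              # drop the join account's ticket afterwards
else
    kinit_cmd "$JOIN_KEYTAB" "$JOIN_USER" "$REALM"
    join_cmd "$TARGET_OU"
fi
```

Run with `DO_JOIN=1` on the member server as root (winbind/keytab handling still needs local admin rights, which is the separation of duty Michael describes); without it the script only prints the two commands.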