On Sat, 2 Mar 2019 10:25:49 +0100
Michael Ströder <michael at stroeder.com> wrote:

> On 3/1/19 10:17 PM, Rowland Penny via samba wrote:
> > You don't need to precreate the computer, the join with 'net' will
> > do it for you.
>
> But then I need to have administrative rights on the OU for the admin
> doing the actual join. For security reasons I don't want to enter the
> OU admin's password on the machine to be joined.
>
> Maybe I got you wrong though.
>
> Ciao, Michael.

You create a group, set permissions on the OU for the group to join
machines. Create a user (I called the user 'joinuser') with a random
password set to never expire. Export the keytab for this user and copy
it to the machine that you want to join. Then run (on the computer you
want to join):

export KRB5CCNAME="/tmp/joinuser.cc"
kinit -F -k -t /etc/joinuser.keytab -c "$KRB5CCNAME" joinuser
net ads join --workgroup="$Domain" --server="$DC" createcomputer="$OU" -k --no-dns-updates

The machine should join without a password.

Rowland
On 3/2/19 1:30 PM, Rowland Penny via samba wrote:
> On Sat, 2 Mar 2019 10:25:49 +0100
> Michael Ströder <michael at stroeder.com> wrote:
>
>> On 3/1/19 10:17 PM, Rowland Penny via samba wrote:
>>> You don't need to precreate the computer, the join with 'net' will
>>> do it for you.
>>
>> But then I need to have administrative rights on the OU for the admin
>> doing the actual join. For security reasons I don't want to enter the
>> OU admin's password on the machine to be joined.
>>
>> Maybe I got you wrong though.
>
> You create a group, set permissions on the OU for the group to join
> machines. Create a user (I called the user 'joinuser') with a random
> password set to never expire. Export the keytab for this user and copy
> it to the machine that you want to join. Then run (on the computer you
> want to join):
>
> export KRB5CCNAME="/tmp/joinuser.cc"
> kinit -F -k -t /etc/joinuser.keytab -c "$KRB5CCNAME" joinuser
> net ads join --workgroup="$Domain" --server="$DC" createcomputer="$OU" -k --no-dns-updates
>
> The machine should join without a password.

But with your approach you still copy a credential (the joinuser's
keytab) onto the machine to be joined which has more power than really
needed.

When pre-creating the computer account you just let the machine account
use its initial password (like for regular keytab update).

Or do I overlook something?

Ciao, Michael.
On Sat, 2 Mar 2019 19:28:27 +0100
Michael Ströder <michael at stroeder.com> wrote:

> But with your approach you still copy a credential (the joinuser's
> keytab) on the machine to be joined which has more power than really
> needed.

The only extra power, over and above a normal user, is the permission to
join a computer to a specific OU, gained through being a member of a
group. This user cannot log in; the password is unknown.

> When pre-creating the computer account you just let the machine
> account use its initial password (like for regular keytab update).
>
> Or do I overlook something?

Don't know, but I couldn't get your way to work, possibly because the
computer didn't have permission to join a computer in the OU.

Rowland