How to automate kinit process to obtain TGT for Kerberos?

I'm currently writing a Puppet module to automate the process of joining RHEL servers to an AD domain, with support for Kerberos.

Currently, I have problems with automatically obtaining and caching a Kerberos ticket-granting ticket via kinit. If this were to be done manually, I would do this:

kinit [email protected]

This prompts for the AD user password, hence there is a problem with automating this.

How can I automate this? I've found some posts mentioning using kadmin to create a database with the AD user's password in it, but I've had no luck.


While you can just hard-code the password into your automation, the more correct Kerberos way to do this is to create a keytab for the principal and then use that to authenticate. kinit supports authenticating from a keytab using the -k -t <keytab-path> options.

The primary advantage of a keytab is that it isolates the credentials in a separate file and can be used directly by various Kerberos software (so you don't have to add code to read a password from a separate file). It can also be created with standard commands (with an AD KDC, use ktpass). There are some more advantages if you had a Linux KDC, such as easily randomizing keys stored in the keytab rather than using a weaker password.
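
An added example, not part of the original answer: a shell wrapper around the `kinit -k -t <keytab-path>` call described above. It refuses a keytab that anyone other than its owner can access (a keytab holds the principal's long-term keys) and skips the request when `klist -s` reports a valid cached ticket, so it can be run repeatedly from Puppet. The function names, and the path and principal in the usage comment, are assumptions.

```shell
#!/bin/sh
# Added example: obtain a TGT from a keytab without a password prompt.
# Hypothetical usage: refresh_tgt /etc/krb5.join.keytab svc-join@EXAMPLE.TEST

# Return 0 only if the keytab is a regular file (not a symlink), owned by
# the calling user, with no permission bits set for group or other.
keytab_is_private() {
    kt=$1
    [ -f "$kt" ] && [ ! -L "$kt" ] && [ -O "$kt" ] || return 1
    # Characters 5-10 of the mode string are the group and other bits.
    perms=$(ls -ld "$kt" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Exit codes: 0 = valid ticket present or obtained, 2 = keytab rejected,
# anything else = kinit's own failure code.
refresh_tgt() {
    kt=$1
    princ=$2
    keytab_is_private "$kt" || {
        echo "refusing keytab '$kt': need a regular file owned by the caller, mode 0600 or stricter" >&2
        return 2
    }
    # klist -s is silent and exits 0 when the cache holds an unexpired ticket.
    klist -s 2>/dev/null && return 0
    # -k: take the key from a keytab; -t: path of that keytab.
    kinit -k -t "$kt" "$princ"
}
```
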


Stupid me, you can simply use the following command:

echo "password" | kinit aduser@REALM

According to the man page you might use:

kinit --password-file="$HOME/my.secret" [email protected]

So you just might provide your password via a file.