Joining a Linux host to Active Directory unattended

linux active-directory samba

I'm trying to setup a block of hosts using kickstart and there's two commands that need the password to be entered. One is kinit, for that one it's easy to just generate a keytab file and pass it using -t, the other is the net join that gets called indirectly when I execute the authconfig command.

Is there any way to hand the password in either through a credentials file or using a password hash? Obviously I don't want to just pass it as plain text.

@ewwhite Thanks for the link, I'll have a look. I'm not sure of anything, and I'm definitely not opposed to using SSSD for this if it lets me accomplish the exact same thing and it allows for unattended provisioning. My using Samba/Winbind has more to do with my level of comfort for those. Can you suggest how I would go about doing the same thing using SSSD keeping in mind that I don't want to have to input a password manually?

Relevant kickstart content:

cat << EOF > /etc/samba/smb.conf
[global]
   encrypt passwords = yes
   # logs split per machine
   log file = /var/log/samba/log.%m
   # max 50KB per log file, then rotate
   max log size = 50
   passdb backend = tdbsam
EOF

chkconfig smb on
chkconfig nmb on
service smb restart
service nmb restart

cat << EOF > /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = AD.DOMAIN.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 allow_weak_crypto = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 rdns = false
 forwardable = true

[realms]
 AD.DOMAIN.NET = {
  admin_server = dc01.ad.domain.net
  default_domain = ad.domain.net
  kdc = dc01.ad.domain.net
 }

[domain_realm]
 .ad.domain.net = AD.DOMAIN.NET
 ad.domain.net = AD.DOMAIN.NET
EOF

net time set -S dc01.ad.domain.net

/usr/bin/kinit -k -t addom.keytab [email protected]

authconfig --update \
           --kickstart \
           --enablewinbind \
           --enablewinbindauth \
           --smbsecurity=ads \
           --smbrealm=AD.DOMAIN.NET \
           [email protected] \
           --winbindtemplatehomedir=/home/DOMAIN/%U \
           --winbindtemplateshell=/bin/bash \
           --enablewinbindusedefaultdomain \
           --enablelocauthorize \
           --smbservers=dc01.ad.domain.net \
           --enablemkhomedir \
           --smbidmaprange=100000-200000

Solution 1:

Plenty of options... See: Common wisdom about Active Directory authentication for Linux Servers?

With EL6, are you sure you want to go the Samba/Winbind route? These days, a well-crafted authconfig string and an SSSD configuration (/etc/sssd/sssd.conf) file are pretty much all that you need... (Unless you're trying to integrate home directories)

What's in your kickstart now?

Solution 2:

Turns out the net command has an option to use the kerberos keytab, just had to read the man pages better than I had previously. Here's what worked for me:

on the domain controller

ktpass princ host/[email protected] mapuser AD\Administrator -pass * out test.keytab

on the computer doing the join

kinit -k -t /tmp/test.keytab
net ads join -k

Related

VMware FT, App HA: What happens if vCenter Server is offline?
Best way to secure Kickstart encrypted partition passwords
Can I force a Windows Server 2008 DNS Conditional Forwarder to use TCP Only?
every minute - possible SYN flooding on port 80
How to reload environment variables file in a running Docker container
Will a SSD storage perform like a magnetic for small root volumes in AWS EC2?
Virtualising a VERY legacy app
Load Balancing RDS (in AWS)
How to correctly configure DNS usage in Ubuntu? Authoritative answers without RA flag are ignored
What is the best method to change the server used for folder redirection?
How to log ssh client connection/command?
Remote automated provisioning to a XenServer Hypervisor