Joining a Linux host to Active Directory unattended
I'm trying to set up a block of hosts using kickstart and there are two commands that need the password to be entered. One is kinit; for that one it's easy to just generate a keytab file and pass it using -t. The other is the net join that gets called indirectly when I execute the authconfig command.
Is there any way to hand the password in either through a credentials file or using a password hash? Obviously I don't want to just pass it as plain text.
@ewwhite Thanks for the link, I'll have a look. I'm not sure of anything, and I'm definitely not opposed to using SSSD for this if it lets me accomplish the exact same thing and it allows for unattended provisioning. My using Samba/Winbind has more to do with my level of comfort for those. Can you suggest how I would go about doing the same thing using SSSD keeping in mind that I don't want to have to input a password manually?
Relevant kickstart content:
cat << EOF > /etc/samba/smb.conf
[global]
encrypt passwords = yes
# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
passdb backend = tdbsam
EOF
chkconfig smb on
chkconfig nmb on
service smb restart
service nmb restart
cat << EOF > /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = AD.DOMAIN.NET
dns_lookup_realm = true
dns_lookup_kdc = true
allow_weak_crypto = false
ticket_lifetime = 24h
renew_lifetime = 7d
rdns = false
forwardable = true
[realms]
AD.DOMAIN.NET = {
admin_server = dc01.ad.domain.net
default_domain = ad.domain.net
kdc = dc01.ad.domain.net
}
[domain_realm]
.ad.domain.net = AD.DOMAIN.NET
ad.domain.net = AD.DOMAIN.NET
EOF
net time set -S dc01.ad.domain.net
/usr/bin/kinit -k -t addom.keytab [email protected]
authconfig --update \
--kickstart \
--enablewinbind \
--enablewinbindauth \
--smbsecurity=ads \
--smbrealm=AD.DOMAIN.NET \
[email protected] \
--winbindtemplatehomedir=/home/DOMAIN/%U \
--winbindtemplateshell=/bin/bash \
--enablewinbindusedefaultdomain \
--enablelocauthorize \
--smbservers=dc01.ad.domain.net \
--enablemkhomedir \
--smbidmaprange=100000-200000
Solution 1:
Plenty of options... See: Common wisdom about Active Directory authentication for Linux Servers?
With EL6, are you sure you want to go the Samba/Winbind route? These days, a well-crafted authconfig string and an SSSD configuration file (/etc/sssd/sssd.conf) are pretty much all that you need... (Unless you're trying to integrate home directories)
What's in your kickstart now?
Solution 2:
Turns out the net command has an option to use the Kerberos keytab; I just had to read the man pages better than I had previously. Here's what worked for me:
On the domain controller (ktpass accepts its switches with a leading dash, which the copy above had lost):
ktpass -princ host/[email protected] -mapuser AD\Administrator -pass * -out test.keytab
On the computer doing the join:
kinit -k -t /tmp/test.keytab
net ads join -k
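The keytab-driven join from this answer, wrapped in a script a kickstart %post section could call, as an added example that is not part of the original post. The keytab path, realm and DC name are assumptions (the realm and dc01 are taken from the question); the script adds the checks a defender wants around an unattended join: it refuses a keytab that other users can read, syncs the clock first because Kerberos rejects skew of more than a few minutes, verifies the machine account with net ads testjoin, and destroys the join credential once the host is in the domain.

```shell
#!/bin/sh
# Added example (not from the original post): unattended AD join using a keytab.
# Assumed values; override them from the environment when calling the script.
KEYTAB="${KEYTAB:-/root/test.keytab}"        # keytab produced by ktpass on the DC
REALM="${REALM:-AD.DOMAIN.NET}"              # Kerberos realm from the question
DC="${DC:-dc01.ad.domain.net}"               # domain controller from the question

# Build the host principal that kinit -k uses by default: host/<fqdn>@REALM
host_principal() {
  printf 'host/%s@%s\n' "$1" "$2"
}

# Return 0 only when the file is readable by its owner alone (mode 0600 or 0400).
# A world-readable join keytab is a domain credential for every local user.
keytab_is_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

join_domain() {
  keytab_is_private "$KEYTAB" || {
    echo "refusing to use $KEYTAB: must be mode 0600 and owned by root" >&2
    return 1
  }
  # Kerberos refuses tickets when the clock skew exceeds a few minutes.
  net time set -S "$DC" || return 1
  # Obtain a TGT from the keytab instead of prompting for a password.
  kinit -k -t "$KEYTAB" "$(host_principal "$(hostname -f)" "$REALM")" || return 1
  # Join using the ticket cache; this is the -k option the answer found.
  net ads join -k || return 1
  # Confirm the machine account actually works before winbind depends on it.
  net ads testjoin || return 1
  # The join credential has done its job: drop the ticket and the keytab.
  kdestroy
  rm -f "$KEYTAB"
}

# Only perform the join when explicitly asked, so the file can be sourced for checks.
if [ "${1:-}" = "--run" ]; then
  join_domain
fi
```

Run it as `sh join.sh --run` from %post once the keytab has been placed at the assumed path with mode 0600; without `--run` the script only defines the functions.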