Saturday, February 14, 2015

Joining a Linux host to Active Directory unattended



I'm trying to set up a block of hosts using kickstart, and there are two commands that need the password to be entered. One is kinit; for that one it's easy to just generate a keytab file and pass it using -t. The other is the net join that gets called indirectly when I execute the authconfig command.




Is there any way to hand the password in either through a credentials file or using a password hash? Obviously I don't want to just pass it as plain text.






@ewwhite Thanks for the link, I'll have a look. I'm not sure of anything, and I'm definitely not opposed to using SSSD for this if it lets me accomplish the exact same thing and allows for unattended provisioning. My using Samba/Winbind has more to do with my level of comfort with those. Can you suggest how I would go about doing the same thing using SSSD, keeping in mind that I don't want to have to input a password manually?



Relevant kickstart content:



cat << EOF > /etc/samba/smb.conf
[global]

encrypt passwords = yes
# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
passdb backend = tdbsam
EOF

chkconfig smb on
chkconfig nmb on

service smb restart
service nmb restart

cat << EOF > /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]

default_realm = AD.DOMAIN.NET
dns_lookup_realm = true
dns_lookup_kdc = true
allow_weak_crypto = false
ticket_lifetime = 24h
renew_lifetime = 7d
rdns = false
forwardable = true

[realms]

AD.DOMAIN.NET = {
admin_server = dc01.ad.domain.net
default_domain = ad.domain.net
kdc = dc01.ad.domain.net
}

[domain_realm]
.ad.domain.net = AD.DOMAIN.NET
ad.domain.net = AD.DOMAIN.NET
EOF


# sync the clock with the DC first; Kerberos rejects requests outside its clock-skew window
net time set -S dc01.ad.domain.net

# get a TGT from the keytab instead of typing a password
/usr/bin/kinit -k -t addom.keytab Administrator@AD.DOMAIN.NET

# --winbindjoin makes authconfig call "net join" itself, which is the step that prompts for a password
authconfig --update \
--kickstart \
--enablewinbind \
--enablewinbindauth \
--smbsecurity=ads \
--smbrealm=AD.DOMAIN.NET \
--winbindjoin=administrator@AD.DOMAIN.NET \
--winbindtemplatehomedir=/home/DOMAIN/%U \
--winbindtemplateshell=/bin/bash \
--enablewinbindusedefaultdomain \
--enablelocauthorize \
--smbservers=dc01.ad.domain.net \
--enablemkhomedir \
--smbidmaprange=100000-200000


Answer



Turns out the net command has an option to use the Kerberos keytab; I just had to read the man pages better than I had previously. Here's what worked for me:

On the domain controller:

ktpass -princ host/test.ad.domain.net@AD.DOMAIN.NET -mapuser AD\Administrator -pass * -out test.keytab

On the computer doing the join:

# with -k and no principal, kinit uses this host's host/ principal from the keytab
kinit -k -t /tmp/test.keytab
# -k tells net to authenticate with the Kerberos ticket instead of prompting for a password
net ads join -k
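The kickstart fragment in the question and the keytab-based join in the answer fit together as one %post-style script. The following is an added example, not code from the original question or answer: it assumes the keytab was produced with ktpass for host/<fqdn>@AD.DOMAIN.NET as shown above, that the kickstart dropped it at /root/join.keytab (an assumed path), and that the script is invoked with a "run" argument so that sourcing it does nothing. The realm and DC names are the placeholders already used on this page.

```shell
#!/bin/sh
# Unattended AD join for a kickstart %post section (added example, not from
# the original post). Assumptions: keytab created on the DC with
#   ktpass -princ host/<fqdn>@AD.DOMAIN.NET -mapuser ... -out join.keytab
# and copied to $KEYTAB by the kickstart; "run" argument and DRY_RUN are
# conventions of this example only.

KEYTAB="${KEYTAB:-/root/join.keytab}"   # assumed: where the kickstart dropped the keytab
REALM="${REALM:-AD.DOMAIN.NET}"         # realm from the original post
DC="${DC:-dc01.ad.domain.net}"          # domain controller from the original post
DRY_RUN="${DRY_RUN:-0}"                 # DRY_RUN=1 prints the commands instead of running them

# run CMD...: execute a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# join_principal FQDN REALM: the principal that ktpass created with -princ host/FQDN@REALM.
join_principal() {
    echo "host/$1@$2"
}

# check_keytab PATH: the keytab is a credential, so refuse to use one that is
# missing or readable by group/others (mode 0600 or 0400 expected).
check_keytab() {
    if [ ! -f "$1" ]; then
        echo "keytab $1 not found" >&2
        return 1
    fi
    # columns 5-10 of "ls -l" output are the group and other permission bits
    if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
        echo "keytab $1 is readable by group or others; chmod 600 it" >&2
        return 1
    fi
    return 0
}

# join_domain FQDN: sync the clock, get a TGT from the keytab, join with -k,
# verify the join, then drop the ticket and the join keytab.
join_domain() {
    princ=$(join_principal "$1" "$REALM")
    # Kerberos rejects authenticators outside its clock-skew window, so sync first
    run net time set -S "$DC" || return 1
    run kinit -k -t "$KEYTAB" "$princ" || return 1
    run net ads join -k || return 1
    # testjoin confirms the machine account works before winbind starts relying on it
    run net ads testjoin || return 1
    # neither the TGT nor the join keytab is needed once the host is joined
    run kdestroy
    run rm -f "$KEYTAB"
    return 0
}

main() {
    check_keytab "$KEYTAB" || exit 1
    join_domain "$(hostname -f)" || exit 1
}

# Only act when invoked as "sh ad-join.sh run", so sourcing the file is harmless.
case "${1:-}" in
    run) main ;;
esac
```

In %post this would be called as `sh /root/ad-join.sh run`; `DRY_RUN=1` shows the exact command sequence without touching the domain. Two design points follow from the page: the keytab carries whatever rights the account it was mapped to has, so a dedicated account delegated only the right to join computers to the target OU is the usual replacement for Administrator; and because the keytab travels inside the kickstart image, the script deletes it as soon as the join is verified rather than leaving a second credential on every provisioned host.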
