Hi all.
I'm looking for the best way to automate the realm join command. Ideally I'd achieve that in kickstart or at first login. I've been considering some kind of shell script, but it seems that it will work only when password is in plain text, which I want to avoid if possible.
Thanks for any suggestions
Service account with only ‘Join Computers to Domain’ privilege. Then generate a keytab and use that to get your Kerberos ticket for joining. Kickstart could ‘curl’ the file from a secure location and you can clean the keytab up after the join.
From: Zdravko Zdravkov nirayah@gmail.com Sent: Tuesday, July 9, 2019 1:39 AM To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org Subject: [SSSD-users] How to automate realm join command?
What I do is hang a kerberos keytab file on a (company-internal) web server. A kerberos keytab file that has the kerberos credentials for my service account -- the service account that has privileges to create machine accounts under my OU.
In this script called during the kickstart, I first wget this keytab file to /tmp. Then I kinit as that user principal using that keytab file. Finally I can then use realm join or adcli.
I admit -- this is not great security. It's probably only slightly better than embedding the clear text password in the script. But it accomplishes two things for me:
1. Allows me to get around cybersecurity's edict of "no clear text passwords" in any text file (including scripts).
2. Allows me to trivially change this service account's password yearly.
For #2, I just generate a new keytab file with the new password for this service principal. And hang it off the web server, in the usual place.
This service account has very few AD privileges, outside of creating machine accounts in this specific OU. So this level of security doesn't bother me.
It's just slightly more complicated than I describe; for instance, in RHEL8 in the initial kickstart (before the first reboot) -- not all the usual Kerberos cache stores are available. You have to use KRB5CCNAME to dumb down the Kerberos credentials caching slightly. But this technique works.
Spike
On Tue, Jul 9, 2019 at 4:34 AM Zdravko Zdravkov nirayah@gmail.com wrote:
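What Spike describes, written out as a kickstart %post helper. This is an added example, not Spike's script or anything from the thread; the web server URL, service principal, domain and computer OU are placeholder assumptions, and it relies on realm join picking up the ticket already in the credential cache.

```shell
#!/bin/sh
# Kickstart %post helper (added example): join AD with a service-account keytab
# fetched from an internal web server, so no password is ever written into the
# script. URL, principal, domain and OU below are placeholder assumptions.
set -eu

KEYTAB_URL="${KEYTAB_URL:-https://deploy.example.internal/joiner.keytab}"  # assumption
JOIN_PRINC="${JOIN_PRINC:-svc-joiner@EXAMPLE.COM}"                         # assumption
AD_DOMAIN="${AD_DOMAIN:-example.com}"                                       # assumption
COMPUTER_OU="${COMPUTER_OU:-OU=Linux,DC=example,DC=com}"                    # assumption
WORKDIR="${WORKDIR:-/tmp/adjoin.$$}"

# In %post before the first reboot the default KCM/KEYRING caches are not
# usable, so pin a plain FILE: credential cache explicitly.
export KRB5CCNAME="FILE:${WORKDIR}/krb5cc_join"

fetch_keytab() {  # $1 = URL, $2 = destination path
    # --fail turns an HTTP error into a non-zero exit instead of a saved error page
    curl --fail --silent --show-error --tlsv1.2 --output "$2" "$1"
    chmod 0600 "$2"
}

keytab_has_principal() {  # $1 = keytab path, $2 = principal; exit 0 if present
    klist -k "$1" | grep -q -- "$2"
}

ad_join() {  # $1 = keytab path: obtain a ticket from the keytab, then join
    kinit -kt "$1" "$JOIN_PRINC"
    realm join --computer-ou="$COMPUTER_OU" "$AD_DOMAIN"
}

cleanup() {  # wipe keytab and ticket cache whether or not the join succeeded
    kdestroy -A 2>/dev/null || true
    for f in "$WORKDIR/joiner.keytab" "${KRB5CCNAME#FILE:}"; do
        if [ -e "$f" ]; then shred -u "$f" 2>/dev/null || rm -f "$f"; fi
    done
    rm -rf "$WORKDIR"
}

main() {
    umask 077
    mkdir -p "$WORKDIR"
    trap cleanup EXIT
    fetch_keytab "$KEYTAB_URL" "$WORKDIR/joiner.keytab"
    keytab_has_principal "$WORKDIR/joiner.keytab" "$JOIN_PRINC"
    ad_join "$WORKDIR/joiner.keytab"
}

# Kickstart runs this as: sh adjoin.sh --run (without --run only the functions load)
if [ "${1:-}" = "--run" ]; then main; fi
```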
On Tue, Jul 09, 2019 at 11:38:51AM +0300, Zdravko Zdravkov wrote:
Hi all.
I'm looking for the best way to automate the realm join command. Ideally I'd achieve that in kickstart or at first login. I've been considering some kind of shell script, but it seems that it will work only when password is in plain text, which I want to avoid if possible.
Hi,
maybe the steps from https://web.archive.org/web/20160629035304/http://stef.thewalter.net/how-to-... might help.
bye, Sumit