On Tue, 2012-10-30 at 01:43 +0100, Jakov Sosic wrote:
> Hi.
>
> Is it possible somehow to join a Linux machine to an AD Domain without
> providing any password on a CLI?
>
> So far, I've been joining machines purely by:
>
> # net ads join -U Administrator%password
>
> But now, I'm trying to automatize the process through puppet, but don't
> know if it's possible somehow to join domain without using administrator
> (or any other) password?
>
> I can ask domain admin to add the machine account by hand.

By some means, we need to securely establish a shared secret between the machine and the DC.

You could forward a Kerberos ticket to the host, if that's easier to automate and use -k.

The old (NT4) style of setting up the account first, which implicitly set the password to machinename, isn't exactly secure, so doesn't help much. (That was what smbpasswd -j used long ago.)

You can delegate the privilege of joining machines to the domain, which may lessen the impact of the password or Kerberos ticket/keytab you forward, but the shared secret needs to be securely set up somehow.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
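
Added example, not part of the original thread and not Samba project code: a join script that a tool such as Puppet could run, using a Kerberos ticket obtained from a keytab and the `-k` option mentioned in the reply, so no password appears on the command line. The principal name, keytab path, `DRY_RUN` switch and `--run` argument are assumptions made for illustration; the account is assumed to have only the delegated right to join machines.

```shell
#!/bin/sh
# Added example: domain join with a Kerberos ticket instead of -U user%password.
# Assumed values (hypothetical, not from the thread): principal and keytab path.
JOIN_PRINCIPAL="${JOIN_PRINCIPAL:-svc-join@EXAMPLE.COM}"
JOIN_KEYTAB="${JOIN_KEYTAB:-/etc/samba/join.keytab}"

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# keytab_is_private FILE: succeed only for a regular file with no
# group/other permission bits, since the keytab is the shared secret.
keytab_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

join_domain() {
    if ! keytab_is_private "$JOIN_KEYTAB"; then
        echo "refusing: $JOIN_KEYTAB missing or accessible to group/other" >&2
        return 1
    fi
    # Dedicated credential cache, so the ticket never lands in a shared one.
    KRB5CCNAME="FILE:$(mktemp /tmp/krb5cc_join.XXXXXX)"
    export KRB5CCNAME
    rc=0
    # -k tells net to authenticate with the ticket in the cache.
    run kinit -k -t "$JOIN_KEYTAB" "$JOIN_PRINCIPAL" &&
        run net ads join -k &&
        run net ads testjoin || rc=$?
    # Destroy the ticket whether or not the join succeeded.
    run kdestroy || true
    rm -f "${KRB5CCNAME#FILE:}"
    return "$rc"
}

# Only act when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then join_domain; fi
```

Running it with `DRY_RUN=1` prints the commands without contacting the DC, which is useful for checking the provisioning step before the keytab is distributed.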
