
Gist: I have set up a samba as AD DC. I'd like to export a keytab for SPNs for a computer account only, without having the computer run samba itself or issue net ads join. Running samba-tool domain exportkeytab gives me no keys for the SPNs, and I believe it's because there is no machine password. How can I fix that?

Long version: I have set up a Samba as a full-featured AD primary domain controller. User authentication works, DNS works, etc., so I'm fairly sure that the server itself is ok. In addition, there are already two machines joined to the domain and their keytab works, so the server is probably not at fault, but PEBKAC.

Now I have a FreeBSD-running Squid cache and I'd like to set up Kerberos authentication for the proxy. I don't want to run Samba on this machine - there is no reason for it. So I thought that creating a computer account, setting SPNs and exporting the keytab might work, but it didn't.

Specifically, I run samba-tool computer add PROXYMACHINE --ip-address=172.19.9.22 --ip-address=dead:beef:cafe::22 --service-principal-name='host/proxymachine.example.com' --service-principal-name='HTTP/proxymachine.example.com'. Everything works fine; running samba-tool computer show PROXYMACHINE gives me the full info.

However, running samba-tool domain exportkeytab complete.keytab does not give me any keys for the SPNs of the machine. The filter conditions also don't work. samba-tool tells me "Export two principals to krb5.keytab," but the file does not even exist (even though samba-tool exits with RC 0).

The difference between the joined computers and this one is that there is no password. So I believe that this might be the culprit. But I don't know how to set a machine password, and I can't verify that this actually is the problem - it might be something else.

So, bottom line: What do I need to do to (1) manage a computer as an "inventory item" (computer account), (2) associate SPNs with it, and (3) export those to a Kerberos keytab? Or is my approach perhaps wrong entirely?

Technaton

1 Answer


A computer password is set by joining a domain. Computers manage their accounts, and they can even be subject to policies. However, an AD server usually does not enforce policies in the same way as it would with a user account. E.g., should the machine fail to change its password, it wouldn't be excluded from the domain.

With regards to the question, research & trial and error in VMs led to the following solution candidates:

  1. Simply use winbindd. That means installing the samba suite, configuring the samba daemon, and issuing net ads join -k. It seems to be the traditional way employed by almost all tutorials on the net. Pros: A Kerberos keytab and user lookup.
  2. Use sssd, specifically, the sssd-ad module. sssd can also join domains through its AD provider. sssd will then use Kerberos (for authentication) + LDAP (for user lookup/authorization).
  3. In case you don't need user lookup (as with the original Squid problem), msktutil might be for you. It creates user accounts and transfers keytabs, but it does not provide a daemon for user lookup.

Choosing between 1/2 and 3 was easy with regard to the original question: I chose (3), because I did not need to look up user information. But if one needs user information lookups, the choice between 1 and 2 did not seem obvious. Red Hat advocates sssd (cf. https://www.redhat.com/en/blog/overview-direct-integration-options, SSSD vs. Winbind), arguing that sssd is more stable and probably faster. I have been bitten more than once by winbindd simply dying on me on network failures, so I can relate to that, but I do not have any hard evidence.

Technaton