
I'm trying to set up a block of hosts using kickstart and there are two commands that need the password to be entered. One is kinit, for that one it's easy to just generate a keytab file and pass it using -t, the other is the net join that gets called indirectly when I execute the authconfig command.

Is there any way to hand the password in either through a credentials file or using a password hash? Obviously I don't want to just pass it as plain text.


@ewwhite Thanks for the link, I'll have a look. I'm not sure of anything, and I'm definitely not opposed to using SSSD for this if it lets me accomplish the exact same thing and it allows for unattended provisioning. My using Samba/Winbind has more to do with my level of comfort for those. Can you suggest how I would go about doing the same thing using SSSD keeping in mind that I don't want to have to input a password manually?

Relevant kickstart content:

cat << EOF > /etc/samba/smb.conf
[global]
   encrypt passwords = yes
   # logs split per machine
   log file = /var/log/samba/log.%m
   # max 50KB per log file, then rotate
   max log size = 50
   passdb backend = tdbsam
EOF

chkconfig smb on
chkconfig nmb on
service smb restart
service nmb restart

cat << EOF > /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = AD.DOMAIN.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 allow_weak_crypto = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 rdns = false
 forwardable = true

[realms]
 AD.DOMAIN.NET = {
  admin_server = dc01.ad.domain.net
  default_domain = ad.domain.net
  kdc = dc01.ad.domain.net
 }

[domain_realm]
 .ad.domain.net = AD.DOMAIN.NET
 ad.domain.net = AD.DOMAIN.NET
EOF

net time set -S dc01.ad.domain.net

/usr/bin/kinit -k -t addom.keytab Administrator@AD.DOMAIN.NET

authconfig --update \
           --kickstart \
           --enablewinbind \
           --enablewinbindauth \
           --smbsecurity=ads \
           --smbrealm=AD.DOMAIN.NET \
           --winbindjoin=administrator@AD.DOMAIN.NET \
           --winbindtemplatehomedir=/home/DOMAIN/%U \
           --winbindtemplateshell=/bin/bash \
           --enablewinbindusedefaultdomain \
           --enablelocauthorize \
           --smbservers=dc01.ad.domain.net \
           --enablemkhomedir \
           --smbidmaprange=100000-200000
Michael Hampton
Geoff Johnson

2 Answers


Plenty of options... See: Common wisdom about Active Directory authentication for Linux Servers?

With EL6, are you sure you want to go the Samba/Winbind route? These days, a well-crafted authconfig string and an SSSD configuration (/etc/sssd/sssd.conf) file are pretty much all that you need... (Unless you're trying to integrate home directories)

What's in your kickstart now?

ewwhite
From what I've read in RedHat documents if you require file sharing services then you can't use SSSD and realmd. Testing has me convinced that that is true. Seems Samba/Winbind is still the way to go, but apparently if you have a valid kerberos ticket you don't have to input a password, that just isn't working for me though. – Geoff Johnson Aug 01 '14 at 16:37

Turns out the net command has an option to use the kerberos keytab, just had to read the man pages better than I had previously. Here's what worked for me:

on the domain controller

ktpass -princ host/test.ad.domain.net@AD.DOMAIN.NET -mapuser AD\Administrator -pass * -out test.keytab

on the computer doing the join

kinit -k -t /tmp/test.keytab
net ads join -k
Geoff Johnson
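The keytab-based join from this answer, as an added example that is not part of the original post: a kickstart %post fragment that refuses to use a keytab other users can read, verifies the join, and then removes the keytab and ticket cache so a credential mapped to a privileged account is not left on the provisioned host. The KEYTAB and PRINC values are assumptions taken from the thread; how the keytab reaches the host is not covered here.

```shell
#!/bin/sh
# Added example, not code from the original post. Paths and principal are
# assumptions matching the thread; adjust KEYTAB/PRINC for your realm.
KEYTAB=${KEYTAB:-/tmp/test.keytab}
PRINC=${PRINC:-host/test.ad.domain.net@AD.DOMAIN.NET}

# Succeed only if $1 is a regular file whose group and other permission bits
# are all zero (0600, 0400, ...). %post runs as root, so ownership is not
# checked here; the mode check is what keeps the keytab from being copied
# by any other local user before the host is finished provisioning.
keytab_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Obtain a ticket from the keytab, join with it (net ads join -k), confirm the
# machine account actually works, then destroy the keytab and ticket cache.
join_domain() {
    if ! keytab_is_private "$KEYTAB"; then
        echo "refusing to use $KEYTAB: it must be mode 0600 (chmod 600 it first)" >&2
        return 1
    fi
    kinit -k -t "$KEYTAB" "$PRINC" || return 1
    net ads join -k || return 1
    net ads testjoin || return 1
    # The keytab was created against a privileged AD account; do not leave it behind.
    shred -u "$KEYTAB" 2>/dev/null || rm -f "$KEYTAB"
    kdestroy
}

# In %post call join_domain directly; guarded here so the file can also be sourced.
if [ "${1:-}" = "join" ]; then
    join_domain
fi
```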