
We use Puppet to configure our servers, but creating Kerberos keytabs for them is currently a manual process. We would like the Kerberos keytabs of the Unix machines to be generated automatically when the machine is first bootstrapped.

The various tutorials (such as this) out there explain how a keytab can be obtained by the new machine itself -- but this requires Samba and other tools, which we'd like to avoid installing.

Can an existing Unix machine request a keytab for another Unix machine from the AD-server? How? Do we have to code (perhaps, using Samba4's Python API -- poorly documented at the moment), or can this be achieved with the existing tools?

Mikhail T.

2 Answers


Ok, first of all, thanks to @Jason-Walker for the pointer to kclient -- a typical Sun implementation (functional but ugly) in ksh with helper utilities implemented in C. Apparently, joining a domain consists of creating the host's entry via standard LDAP -- Sun's script uses ldapsearch, ldapmodify, and ldapadd from OpenLDAP.

Once the host is registered by the script (contrary to @Jason-Walker's assessment, this can be done from any host in the domain), it invokes the ksetpw helper utility to generate the keytab. I had almost finished porting it all to Linux and BSD when I came across adcli, which already does exactly what we need and is available as an RPM. I even created a FreeBSD port of the utility (with Heimdal support), out of sheer gratitude.

And there was much rejoicing.

Mikhail T.

There won't be any transparent way of doing this. The host keytab represents a copy of the host secret - a password that is known only to the Kerberos servers (Active Directory Domain Controllers) and the client. Under normal circumstances, the keytab is created when the client is joined to the Domain (at which time the user authenticates to the Domain and creates a new secret for the workstation). Once joined, the machine (by default) updates the secret every 30 days.

The Samba client can generate a keytab, but it does this by authenticating the user account using the 'net join' command. The authenticating user's password is used to create the initial host secret.

Other programs that can "join the domain" from the Linux client, and create an initial secret (and matching keytab file) include Dell Authentication Services (formerly Quest Authentication Services, formerly Vintela Authentication Services, and still mostly known as 'vas'); LikeWise; and Centrify.

To perform the initial join, the client will need to authenticate to the Domain using a domain account authorized to create computer objects, join workstations to the domain, or reset computer account passwords for existing domain members. The user account might be authenticated using a password, or using an existing user keytab file.

The reference implementation, MIT Kerberos, can create keytab files, but as far as I recall cannot create a new computer account on the Domain.

Edit: If your distribution contains 'kclient', that should do what you want; you do still have to embed a credential into your join script to authenticate to the Domain initially. See https://docs.oracle.com/cd/E36784_01/html/E36871/kclient-1m.html and

  • We can authenticate with a special keytab -- can Samba's "net join" be run from a _different_ host, however? Thanks! – Mikhail T. Jun 10 '16 at 04:39
  • Joining from a different host would probably be more trouble than it's worth. If a fake host performs the join, you would have to reconfigure the samba.conf and set 'netbios name = ' to the name of the machine you want to join, then transport the secrets from fake machine to the machine you wanted joined. If you're moving secrets, might as well embed a password to perform the samba join on the real machine. – Jason Walker Jun 11 '16 at 02:55
  • Ok, I found the `kclient` script and accompanying utilities in the [OpenSolaris distribution](https://github.com/illumos/illumos-gate/tree/5a4ef21a18dfdc65328821a265582d03e85a97c9/usr/src/cmd/krb5/kadmin) and made a partial port to Linux. How would you run it on one machine to generate a keytab for another? We'd like to do that to avoid installing Samba et al. on every machine. – Mikhail T. Jun 11 '16 at 02:55
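The two answers together describe one procedure: authenticate to the domain once with a service account (the second answer's point about a credential that may live in a keytab rather than a password), then create the computer object and write its keytab from a host that is not the one being joined (the accepted answer's adcli finding). The script below is an added example, written for this page and not taken from either answer, adcli or kclient. The realm, domain, OU, join account and paths are assumptions; the adcli option names are as documented in adcli(8) at the time of writing and should be checked against the installed version. With DRY_RUN=1 it only prints the adcli command it would run, so the argument construction can be checked without a domain controller.

```shell
#!/bin/sh
# Added example: provision a host keytab for ANOTHER Unix host from a
# provisioning host that already has adcli and Kerberos client tools.
# Everything below the comment block is an assumption for the example.
set -eu

DOMAIN="example.com"                          # assumed AD DNS domain
JOIN_PRINC="join-svc@EXAMPLE.COM"             # assumed account allowed to create computer objects
JOIN_KEYTAB="/etc/krb5/join-svc.keytab"       # assumed keytab of that account (root-only, mode 0600)
COMPUTER_OU="OU=Unix,DC=example,DC=com"       # assumed container for Unix hosts
KEYTAB_DIR="/var/lib/keytabs"                 # assumed staging directory on the provisioning host

# AD stores a computer as sAMAccountName "NAME$" with at most 15 characters
# before the '$'. Derive the name the way join tools do: first DNS label,
# upper case, truncated to 15 characters. Doing it here makes the truncation
# visible instead of silently diverging from the FQDN.
computer_name() {
    printf '%s' "$1" | cut -d. -f1 | tr 'a-z' 'A-Z' | cut -c1-15
}

# Refuse anything that is not a plain lower-case FQDN before it reaches
# adcli or LDAP: no underscores, no leading/trailing hyphens, at least one dot.
valid_fqdn() {
    printf '%s' "$1" |
        grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# Create the computer object for $1 and write its keytab to KEYTAB_DIR.
# Prints the exact command and exits when DRY_RUN=1.
provision_host() {
    fqdn="$1"
    valid_fqdn "$fqdn" || {
        printf 'refusing to join invalid FQDN: %s\n' "$fqdn" >&2
        return 2
    }
    name=$(computer_name "$fqdn")
    keytab="$KEYTAB_DIR/$name.keytab"

    # Build the argument vector once; the same words are printed in dry-run
    # mode and executed otherwise, so what you test is what you run.
    set -- adcli join \
        "--domain=$DOMAIN" \
        --login-ccache \
        "--computer-name=$name" \
        "--host-fqdn=$fqdn" \
        "--domain-ou=$COMPUTER_OU" \
        "--host-keytab=$keytab"

    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
        return 0
    fi

    # Private credential cache for this run so the join account's TGT never
    # lands in the default cache of whoever invoked the script.
    cc=$(mktemp)
    export KRB5CCNAME="FILE:$cc"
    trap 'kdestroy >/dev/null 2>&1; rm -f "$cc"' EXIT

    # MIT kinit syntax; Heimdal uses "kinit -t KEYTAB PRINCIPAL" instead.
    kinit -kt "$JOIN_KEYTAB" "$JOIN_PRINC"

    umask 077
    mkdir -p "$KEYTAB_DIR"
    "$@"                       # adcli uses the cache named by KRB5CCNAME
    klist -k "$keytab"         # show the host/ and NAME$ entries that were written
}

# Usage: DRY_RUN=1 sh provision-keytab.sh newbox.unix.example.com
if [ "${1:-}" != "" ]; then
    provision_host "$1"
fi
```

The keytab this writes is the new host's long-term secret, so the staging copy has to be delivered over an authenticated channel (for example as a mode 0600 root-owned file managed by Puppet) and deleted from the provisioning host afterwards; anyone who reads it can impersonate the host until its password is rotated. Note that the script gives the provisioning host the join account's credentials, not each target host, which is the trade-off the second answer's comments discuss.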