I have a Samba domain controller (also running in a container) and I would like to start a new container and have it become a member of the domain. The normal process for this is to enter the container and run

net ads join -U administrator

and then enter the Administrator password. I have all these steps working fine, but now I want to automate out the password. I really don't want to keep the unencrypted Administrator password stored on disk; I'd like that to be only known by humans. So, please no solutions where I just echo the password into the command.

I have root access to both containers (running in docker), and I'm sure there's probably some command I could run on the DC to export a ticket and then import that ticket on the new client. I just don't know enough Kerberos to know how to go about doing that.

The server and client are both Samba 4.17.12-Debian on Debian bookworm, configured mostly with the defaults.

I've already fought through the networking details to make these containers appear like VMs on the network, so you could just assume this is the same as if I were asking about real Linux hosts where I had root ssh access to each.

  • 1
    Samba has had offline domain join using blobs for a long time, as has Windows using djoin: net offlinejoin provision, then net offlinejoin requestodj. See samba.org/samba/docs/current/man-html/net.8.html
    – Greg Askew
    Nov 17 at 22:17
  • @GregAskew So close! The provision command also needs the administrator password though. Looking now for whether there's a generic way to get the DC to auto-authenticate the local root user...
    – M Conrad
    Nov 17 at 22:30
  • You should never need administrator to join a host to a domain.
    – Greg Askew
    Nov 18 at 1:58
  • @GregAskew would you like to elaborate about why? The official Samba guide wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member requires it. And every time I have done it on real windows hosts it prompts for the admin password. Although, in the meantime I did discover that samba-tool does not require a password when run as root. And samba-tool domain exportkeytab might do what I need.
    – M Conrad
    Nov 18 at 6:30

1 Answer


I would store the password or the secret in an Azure Key Vault and then "link/reference" the secret where the password is stored in the script.

Here is an example of how you can fetch a secret from an Azure Key Vault https://gist.github.com/shtratos/6c03ba89b302ff9ca6084d9ade627b79

If you are going to export things from a domain controller, they might expire, and with the key vault you can update the password in the key vault and then it keeps working, instead of having to import things every time they expire (and you might forget that).
