I am using realmd to join an Active Directory domain, and I am successful when using the command:

    sudo realm join -U user@domain.com domain.com

It prompts me for the password, and it works.

I am now trying to automate the process. I'd like to run the above command (or some variation of it) without being prompted for a password.

I tried creating a Kerberos keytab. I ran the kinit command, and I can see the user using klist.

Useful data from klist:

    Default principal: user@domain.com
    Service principal: krbtgt/domain.com@domain.com

I ran the command sudo realm join expecting it to read the keytab, but I get the following:

    $ sudo realm join
    Password for Administrator:

I get prompted for a password for Administrator, which is not my user. Based on the sources I found online, it should not prompt me for a password if Kerberos has been set up. I feel like realmd is not even reading the initialized user. Do you have an idea how I can fix this? Is there something else I should do at the level of Kerberos or realmd configurations?
Admin credentials are only used in order to create a computer account. So instead of distributing your domain admin credentials to each machine (which is risky), use adcli on your local system to pre-create those machine accounts – which allows you to join using --one-time-password or --no-password.

If you really want to use a keytab, however, remember that Kerberos ticket caches are generally per-user, and the whole point of sudo is to switch to a different user. So it is not enough for klist to work; you also need sudo klist to work – which will likely need a KRB5CCNAME= to be specified so that klist/realm could find your ccache while running under a different UID.

    sudo KRB5CCNAME=FILE:/tmp/krb5cc_1234 klist
    sudo KRB5CCNAME=FILE:/tmp/krb5cc_1234 realm join

The default cache location is shown in your klist. If your OS defaults to a "KEYRING" cache, you'll first need to manually switch to a file-based one, as keyring caches cannot be used across UIDs.

    export KRB5CCNAME=FILE:/tmp/krb5cc_admin
    kinit -k -t admin.keytab
    sudo KRB5CCNAME="$KRB5CCNAME" klist
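Both routes the answer describes (a pre-created computer account joined with a one-time password, or a keytab whose FILE: ccache is handed to sudo after checking that root can read it), written up as an added example that is not from the original answer. It assumes adcli and realm are installed and that the domain, host name, one-time password, keytab and principal are supplied by the caller; the klist text is constructed.

```sh
# Added example (not from the original answer). Assumes adcli and realm are
# installed; DOMAIN, HOST, OTP, KEYTAB and PRINCIPAL come from the caller.

# Constructed klist output, in the shape the question shows.
KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_1234
Default principal: user@domain.com

Valid starting     Expires            Service principal
01/01/70 00:00:00  01/01/70 10:00:00  krbtgt/domain.com@domain.com'

# Pull the "Ticket cache:" and "Default principal:" lines out of klist text.
klist_ccache()    { printf '%s\n' "$1" | sed -n 's/^Ticket cache: *//p'; }
klist_principal() { printf '%s\n' "$1" | sed -n 's/^Default principal: *//p'; }

# Only FILE: and DIR: caches can be opened by another UID (root under sudo);
# KEYRING: and KCM: caches are tied to the calling user's session.
ccache_usable_across_uids() {
    case "$1" in
        FILE:*|DIR:*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Route 1 (what the answer recommends): pre-create the computer account from an
# admin workstation, then join the host with the one-time password only.
preset_and_join() {                           # preset_and_join DOMAIN HOST OTP
    adcli preset-computer --domain="$1" --one-time-password="$3" "$2" || return 1
    sudo realm join --one-time-password="$3" "$1"   # run this on the target host
}

# Route 2: keytab-based join through a FILE: cache that sudo can see.
keytab_join() {                               # keytab_join DOMAIN KEYTAB PRINCIPAL
    KRB5CCNAME="FILE:/tmp/krb5cc_join.$$"; export KRB5CCNAME
    ccache_usable_across_uids "$KRB5CCNAME" || return 1
    kinit -k -t "$2" "$3" || return 1
    # The check the answer insists on: the ticket must be visible as root.
    sudo KRB5CCNAME="$KRB5CCNAME" klist >/dev/null || return 1
    sudo KRB5CCNAME="$KRB5CCNAME" realm join "$1"; rc=$?
    kdestroy -c "$KRB5CCNAME" 2>/dev/null
    return $rc
}
```

Run klist_ccache against your own klist output first: if it does not start with FILE: or DIR:, switch the cache type before attempting keytab_join.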