Tags: active-directory, ldap, kerberos

Automate joining Active Directory (AD) using Kerberos keytab?


I am using realmd to join an Active Directory domain, and I am successful when using the command:

sudo realm join -U user@domain.com domain.com

It prompts me for the password, and it works.

I am now trying to automate the process. I'd like to run the above command (or some variation of it) without being prompted for a password.

I tried creating a Kerberos keytab. I ran the kinit command, and I can see the user using klist. Useful data from klist:

Default principal: user@domain.com
Service principal: krbtgt/domain.com@domain.com

I ran the command sudo realm join expecting it to read the keytab, but I get the following:

$ sudo realm join
Password for Administrator:

I get prompted for a password for Administrator, which is not my user. Based on the sources I found online, it should not prompt me for a password if Kerberos has been set up. I feel like realmd is not even reading the initialized user. Do you have an idea how I can fix this? Is there something else I should do at the level of Kerberos or realmd configurations?


Solution

  • Admin credentials are only used in order to create a computer account. So instead of distributing your domain admin credentials to each machine (which is risky), use adcli on your local system to pre-create those machine accounts – which allows you to join using --one-time-password or --no-password.

    If you really want to use a keytab, however, remember that Kerberos ticket caches are generally per-user, and the whole point of sudo is to switch to a different user. So it is not enough for klist to work; you also need sudo klist to work – which will likely need a KRB5CCNAME= to be specified so that klist/realm could find your ccache while running under a different UID.

    sudo KRB5CCNAME=FILE:/tmp/krb5cc_1234 klist
    sudo KRB5CCNAME=FILE:/tmp/krb5cc_1234 realm join
    

    The default cache location is shown in your klist. If your OS defaults to a "KEYRING" cache, you'll first need to manually switch to a file-based one, as keyring caches cannot be used across UIDs.

    export KRB5CCNAME=FILE:/tmp/krb5cc_admin
    kinit -k -t admin.keytab
    sudo KRB5CCNAME="$KRB5CCNAME" klist
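The check the answer describes, written out as an added shell example (not code from the original post or from the realmd/adcli projects): parse the "Ticket cache:" line that klist prints, decide whether that cache type can be read by a different UID, and only then hand it to realm under sudo. The klist output embedded below is constructed sample data; the keytab path, principal and the mktemp-based cache path in join_with_keytab are assumptions for illustration.

```shell
#!/bin/sh
# Added example: make sure the Kerberos credential cache that kinit filled
# is one that root (via sudo) can actually read before calling realm join.

# Constructed klist output from a host whose default cache type is KEYRING,
# the case the answer says must be switched to a FILE: cache first.
SAMPLE_KLIST_KEYRING='Ticket cache: KEYRING:persistent:1000:1000
Default principal: user@DOMAIN.COM

Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  krbtgt/DOMAIN.COM@DOMAIN.COM'

# Constructed klist output from a host already using a file-based cache.
SAMPLE_KLIST_FILE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@DOMAIN.COM'

# Extract the cache specifier, i.e. everything after "Ticket cache: ".
ccache_from_klist() {
    printf '%s\n' "$1" | sed -n 's/^Ticket cache: //p' | head -n 1
}

# A cache can be read by another UID only if it lives in the filesystem.
# KEYRING: and KCM: caches are bound to the calling UID; MEMORY: caches
# live inside one process. Returns 0 (true) only for FILE: and DIR:.
ccache_shareable() {
    case "$1" in
        FILE:*|DIR:*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Build the command the answer recommends: realm runs as root via sudo but is
# pointed at our cache through KRB5CCNAME. Printed so it can be inspected.
join_command() {
    ccache="$1"; domain="$2"
    printf 'sudo KRB5CCNAME=%s realm join %s\n' "$ccache" "$domain"
}

# Full flow. Arguments: keytab path, principal in that keytab, domain name.
# Not executed at top level; call it explicitly on a host with the keytab.
join_with_keytab() {
    keytab="$1"; principal="$2"; domain="$3"
    current=$(ccache_from_klist "$(klist 2>/dev/null)")
    if ! ccache_shareable "$current"; then
        # Re-initialise into a fresh file cache. mktemp avoids a predictable
        # /tmp name; kinit truncates and fills the (empty) file it is given.
        KRB5CCNAME="FILE:$(mktemp /tmp/krb5cc_join.XXXXXX)" || return 1
        export KRB5CCNAME
        kinit -k -t "$keytab" "$principal" || return 1
        current="$KRB5CCNAME"
    fi
    # Prove root can see the ticket before attempting the join, as the
    # answer suggests (sudo klist must work, not just klist).
    sudo KRB5CCNAME="$current" klist >/dev/null || return 1
    sudo KRB5CCNAME="$current" realm join "$domain"
}

# Usage (hypothetical values):
#   join_with_keytab /etc/admin.keytab joinuser@DOMAIN.COM domain.com
```

If you instead pre-create the computer account with adcli and join with --one-time-password, the cache question disappears entirely, because realm then needs no Kerberos ticket from the invoking user.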