On 10/30/2012 06:53 AM, Andrew Bartlett wrote:
> By some means, we need to securely establish a shared secret between the
> machine and the DC.
>
> You could forward a Kerberos ticket to the host, if that's easier to
> automate and use -k.
>
> The old (NT4) style of setting up the account first, which implicitly
> set the password to machinename, isn't exactly secure, so doesn't help
> much.  (That was what smbpasswd -j used long ago.)
>
> You can delegate the privilege of joining machines to the domain, which
> may lessen the impact of the password or Kerberos ticket/keytab you
> forward, but the shared secret needs to be securely set up somehow.

I've decided to create a user with the sole privilege of joining machines to the domain, and automation works OK.


Thank you.



--
Jakov Sosic
www.srce.unizg.hr