AD-Precreation using ktutil, kinit and adcli

Using computer object precreation, you can let machines join an Active Directory domain with knowledge of just one dedicated one-time password. Combined with delegation, you can offload the management of computer objects to an otherwise unprivileged AD user.

The procedure described below involves an AD user account that has been granted permission to manage computer objects in an organizational unit (OU) of an Active Directory domain. This is usually accomplished by delegating those permissions to a group created for that purpose and then making the user a member of that group. A domain administrator can perform such a delegation with the tool "Active Directory Users and Computers" (ADUC), using the "Delegate …" wizard found in the context menu of the OU.

Overview

The procedure is demonstrated with the following entities:

  • Active Directory domain: ad.example.com
  • Domain controller: dc01.ad.example.com
  • OU for joined computers: OU=Test Hosts,DC=ad,DC=example,DC=com
  • User with OU management delegation: serviceuser@ad.example.com
  • Regular user for computer object precreation: admin@ad.example.com
  • Machine to join: testhost1.ad.example.com

Step 1: Create a Keytab for an authorized User

  • Run this on: Domain Member.
  • Software requirements: ktutil (from krb5-user).

As the user who has been delegated permission to create computer objects in the OU (directly, or preferably via membership in a delegated group), create a keytab file for your own user principal:

serviceuser@ad:~ $ ktutil
ktutil: addent -password -p serviceuser@AD.EXAMPLE.COM -k 1 -e RC4-HMAC
...Enter password...
ktutil: wkt serviceuser.keytab
ktutil: quit
serviceuser@ad:~ $ 

Handle the keytab with care: it contains credentials sufficient to assume the identity of this user.

Step 2: Precreate a Computer Object

  • Run this on: Domain Member.
  • Software requirements: ktutil (from krb5-user), adcli.

A user who has read access to the keytab can now, on an arbitrary AD member machine, precreate computer objects in the OU, assigning a well-known one-time password ("secret123" in this example) that is used when the target machine joins at a later time:

admin@adminhost:~ $ kinit -k -t serviceuser.keytab serviceuser@AD.EXAMPLE.COM
admin@adminhost:~ $ ccache=$(klist | awk -F 'FILE:' '/krb5cc/{print $2}')
admin@adminhost:~ $ /usr/sbin/adcli preset-computer \
    --domain=ad.example.com \
    --domain-realm=AD.EXAMPLE.COM \
    --domain-controller=dc01.ad.example.com \
    --domain-ou="OU=Test Hosts,DC=ad,DC=example,DC=com" \
    --login-user="serviceuser@AD.EXAMPLE.COM" \
    --login-ccache="$ccache" \
    --verbose \
    --no-password \
    --one-time-password="secret123" \
    testhost1.ad.example.com

Step 3: Perform the AD-Join

  • Run this on: Machine to be joined.
  • Software requirements: adcli.

Make the one-time password of the computer object known to the root user of the target machine. Then, on the target machine that is to be joined, perform the join as root:

root@testhost1:~ # adcli join \
    --domain=ad.example.com \
    --domain-realm=AD.EXAMPLE.COM \
    --domain-controller=dc01.ad.example.com \
    --host-fqdn=testhost1.ad.example.com \
    --verbose \
    --one-time-password="secret123"
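
The following script is an added example, not code from the original article: it performs Step 2 for several hosts in one run, authenticating with the keytab from Step 1 and giving each computer object its own random one-time password instead of a shared, well-known value like "secret123". It assumes the article's names (serviceuser.keytab, dc01.ad.example.com, the OU) and a hypothetical output file precreated-otps.txt; adcli and the Kerberos client tools must be installed.

```shell
# Added example, not code from the original article: precreate several computer
# objects in one run, each with its own random one-time password (OTP) instead
# of a shared, well-known value. Names follow the article; OTP_FILE is hypothetical.
set -eu

DOMAIN="ad.example.com"; REALM="AD.EXAMPLE.COM"; DC="dc01.${DOMAIN}"
OU="OU=Test Hosts,DC=ad,DC=example,DC=com"
LOGIN_USER="serviceuser@${REALM}"; KEYTAB="serviceuser.keytab"
OTP_FILE="precreated-otps.txt"   # hypothetical host/OTP record for the join step

# 24 alphanumeric characters drawn from /dev/urandom.
gen_otp() {
    head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 24
}

# Read klist output on stdin and print the credential cache. A FILE: prefix is
# stripped (as the article's awk does); other types (KEYRING:, DIR:) pass through.
ccache_from_klist() {
    awk -F': ' '/^Ticket cache:/ { sub(/^FILE:/, "", $2); print $2; exit }'
}

# Precreate one computer object. ADCLI may be overridden (e.g. ADCLI=echo) to
# inspect the argument list without touching the domain. Note that the OTP, like
# any command-line argument, is visible in the process list while adcli runs.
preset_computer() {  # $1 = host FQDN, $2 = OTP, $3 = credential cache
    "${ADCLI:-/usr/sbin/adcli}" preset-computer \
        --domain="${DOMAIN}" --domain-realm="${REALM}" \
        --domain-controller="${DC}" --domain-ou="${OU}" \
        --login-user="${LOGIN_USER}" --login-ccache="$3" \
        --no-password --one-time-password="$2" "$1"
}

# Authenticate with the keytab, then precreate every host named on the command line.
precreate_hosts() {
    umask 077                                  # OTP record: owner-readable only
    kinit -k -t "${KEYTAB}" "${LOGIN_USER}"
    ccache=$(klist | ccache_from_klist)
    for host in "$@"; do
        otp=$(gen_otp)
        preset_computer "${host}" "${otp}" "${ccache}"
        printf '%s %s\n' "${host}" "${otp}" >>"${OTP_FILE}"
    done
}

if [ "$#" -gt 0 ]; then precreate_hosts "$@"; fi
```

Each line of precreated-otps.txt pairs a host with the password that its root user needs for Step 3.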

This article is part of the series "SAMBA4":
  1. AD-Precreation using ktutil, kinit and adcli
  2. Comparing Distinguished LDAP Names