I'm currently writing a puppet module to automate the process of joining RHEL servers to an AD domain, with support for Kerberos.
Currently, I have problems with automatically obtain and cache Kerberos ticket-granting ticket via kinit
. If this were to be done manually, I would do this:
kinit [email protected]
This prompts for the AD user password, hence there is a problem with automate this.
How can I automate this? I've found some posts mentioning using kadmin
to create a database with the AD users password in it, but I've had no luck.
Stupid me, you can simply use following command:
While you can just hard-code the password into your automation, the more correct Kerberos way to do this is to create a keytab for the principal and then use that to authenticate.
kinit
supports authenticating from a keytab using the-k -t <keytab-path>
options.The primary advantage of a keytab is that it isolates the credentials in a separate file and can be used directly by various Kerberos software (so you don't have to add code to read a password from a separate file). It can also be created with standard commands (with an AD KDC, use
ktpass
). There are some more advantages if you had a Linux KDC, such as easily randomizing keys stored in the keytab rather than using a weaker password.According to the man-page you might use:
So you just might provide your password via a file.