13

I'm currently writing a puppet module to automate the process of joining RHEL servers to an AD domain, with support for Kerberos.

Currently, I have problems with automatically obtaining and caching a Kerberos ticket-granting ticket via kinit. If this were to be done manually, I would do this:

kinit aduser@REALM.COM

This prompts for the AD user password, hence there is a problem with automating this.

How can I automate this? I've found some posts mentioning using kadmin to create a database with the AD user's password in it, but I've had no luck.

tore- (edited by Abhijeet Kasurde)

3 Answers

22

Stupid me, you can simply use following command:

echo "password" | kinit aduser@REALM
tore- (edited by Abhijeet Kasurde)
21

While you can just hard-code the password into your automation, the more correct Kerberos way to do this is to create a keytab for the principal and then use that to authenticate. kinit supports authenticating from a keytab using the -k -t <keytab-path> options.

The primary advantage of a keytab is that it isolates the credentials in a separate file and can be used directly by various Kerberos software (so you don't have to add code to read a password from a separate file). It can also be created with standard commands (with an AD KDC, use ktpass). There are some more advantages if you had a Linux KDC, such as easily randomizing keys stored in the keytab rather than using a weaker password.

rra

Keytab definitely seems to be the way to go. If you generate this in kadmin, make sure to use the `-norandkey` flag in ktadd if you don't want to invalidate the existing password. – Dennis Jaheruddin Aug 08 '16 at 14:11
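The keytab approach described in the answer above, as an added example that is not part of the original thread: a POSIX shell script for the MIT krb5 tools shipped with RHEL. It derives the AD user's AES keys into a keytab from a password kept in a root-only file, feeding the password to ktutil on stdin so it is never an argument to any command (and so never shows up in `ps` output or shell history), and then obtains the TGT with `kinit -k -t`, which is the only step the automation has to repeat. The principal `aduser@REALM.COM`, the paths `/etc/krb5.aduser.secret` and `/etc/krb5.aduser.keytab`, and the key version number 1 are all assumptions; set the kvno to the account's current value in AD, and note that ktutil uses the MIT default salt (realm name followed by the user name), which is what ordinary AD user accounts use.

```shell
#!/bin/sh
# Added example (not from the thread above): build a keytab for an AD user
# from a password held in a root-only file, then obtain a TGT from that keytab
# with no interactive prompt. Uses the MIT krb5 tools shipped with RHEL.
# Assumed values, override via the environment:
#   PRINC        the AD user principal
#   SECRET_FILE  file holding only the password, mode 600/400, owned by root
#   KEYTAB       where the keytab is written
#   KVNO         key version number; set it to what AD holds for the account
set -eu

PRINC="${PRINC:-aduser@REALM.COM}"
SECRET_FILE="${SECRET_FILE:-/etc/krb5.aduser.secret}"
KEYTAB="${KEYTAB:-/etc/krb5.aduser.keytab}"
KVNO="${KVNO:-1}"

# Return 0 only if the file exists and has no group/other permission bits,
# so a world-readable secret is refused before it is ever read.
secret_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        [0-7]00|[0-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ktutil batch that derives AES keys from the password and writes
# them to the keytab: $1 principal, $2 kvno, $3 keytab path, $4 password.
# Feeding this on ktutil's stdin keeps the password off every command line.
ktutil_batch() {
    printf 'addent -password -p %s -k %s -e aes256-cts-hmac-sha1-96\n%s\n' "$1" "$2" "$4"
    printf 'addent -password -p %s -k %s -e aes128-cts-hmac-sha1-96\n%s\n' "$1" "$2" "$4"
    printf 'wkt %s\nquit\n' "$3"
}

# Create the keytab from the password file (run once, as root).
make_keytab() {
    secret_perms_ok "$SECRET_FILE" || {
        echo "refusing: $SECRET_FILE must be mode 600 or 400" >&2
        return 1
    }
    pw=$(cat "$SECRET_FILE")
    umask 077                      # keytab is created readable by owner only
    ktutil_batch "$PRINC" "$KVNO" "$KEYTAB" "$pw" | ktutil
    klist -k -t "$KEYTAB"          # show the entries that were written
}

# Obtain and cache the TGT from the keytab; this is the step to put in cron
# or a Puppet-managed unit, since it needs no password at all.
get_tgt() {
    kinit -k -t "$KEYTAB" "$PRINC"
    klist
}

case "${1:-}" in
    make) make_keytab ;;
    tgt)  get_tgt ;;
    "")   ;;                       # sourced or run without arguments: do nothing
    *)    echo "usage: $0 make|tgt" >&2; exit 2 ;;
esac
```

Run `sh script.sh make` once as root after placing the password in the secret file, then schedule `sh script.sh tgt` (or call `kinit -k -t /etc/krb5.aduser.keytab aduser@REALM.COM` directly) before the ticket lifetime expires; once the keytab exists the password file can be removed from the host.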
2

According to the man page you might use:

kinit --password-file=~/my.secret aduser@REALM.COM

So you might just provide your password via a file.

techraf