Join a *Nix host to Active Directory without utilizing a clear text password

Aug. 21st 2013

 

Within QAS, the vastool command on *nix hosts is like the Swiss Army Knife of the QAS product.  This command allows an admin to verify authentication, list the QAS cache on that host, verify and remove Kerberos tickets, and join the host to an Active Directory domain just to name a few.  Today, I am going to discuss the join command, more specifically joining a host to Active Directory without using a plain text password.

Most customers wish to automate the process of joining a *nix host to Active Directory by a standalone script, or incorporating code into their kick start/jumpstart provisioning.  This can be accomplished, but the join command requires authentication to Active Directory with an account that possesses the necessary permissions to join a computer to Active Directory.  The most direct way to issue this command is:

Vastool –u ADUser@domain.com –w <password> join domain.com

 

The command above will join the current host to domain.com utilizing the Active Directory credentials for ADUser@domain.com.  The issue most customers have with this is that the password is clear text and would appear as clear text within their script.  The way around this is to create a ‘service’ account that has the necessary permissions to join a computer to active directory, and generate a key tab for this user.  This key tab can then be placed with the kick start files and referenced in the join command instead of passing a clear text password, as below:

Vastool –u ADUser@domain.com –k /etc/opt/quest/vas/sa.keytab join domain.com

 

The command above is the same as before, but now the vastool command is utilizing the key tab to perform the authentication rather than having a clear text password present.

In order to use this method, you will need to create a service account.  This account should be similar to most Windows service accounts in that, it does not force password expiration.  The msDS-KeyVersionNumber will need to be recorded for use in the generation commands of the account, this can be acquired by issuing the following from a QAS connected *nix host:

Vastool –u host/ attrs <ServiceAccountID> msDS-KeyVersionNumber

 

Once the key version is acquired, use the following commands to create a key tab for the service account:

Ktutil –k <Path>/<ServiceAccount>.keytab add –p <AccountUPN> -e arcfour-hmac-md5 –V <KeyVersionNumber> -w ‘password’
Ktutil –k <Path>/<SarviceAccount>.keytab add –p <AccountUPN> -e aes256-cts-hmac-sha1-96 –V <KeyVersionNumber> -w ‘password’
Ktutil –k <Path>/<ServiceAccount>.keytab add –p <AccountUPN> -e aes128-cts-hmac-sha1-96 –V <KeyVersionNumber> -w ‘password’

 

Make sure to include the single quotes around the password at the end to mitigate any issues with miss-interpreting special characters that may exist in the password.

Once the key tab has been completed, it can be placed with the provisioning files and referenced for vastool commands.

 

 

Author: Russ Burden, Technical Architect, LeadThem Consulting

 

 ———————————————————————————————————————————————————————————————-

 

 

Posted by LeadThem Consulting | in Authentication Services | Comments Off on Join a *Nix host to Active Directory without utilizing a clear text password
logos

LeadThem Consulting
20418 SE Hwy 212
Damascus, OR 97089