Title: How to join Active Directory domains with a One Time Password
Date: 2014-05-06 14:23
Tags: active-directory
Slug: how-to-join-active-directory-domains
[realmd][] and [adcli][] allow you to join a domain with a one time
password.
That is: a domain administrator can prepare a one time password, and
that one time password can later be used (usually by someone else) to
join a specific computer to the domain.
[FreeIPA][] supports this natively. But adcli also accomplishes this for
Active Directory domains. People have been asking how that happens.
Each computer in an Active Directory domain has a computer account. Each
computer account has a computer password. Normally this password is
[randomly generated][] while joining the domain.
When you choose the *Reset Password* option in the Active Directory UI,
this password is set to a predictable string: the computer account name
in lower case (i.e. the `samAccountName` without its trailing dollar
sign). For a computer `COMPUTER1$`, the reset password is `computer1`.
![Reset computer](images/reset-computer.png)
Since computer accounts can (by default) change their own account
passwords, resetting a computer account allows anyone who can reach the
domain and knows the account name to claim that computer account, by
changing its password from this known password to a freshly generated
one. The account stays claimable until the first such change happens,
so a reset account should be joined promptly.
realmd takes advantage of the above, and will automatically join a
domain if the relevant computer account has been reset.
In addition adcli has a `preset-computer` mode which allows an
administrator to create a new computer account and set its password to
a one time use password, so the password does not have to be the
predictable one that *Reset Password* produces.
:::text
$ adcli preset-computer --domain=ad.example.com --one-time-password=ThisIsthe1xPass computer1.example.com
Password for Administrator@AD.EXAMPLE.COM:
computer-name: COMPUTER1
This one time password can later be used with realmd to join the
computer to the domain as that preset account, like so:
:::text
$ hostname
computer1.example.com
$ realm join --one-time-password=ThisIsthe1xPass ad.example.com
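The following shell helpers are an added example, not code from the original post or from the realmd/adcli project. They make explicit two things the text relies on: the predictable password an account carries after *Reset Password*, and the mapping from the machine's hostname to the computer account name that `realm join` will try to claim. Assumptions (not stated by realmd's documentation on this page): the computer name is the first label of the hostname, upper-cased and cut to 15 characters (the NetBIOS limit), and the join is refused here when the hostname would not map to the account the administrator preset, because the one time password belongs to that account only.

```shell
#!/bin/sh
# Added example around the one-time-password join flow; not part of
# realmd or adcli. Assumes adcli derives the computer account name from
# the first hostname label, upper-cased and truncated to 15 characters,
# and that "Reset Password" sets the password to that name in lower case.
set -eu

# computer1.example.com -> COMPUTER1 (assumed derivation, see above)
computer_name_from_hostname() {
    printf '%s' "$1" | cut -d. -f1 | tr 'a-z' 'A-Z' | cut -c1-15
}

# The predictable password an account has after "Reset Password":
# the samAccountName without its trailing '$', in lower case.
# COMPUTER1$ -> computer1
reset_password_for() {
    printf '%s' "$1" | sed 's/\$$//' | tr 'A-Z' 'a-z'
}

# Run "realm join" only if this host's name maps to the computer account
# the administrator preset; otherwise the OTP would be tried against a
# different account and the join would fail.
# Usage: join_with_otp DOMAIN EXPECTED_COMPUTER_NAME OTP
join_with_otp() {
    domain=$1
    expected=$2
    otp=$3
    actual=$(computer_name_from_hostname "$(uname -n)")   # same as hostname(1)
    if [ "$actual" != "$expected" ]; then
        echo "hostname maps to $actual, not $expected; fix the hostname first" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "realm join --one-time-password=<redacted> $domain"
        return 0
    fi
    realm join --one-time-password="$otp" "$domain"
}

# Example run (DRY_RUN=1 prints the command instead of contacting a DC):
# DRY_RUN=1 join_with_otp ad.example.com COMPUTER1 ThisIsthe1xPass
```

Note that `reset_password_for` is exactly what realmd has to know to join a reset account, which is the reason a reset account is claimable by anyone until it is joined; the `preset-computer --one-time-password` path avoids that window because the password is chosen by the administrator rather than derived from the name.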
Or you can use this one time password with kickstart, as shown here:
<iframe allowfullscreen="" src="//www.youtube.com/embed/1Tm1jZ8fpW4" frameborder="0" height="720" width="960"></iframe>
[realmd]: http://www.freedesktop.org/software/realmd/docs/
[adcli]: http://www.freedesktop.org/software/realmd/adcli/adcli.html
[FreeIPA]: http://www.freeipa.org/page/Main_Page
[randomly generated]: http://cgit.freedesktop.org/realmd/adcli/tree/library/adenroll.c#n185